Trickbot issue on production network.

Currently using Palo Alto firewalls.  Can you block access at your router then?

Ive looked on the routers and they dont appear to have the option to block IPs only domains, they are only basic Netgear routers, the only trouble since we arent very big weve not had the need for any enterprise equipment so struggling a bit now :-(

Ive looked on the routers and they dont appear to have the option to block IPs only domains, they are only basic Netgear routers, the only trouble since we arent very big weve not had the need for any enterprise equipment so struggling a bit now :-(

 

Have you considered swapping your consumer grade Netgear router for something a little more powerful, offering you some customization to your firewall rules?  Even a small Ubiquiti Edgerouter will offer custom firewall settings and they are still under $100. 

 

I think it's safe to say now that since blocking the IPs we discussed earlier and extensively cleaning my machines/servers, I haven't seen the infection popping up any more.  Since we determined it was only spreading between domain connected PCs, I shut every machine listed in AD down and made sure they were clean 1-by-1.  Symantec Endpoint did clean the malware and appears to be preventing re-infection.

I think its something we are definitely going to have to do, Ill get some new routers in next week and block those IPs and perhaps purchase endpoint protection for the server for the servers at least to clean them out, the pcs seem to be clean now, especially after turning off file and print sharing and network discovery, that seems to have helped so far, just the servers I need to tackle for the moment, thank you, I hope I get this sorted soon, although it is on the servers it doesnt seem to be effecting anything or stopping us from doing anything just more that it is there and needs to be gone now

I don't know how many machines you have, but one thing that may be simple, is to create you a hosts file to block these IP addresses, then add the hosts file into every computer.  Use it like a block/redirect.

 

https://helpdeskgeek.com/how-to/block-websites-using-hosts-file/

You know thats a really good idea, just might be worth a shot for a quick short term solution, weve got 42 computers, so could take a little while but shouldnt be too bad to implement, thank you so much, I really appreciate all your advise on this, think sometimes I lot of stuff can easily be overlooked when your so worm out trying everything but lol

Glad to help, and hopefully it will actually help.  I would create the file and ping one of the bad IP addresses, and possibly run a tracert to that IP.  Create your Hosts file with all the bad IP's resolving to wherever or to an IP that's 127.0.0.1 (localhost) and then run a tracert again to that same IP and make sure it is now being redirected.  If it is still going through the same hops then it isn't working as intended.  At that point, copy that file to the other machines, preferably through \\ComputerName\c$\WINDOWS\system32\drivers\etc.  From there you could psexec (if installed) into it and see if it works.  Trying to save you some leg work and possibly give you some peace of mind until you can possibly get in a better solution.

Ill give it a try thank you so much! Hopefully the host file will allow it because I think I may have tried something similar before and DNS didnt allow the entry of the IP I wanted to redirect pointing to the local host

FYI:  Running reports today I found a new folder name by the virus:  \AppData\Roaming\wsxmail with the same tttvc.exe file.

Hi there, ah yes I found that folder when it all first come about but it was empty as Malwarebytes detected the files within and quaretined them, did you notice the modified date? Was it a recent entry or an old one? What I did was ran a search on the entire c: drive for most recent changed files and deleted all of the obvious files and folders!

Malwarebytes has finally managed to deleted all the crap and registry files and folders, day two now and completely clean, fingers crossed. Also checked all outbound connections and not one machine on the network is even trying to connect to any of those dodgy IP addresses!

For those of you who are getting re-infected: local accounts on your domain members. Check em. Secure em.

 

I've been tracking this thing on a customer's network for a little over a week now; looks like infection date was mid May.  We are seeing all the inject.dll ( and associated files ) and the stcsvc.exe executable and also scheduled task creation which duplicates all the command files into %APPDATA% upon user login.   A combination of ESET and MBytes seems to work well in cleaning it, but I'm still suspicious about what my svchost processes are trying to talk to ( use WFC and a good firewall to indulge this paranoia ). Sorry this is some sloppy shorthand but you probably know what I mean. Now for the meat: 

 

If you're getting re-infected, check 2 things off your list as well:

 

1.     If you've ever used the ole password reset trick where you replace utilman.exe with cmd.exe; FIX IT NOW.  Even on  server 2008R2 machines with NTLM authentication only, once this bug is on your LAN it will find this hole and stretch it to maximum. 

 

2.     Notice that if you run an windows domain, all your domain member servers still have local accounts on them, and those accounts are vulnerable Realize that default Microsoft GPO does not give you a way to  centrally enable lockout policy on the local accounts. Find a way to lock those down. I suggest changing local account names to nonstandard names AND setting a lockout policy for local accounts.  If you're only dealing with a few servers, you might as well do this by hand. If you're dealing with many more, look for a way to do it via PowerShell or custom GPO.

 

Hope my two cents helps somebody. Thanks for posting about your various experiences. I thought I was crazy when I saw this thing. Had never heard of it before a couple of weeks ago. 

 

PJ

 

 

 

I'm uploading a copy of what I believe is an example of this infection ... 
 

 

See the submission portal.

 

 

Thanks!