
Masrv Network Scanner

A recently discovered network reconnaissance module for the Trickbot banking trojan that incorporates the Masscan open source scanning tool.




Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Masrv is a recently discovered network reconnaissance module for the Trickbot banking trojan that incorporates the Masscan open source scanning tool.


Delivery

Trickbot is understood to be primarily delivered through mass spam campaigns.


Activities

When executed, Masrv requests information from a command and control (C2) server. Because Masscan requires a low-level packet filter to operate, Masrv will attempt to load Npcap\packet.dll and will install it from the C2 server if it does not already exist on the infected host. Masrv will then attempt to initialise the network adapter or, if that fails, retrieve information from the system's ARP table. Masrv then tests IP addresses by pinging a Google DNS server with the source address set to the IP address being tested. Finally, Masrv collects and sends any open ports discovered on the IP ranges that were provided.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Host indicators

File hashes (SHA-256):

  • 2c29de91a5be3bffafb521e04b88819d23c6f71843c8f2d54516ec2afefd24c6
  • e1c5a377450d04372bfe9d943d322fbdd53c274c3772836eb044fd2a4b08a870

Module names:

  • masrvDll32
  • masrvDll64

PDB paths:

  • D:\Project\masrv\build-masrv\debug\Desktop_msvc_15_0_32bit\masrv.pdb
  • D:\Project\masrv\build-masrv\debug\Desktop_msvc_15_0_64bit\masrv.pdb

YARA rule:

rule Trickbot__masrvDll
{
    meta:
        id = "4kWjG0InTDyHiur8cCzPeG"
        fingerprint = "3e91c19602340a43e026ffdb23b1d6a0c4e186d67f743e962c75aa51ea0c4d1c"
        version = "1.0"
        first_imported = "2021-01-29"
        last_modified = "2021-01-29"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        source = "KRYPTOS LOGIC"
        description = "Detects Trickbot masrvDll module"
        category = "MALWARE"
        malware = "BOT"

    strings:
        $a = "http://127.0.0.1:8080/gid/uid/pcap.exe"
        $b = "c:\\\\temp\\\\maserv.txt"
        $c = "Send cmd to server: %s\\r\\n"
        $d = "HTTP message success: URI=%s DATA=%.*s\\r\\n"

    condition:
        all of them
}
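The host indicators above (SHA-256 hashes, module names, PDB paths and the plaintext strings the YARA rule keys on) can be applied to a file for quick triage where a YARA scanner is not to hand. The following is an added example and not part of the advisory or of the Kryptos Logic rule; the two-string threshold and the sample blob are constructed for illustration.

```python
import hashlib

# Host indicators as listed in the advisory.
KNOWN_SHA256 = {
    "2c29de91a5be3bffafb521e04b88819d23c6f71843c8f2d54516ec2afefd24c6",
    "e1c5a377450d04372bfe9d943d322fbdd53c274c3772836eb044fd2a4b08a870",
}

# Module names, PDB paths and the YARA rule's plaintext strings, written as
# they would appear in the binary (format strings without their trailing \r\n).
INDICATOR_STRINGS = [
    b"masrvDll32",
    b"masrvDll64",
    rb"D:\Project\masrv\build-masrv\debug\Desktop_msvc_15_0_32bit\masrv.pdb",
    rb"D:\Project\masrv\build-masrv\debug\Desktop_msvc_15_0_64bit\masrv.pdb",
    b"http://127.0.0.1:8080/gid/uid/pcap.exe",
    b"Send cmd to server: %s",
    b"HTTP message success: URI=%s DATA=%.*s",
]


def triage_bytes(data: bytes) -> dict:
    """Hash the contents, look for the indicator strings and give a verdict.

    Verdict rule (assumed threshold, not from the advisory): a known hash, or
    two or more of the indicator strings, flags the file for investigation.
    """
    digest = hashlib.sha256(data).hexdigest()
    hits = [s.decode("ascii") for s in INDICATOR_STRINGS if s in data]
    return {
        "sha256": digest,
        "hash_match": digest in KNOWN_SHA256,
        "string_hits": hits,
        "suspicious": digest in KNOWN_SHA256 or len(hits) >= 2,
    }


def triage_file(path: str) -> dict:
    """Read a file from disk and triage it."""
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())


# Constructed stand-in blob (not malware): a fake header plus two indicator strings.
SAMPLE = (b"MZ" + b"\x00" * 64 + b"masrvDll64\x00"
          + b"http://127.0.0.1:8080/gid/uid/pcap.exe\x00")

if __name__ == "__main__":
    print(triage_bytes(SAMPLE))
```

A hash match only catches the two known builds; the string check survives repacking as long as the strings are left in clear, which is why both are applied.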

Last edited: 21 December 2021 9:56 am