Trickbot Spreading via SMB
released on 2018-07-18 @ 12:33:48 PM
Since June 2018, I have posted examples of Trickbot infection traffic with SMB propagation on malware-traffic-analysis.net, showing Trickbot moving from an infected Windows client to a vulnerable Active Directory (AD) domain controller. Trickbot’s lateral movement over SMB is distinctly different from WannaCry’s implementation of EternalBlue noted in 2017, so this method of SMB propagation appears to be based on a different exploit developed by the Trickbot authors.
Trickbot normally has its own malspam-based distribution channel, but now Trickbot attackers are also using Emotet for their infections.