Recent Posts

Recent Blog Posts

The PhishLabs Blog

Active TrickBot Campaign Observed Abusing SendGrid and Google Docs

Posted by Michael Tyler on Nov 26, '19

TrickBotPhishLabs has observed an active TrickBot campaign targeting the employees of multiple organizations. Trickbot is a sophisticated successor of the Dyre Banking Trojan. It uses an intricate network of command and control servers (C2), web injects, and customized redirection attacks that leverage HTML or JavaScript injections to target numerous financial institutions across many geographies and language zones.

Trickbot also contains additional functionality that makes it highly effective as an information-stealing tool.

Traditionally, Trickbot tends to be downloaded by the Bartalex downloader trojan, which is itself dropped by a booby-trapped Microsoft Office document sent as an attachment to the lure. However, this campaign breaks with tradition by using links as an infection vector. The links abuse SendGrid, a popular email delivery platform, to improve the deliverability of the lure messages. Fortunately, SendGrid has been observed rapidly taking down and mitigating the detected malicious links.

Observed Information and Social Engineering

The current active campaign shares several social engineering tactics that implore a victim to fall for the lures:

  • Lures using fear and curiosity prompt interaction with themes involving termination, meetings with lawyers, customer complaints, and payouts.
  • The use of RE: in the subject line is meant to imply that it is a continuation of some previous conversation.
  • The SendGrid infrastructure is used to leverage domain and link reputation. It is increasingly common to see mail delivery providers being abused for their reputation and obscuring of the link. This causes problems for users trained to examine a link before clicking since the click-tracking link used by SendGrid obscures the final destination. Further, the popularity of these services can condition users to no longer see these click-tracking services as a potential threat.
  • The SendGrid links send the user to Google Docs which prompts the user to download a secure document. This continues the theme of abusing domain reputation and abuse of legitimate infrastructure.
  • The end result is downloading an .exe file which, when detonated, attempts to install Trickbot.

Industries and Targets Observed

PhishLabs has observed multiple industries targeted by this attack. The attacker is leveraging some level of lure customization. This implies that targets were not chosen totally at random, but a focus on a particular organization or sector was not observed.

Handling Related Threats

Effectively defending against lures of this type requires effectively coaching end-users to PAUSE and ensure the email is, in fact, legitimate before interacting with it. While the social engineering tactics at play here are effective emotional triggers, a user who actually stops to consider the plausibility of the email will find that the lure does not actually make sense.

Training should focus on how to spot suspicious emails, how to report them through forwarding or a button, and why they should not click on suspicious links even with familiar domains.

PhishLabs can also proactively detect, analyze, and automatically mitigate these threats through our Email Incident Response solution.

Observed indicators

The emails submitted by several of our clients contained three separate lures. Within the lures, the emails urge the victim to click a link to view a sensitive document, at which point they are prompted to download the Trickbot Banking Trojan.

Of note, the lures are being sent from unrelated domains, likely from compromised accounts. Of the examples shown, one comes from a car dealership and the other an educational institution. The excuse the threat actor provides to cover this piece of information is that they are an outsourced HR vendor.

Observed Subject Lines

The following subject lines have been observed so far. Within each, we have redacted the names of financial institutions whose customers are being targeted. Regardless of the variety in subject lines, the tactics and social engineering within the phishing lure email share the same characteristics (sensitive and important documentation).

  • Re: Termination for Lorrie Onaga in [Redacted Organization Name]
  • Re: Our meeting in [Redacted Organization Name] office
  • RE: payout from [Redacted Organization Name] for [Redacted Individual Recipient]

Topics: Banking Trojan, TrickBot

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all