Recent Posts

Recent Blog Posts

The PhishLabs Blog

New Phishing-Based TrickBot Campaign Identified

Posted by Olivia Vining on Jul 20, '17


This week, PhishLabs analysts have detected a new TrickBot campaign that began at approximately 23:30 EST on July 17th, and continued through the evening of July 18th before ending later that night.

Thousands of lures were detected, the bulk of which were sent between 12:30 - 15:30 EST on July 18th.

But let’s back up a little.

In case you missed it first time around, TrickBot is a prominent example of a type of malware known as a Trojan.  Like the Trojan from which it was developed, Dyre, Trickbot is configured to steal banking credentials. 

Once a victim's machine is infected, Trickbot sends bank information to criminals through a complex series of events initiated by one click. Once initiated, TrickBot resides in the background, operating as unobtrusively as possible. As a result, many victims are unaware their machine has been infected.

How It’s Being Spread

Our analysts have identified a new phishing campaign designed to spread the Trojan. And while the source isn’t yet clear, it wouldn’t be a stretch to imagine the threat actors responsible have returned to their old tricks.

Thankfully, there are some common factors in the lures our analysts have found so far. For a start, none of the lures have an email subject, and the body of each consists of a single sentence:

Your Payment is attached.

Equally, while sender addresses vary, they all follow the same format: no-reply@<random domain>

Finally, we come to the payload: Every lure comes with an attached .zip file, each with a unique filename according to the convention “”. While the naming convention is consistent throughout the identified lures, our analysts have observed at least 46 different MD5s associated with the malicious attachments.

The Payload

Once opened, the attached zip file contains two files: a .txt file, and a .vbs (Visual Basic Script) file.


TrickBot zip.png

The text file is harmless, containing only a few lines intended to indicate the fictional account number and time period of the “payment” being sent.

Clearly, the intention here is to communicate the legitimacy of the lure, although it must be said this is far from a sophisticated phishing campaign.

TrickBot txt file.png

The .vbs file, on the other hand, is far from harmless. When launched, it attempts to make contact with several malicious domains in order to download the encrypted file 56evcxv? which is subsequently converted to BhHuVBiLxIU.exe

Our analysts have conducted a detailed examination of a sample payload from the campaign, and found the domains/IPs contacted in that instance were (, (, and (

Once again, the endgame for TrickBot malware is severe. Successful infections result in a threat actor collecting victim’s banking credentials.

Always Be Watchful

The thing about these types of campaigns is that they are happening all the time. In this case our analysts were able to identify and study the campaign very early on, but in many other cases this simply isn’t possible.

So naturally, our advice remains the same: Do not assume everything in your inbox is legitimate.

If you see something that doesn’t seem right (in this case an unexpected payment) exercise extreme caution. Don’t respond, don’t follow any embedded links, and absolutely don’t open any attachments.


Zip: 1e7bd517fe6828a05a360c7532af76d3

Text File: 9f9fbe9def21b84156d1de370c775b10

VBS: 9fd4a3a4550ee8aa515281fd6350543a

EXE: 747a388e0fc450225700856fbd5b2569

Topics: Phishing, TrickBot

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all