This week, PhishLabs analysts have detected a new TrickBot campaign that began at approximately 23:30 EST on July 17th, and continued through the evening of July 18th before ending later that night.
Thousands of lures were detected, the bulk of which were sent between 12:30 - 15:30 EST on July 18th.
But let’s back up a little.
In case you missed it the first time around, TrickBot is a prominent example of a type of malware known as a Trojan. Like Dyre, the Trojan from which it was developed, TrickBot is configured to steal banking credentials.
Once a victim's machine is infected, TrickBot sends banking information to criminals through a complex series of events, all of it initiated by a single click. Once initiated, TrickBot resides in the background, operating as unobtrusively as possible. As a result, many victims are unaware their machine has been infected.
How It’s Being Spread
Our analysts have identified a new phishing campaign designed to spread the Trojan. And while the source isn’t yet clear, it wouldn’t be a stretch to imagine the threat actors responsible have returned to their old tricks.
Thankfully, there are some common factors in the lures our analysts have found so far. For a start, none of the lures have an email subject, and the body of each consists of a single sentence:
“Your Payment is attached.”
Equally, while sender addresses vary, they all follow the same format: no-reply@<random domain>.
Finally, we come to the payload: Every lure comes with an attached .zip file, each with a unique filename according to the convention “doc000#################.zip”. While the naming convention is consistent throughout the identified lures, our analysts have observed at least 46 different MD5s associated with the malicious attachments.
Once extracted, the attached zip archive contains two files: a .txt file and a .vbs (Visual Basic Script) file.
The text file is harmless, containing only a few lines intended to indicate the fictional account number and time period of the “payment” being sent.
Clearly, the intention here is to communicate the legitimacy of the lure, although it must be said this is far from a sophisticated phishing campaign.
The .vbs file, on the other hand, is far from harmless. When launched, it attempts to contact several malicious domains in order to download the encrypted file 56evcxv?, which is subsequently converted to BhHuVBiLxIU.exe.
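The lure traits described above (empty subject, the one-sentence body, the no-reply@ sender format, a doc000…zip attachment holding a .txt and a .vbs) are specific enough to triage automatically at the mail gateway. The following is an added example for that, not PhishLabs code: it scores a message against those traits and inspects the zip's member list without extracting or running anything. The sample message and archive are constructed; the assumption that the "#" characters in the filename convention are digits, and the threshold of three hits, are mine.

```python
"""Heuristic triage for the TrickBot lure described in the post.

Added example, not PhishLabs code. Lure traits come from the post; the
sample message, archive contents and threshold are constructed/assumed.
"""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Dict, List

# Assumption: the "#" placeholders in "doc000#################.zip" are digits.
ATTACHMENT_RE = re.compile(r"^doc000\d+\.zip$", re.IGNORECASE)
# Sender format from the post: no-reply@<random domain>
SENDER_RE = re.compile(r"^no-reply@[a-z0-9.-]+\.[a-z]{2,}$", re.IGNORECASE)
LURE_BODY = "your payment is attached."


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: Dict[str, bytes]  # filename -> raw attachment bytes


def zip_members(data: bytes) -> List[str]:
    """List member names of a zip attachment; nothing is extracted or executed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def lure_indicators(msg: Message) -> List[str]:
    """Return the campaign traits this message exhibits, in a fixed order."""
    hits = []
    if not msg.subject.strip():
        hits.append("empty-subject")
    if msg.body.strip().lower() == LURE_BODY:
        hits.append("payment-body")
    if SENDER_RE.match(msg.sender.strip()):
        hits.append("no-reply-sender")
    for name, data in msg.attachments.items():
        if ATTACHMENT_RE.match(name):
            hits.append("doc000-zip-name")
        members = zip_members(data)
        exts = {m.rsplit(".", 1)[-1].lower() for m in members if "." in m}
        if "vbs" in exts:
            hits.append("zip-contains-vbs")
        # The post describes exactly one .txt plus one .vbs inside the archive.
        if len(members) == 2 and exts == {"txt", "vbs"}:
            hits.append("txt-plus-vbs-pair")
    return hits


def is_probable_lure(msg: Message, threshold: int = 3) -> bool:
    """Assumed policy: three or more traits is enough to quarantine for review."""
    return len(lure_indicators(msg)) >= threshold


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the layout; the .vbs is an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payment_details.txt", "Account: 0000000000\nPeriod: June\n")
        zf.writestr("payment.vbs", "' placeholder only, not the campaign script\n")
    return buf.getvalue()


# Constructed sample message matching the lure description.
SAMPLE = Message(
    sender="no-reply@example-random.test",
    subject="",
    body="Your Payment is attached.",
    attachments={"doc000123456789012345.zip": build_sample_zip()},
)

if __name__ == "__main__":
    print(lure_indicators(SAMPLE), is_probable_lure(SAMPLE))
```

The archive check only reads the central directory, so it is safe to run on quarantined mail; a production filter would feed the same indicators into an existing scoring engine rather than hard-code the threshold.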
Our analysts have conducted a detailed examination of a sample payload from the campaign, and found the domains/IPs contacted in that instance were kleintierpraxiskloten.ch (126.96.36.199), projector23.de (188.8.131.52), and pluzcoll.com (184.108.40.206).
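Defenders will mostly use the domains and IPs above retrospectively, to find hosts that already ran the script. The block below is an added example (not PhishLabs code) that matches those indicators against proxy or DNS log lines and reports the earliest contact per client, which is the starting point for scoping an infection. The log format (timestamp, client IP, requested host, destination IP, status) and the log lines themselves are constructed.

```python
"""Retrospective IoC matching for the network indicators named in the post.

Added example, not PhishLabs code. Indicator values are the ones the post
lists; the log format and lines are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

IOC_DOMAINS = {"kleintierpraxiskloten.ch", "projector23.de", "pluzcoll.com"}
IOC_IPS = {"126.96.36.199", "188.8.131.52", "184.108.40.206"}

# Constructed proxy export: ts client host dest_ip status (assumed layout).
SAMPLE_LOG = """\
2017-07-18T12:41:07Z 10.0.5.23 www.intranet.example 10.0.0.10 200
2017-07-18T12:41:09Z 10.0.5.23 kleintierpraxiskloten.ch 126.96.36.199 200
2017-07-18T12:41:10Z 10.0.5.23 PROJECTOR23.DE. 188.8.131.52 404
2017-07-18T12:41:12Z 10.0.7.41 cdn.example.test 203.0.113.9 200
2017-07-18T12:41:15Z 10.0.5.23 pluzcoll.com 184.108.40.206 200
"""


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot so FQDN variants still match."""
    return host.strip().rstrip(".").lower()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    parts = line.split()
    if len(parts) < 5:
        return None  # malformed or truncated line, skip it
    ts, client, host, dest_ip, status = parts[:5]
    return {"ts": ts, "client": client, "host": normalize_host(host),
            "dest_ip": dest_ip, "status": status}


def match_iocs(log_text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {client: [(timestamp, indicator, kind), ...]} for IoC contacts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["host"]
        # Match the domain itself or any subdomain of it.
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            hits[rec["client"]].append((rec["ts"], host, "domain"))
        elif rec["dest_ip"] in IOC_IPS:
            hits[rec["client"]].append((rec["ts"], rec["dest_ip"], "ip"))
    return dict(hits)


def first_contact(hits: Dict[str, List[Tuple[str, str, str]]]) -> Dict[str, str]:
    """Earliest IoC contact per client; ISO-8601 UTC timestamps sort lexically."""
    return {client: min(ev[0] for ev in events) for client, events in hits.items()}


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOG)
    for client, events in found.items():
        print(client, first_contact(found)[client], [e[1] for e in events])
```

A client that appears here should be treated as compromised until proven otherwise; the VBS stage runs before the executable drops, so the first timestamp bounds when credential theft could have begun.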
Once again, the endgame for TrickBot malware is severe. Successful infections result in a threat actor collecting victims’ banking credentials.
Always Be Watchful
The thing about these types of campaigns is that they are happening all the time. In this case our analysts were able to identify and study the campaign very early on, but in many other cases this simply isn’t possible.
So naturally, our advice remains the same: Do not assume everything in your inbox is legitimate.
If you see something that doesn’t seem right (in this case, an unexpected payment), exercise extreme caution. Don’t respond, don’t follow any embedded links, and absolutely don’t open any attachments.
Text file (MD5): 9f9fbe9def21b84156d1de370c775b10