Recent spam campaign from TrickBot authors imitates Dropbox emails
TrickBot emerged in 2016 as a banking trojan and became known for targeting numerous banks and their customers, including the online payment giant PayPal. Over its lifetime, the malware's authors have improved its functionality and found new ways to reach potential victims.
Recently, security researchers discovered a new malspam campaign delivering TrickBot. The malicious emails pretend to come from Dropbox; in reality they merely mimic the legitimate service in order to trick users into downloading the malware onto their systems.
The phishing email reads as follows:
Subject: A new document is available for download
Your company administrator has uploaded a secure document for you or your company.
Your ID: [email address]
Your unique download key: 6M4V74YEVMDHGR
This string of letters and numbers is a unique ID for the document you received.
To view or print the document please click here [link to dropboxsec[.]com]
The document associated with this unique ID opens. You can now sign, download and save, print, and perform “More” actions on the document, depending on the permissions the sender has given you.
Please contact your administrator for more information.
– The Dropbox Team
As is evident, the lure relies on social engineering to make the email believable. If the victim falls for it and clicks the link, the TrickBot payload is delivered instead of the promised “secure document” from Dropbox. A quick check exposes the hoax: the link points to dropboxsec[.]com, not to dropbox.com.
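The mismatch between the brand the email claims and the domains it actually links to is the kind of check a mail gateway or a SOC triage script can automate. The following Python script is an added example, not code from the original article or from any vendor: it parses a raw email, extracts every URL and the From address, and flags any registered domain that is not on a (constructed, deliberately minimal) allowlist for a brand the message invokes, distinguishing lookalikes that embed the brand name (dropboxsec.com) from plain off-brand links. The sample messages are constructed for this example; the eTLD+1 logic is a last-two-labels simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a minimal allowlist of domains that really belong to each brand.
# A production deployment would maintain a much fuller list.
BRAND_DOMAINS = {
    "dropbox": {"dropbox.com", "dropboxmail.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def registered_domain(hostname: str) -> str:
    """Crude eTLD+1: the last two labels. Adequate for .com lures like this
    one; use a public-suffix list for multi-part suffixes such as co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def _text_parts(msg):
    # walk() yields the message itself for a non-multipart mail.
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")


def _classify(brand: str, domain: str) -> str:
    return "lookalike" if brand in domain else "off-brand"


def brand_link_findings(raw_email: str) -> list:
    """Return one finding per sender domain or link whose registered domain
    does not belong to a brand the email invokes in its From name, Subject
    or body."""
    msg = message_from_string(raw_email)
    display_name, sender = parseaddr(msg.get("From", ""))
    body = "\n".join(_text_parts(msg))
    haystack = f"{display_name} {msg.get('Subject', '')} {body}".lower()
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if brand not in haystack:
            continue  # the mail does not claim to be from this brand
        sender_dom = registered_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
        if sender_dom and sender_dom not in legit:
            findings.append({"brand": brand, "where": "From", "domain": sender_dom,
                             "reason": _classify(brand, sender_dom)})
        for url in URL_RE.findall(body):
            dom = registered_domain(urlparse(url).hostname or "")
            if dom in legit:
                continue
            findings.append({"brand": brand, "where": url, "domain": dom,
                             "reason": _classify(brand, dom)})
    return findings


# Constructed sample modelled on the lure described above (not a real capture).
LURE_EMAIL = """\
From: "The Dropbox Team" <no-reply@dropboxsec.com>
To: victim@example.com
Subject: A new document is available for download
Content-Type: text/plain; charset=utf-8

Your company administrator has uploaded a secure document for you or your company.
Your unique download key: 6M4V74YEVMDHGR
To view or print the document please click here http://dropboxsec.com/download?key=6M4V74YEVMDHGR
Help: https://help.dropbox.com/
- The Dropbox Team
"""

# Constructed legitimate counterpart: every domain is on the allowlist.
LEGIT_EMAIL = """\
From: "Dropbox" <no-reply@dropbox.com>
To: victim@example.com
Subject: Someone shared a folder with you
Content-Type: text/plain; charset=utf-8

Open it here: https://www.dropbox.com/sh/example
"""

if __name__ == "__main__":
    for f in brand_link_findings(LURE_EMAIL):
        print(f"{f['reason']:9} {f['domain']:20} {f['where']}")
    print("legit mail findings:", brand_link_findings(LEGIT_EMAIL))
```

The help.dropbox.com link in the lure is correctly ignored because its registered domain is dropbox.com; the sender domain and the download link are both reported as lookalikes. Any hit of type "lookalike" is worth an automatic quarantine, since there is no benign reason for a third party to register a brand-bearing domain and link to it from a mail signed in that brand's name.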
The most recent variant of the malware contains a screenlocker component
The latest version of the malware emerged with this new malspam campaign; it was first spotted on 15 March 2018. The new variant contains a screenlocker element, apparently aimed at employees of organizations who rarely use their online banking while at work. TrickBot, originally a banking trojan, seems to have developed into a malware dropper in recent years.
Initially, TrickBot dropped a few modules onto the victim's system, each designed for a different function. The primary module is the banking trojan (which replaces the original banking site with a fake one). A second module was used to spread malware from infected computers. Finally, an SMB worm module was used to move laterally across large networks.
The new Dropbox-themed spam campaign delivers a file called tabDll32.dll (or tabDll64.dll), which carries three further files:
- Spreader_x86.dll – a self-replicating SMB worm that spreads to other networked computers by exploiting EternalRomance and other vulnerabilities.
- SsExecutor_x86.exe – once the first module is in place, this one roots itself into the system to provide boot persistence.
- ScreenLocker_x86.dll – the last module is not yet fully functional: it only locks the victim's screen and does not encrypt files.
TrickBot might evolve into full-blown ransomware
The latest version is designed to run the modules one after another, triggering the screen locker only after the worm has spread through the entire network. Researchers assume that the purpose of TrickBot might change very soon if the lock-screen functionality is fully developed: it would allow the attackers to encrypt victims' files and demand a ransom in return for a decryption key.
This business model seems far more efficient for the criminals, since users in large organizations are less likely to use their personal e-banking at work, whereas locking hundreds of computers can bring in much more profit.
Even though the last module is not yet fully developed, a fully working ransomware version might arise very soon. We therefore urge employees of organizations and regular users alike to take precautions:
- Never open attachments or click on links in emails from an unknown source; hover over a link and compare its real destination with the domain of the service it claims to come from;
- Install trusted security software and keep it up to date;
- Apply updates to the OS and applications as soon as they become available, as they may patch flaws that crooks can exploit (the SMB worm in this campaign relies on exactly such a vulnerability);
- Keep backups of your data and update them regularly;
- Set strong, unique passwords for each of your accounts and change them at least once a year.