TrickBot payload is inserted into a malicious MS Excel document, attached to a phishing email that pretends to be from a North American bank
A new version of the notorious banking trojan TrickBot was spotted in the wild by security researchers from Blue Hexagon. In addition to its already-known anti-debugging techniques, this variant uses an improved encryption procedure in the PowerShell script, as well as a more sophisticated data-stealing module. Additionally, the threat is now actively targeting cryptocurrency wallets.
Researchers explained in the blog post that the threat is delivered through a new phishing campaign that begins with a malicious Excel document attached to a spoofed email, which allegedly comes from American banks like JP Morgan Chase or Bank of America.
Once permission to run macros is granted, the script downloads and installs the TrickBot payload, which is hosted on hacked websites, including those of a Jamaican Police Department in Texas and a Canadian CPA firm. Thanks to its improved functionality, the malware evades detection by most AV engines, although the detection rate is improving over time.
The phishing email
One of the emails delivering the new variant of TrickBot comes from the address Sarah.Kochan@tdbankmail.com, purportedly a TD Bank representative. Judging by the body and subject line (Company ACH file failure), the phishing email appears to be aimed at IT personnel rather than general staff. The message reads:
Hi there, I see a file failed today and another on Feb 01. The failed reason is the hash totals not matching the file.
Do you know if something is being deleted after the file is generated from the software? This could cause the hash total differences.
I have attached the file to this email, please check and get back to me.
Sarah Kochan | CM Technical Spec I | CP&S
Mailstop NJ5-002-121 | 6000 Atrium Way, Mt. Laurel, NJ 08054
T: 856-533-4784 | F: 856-533-6570 | Client Support: 866-475-7262
The bank that the crooks are impersonating, TD Bank, has not been hacked, nor has its email been compromised. Attackers use a simple trick to imitate governmental institutions, high-profile companies, banks, the health sector, and similar organizations: they register a new domain whose name closely resembles the genuine one. Users who do not look carefully can easily miss the deception.
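As an added illustration (not code from the Blue Hexagon post), the check below parses a constructed message modelled on the email above and flags a sender domain that embeds the bank's name without being one of its genuine domains; the allowlist of genuine domains (td.com, tdbank.com) is an assumption for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of genuine sender domains for this example; in a real
# mail filter this would come from the bank's published domains.
GENUINE_DOMAINS = {"td.com", "tdbank.com"}
# Brand pattern attackers embed in lookalike domains ("tdbankmail", "td-bank" ...)
BRAND_PATTERN = re.compile(r"td[-_.]?bank")

# Constructed sample message modelled on the phishing email described above
SAMPLE_EMAIL = """From: Sarah Kochan <Sarah.Kochan@tdbankmail.com>
To: accounts@example.invalid
Subject: Company ACH file failure

Hi there, I see a file failed today. I have attached the file to this email.
"""


def sender_domain(raw_message):
    """Return the lowercase domain of the From: header, or None if absent."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def classify_domain(domain):
    """
    'genuine'   - the domain is, or is a subdomain of, an allowlisted domain
    'lookalike' - not genuine, but contains the brand name (e.g. tdbankmail.com)
    'unrelated' - anything else (or no parseable address)
    """
    if domain is None:
        return "unrelated"
    for good in GENUINE_DOMAINS:
        if domain == good or domain.endswith("." + good):
            return "genuine"
    if BRAND_PATTERN.search(domain):
        return "lookalike"
    return "unrelated"


def classify_sender(raw_message):
    """Convenience wrapper: classify the From: domain of a raw RFC 822 message."""
    return classify_domain(sender_domain(raw_message))


if __name__ == "__main__":
    print(sender_domain(SAMPLE_EMAIL), "->", classify_sender(SAMPLE_EMAIL))
```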
TrickBot – an ever-evolving threat that is expanding its campaigns
The blog post authors Irfan Asrar and Mehdi Ansari noted that TrickBot previously targeted European banks like Lloyds. However, the experts have not yet seen any sign of the new variant moving toward European users:
Compared to previous campaigns, there is a distinct shift in tactics. There has always been a unique focus on European banks by TrickBOT more than North American banks, but after a few days of monitoring, we still have not seen the new campaign move into Europe. We expect the next big push will be using themes around European banks; if not, this will signal a new direction as far as business tactics go for the authors of TrickBOT.
TrickBot is one of the most prolific data-stealing threats. It has been propagated via malicious spam emails and its functionality has been improved several times. In previous campaigns, TrickBot managed to encrypt files, lock the screen, and utilize the EternalBlue exploit. Its developers show no sign of backing down, as new and improved variants keep emerging.
As usual, we recommend that users be careful with phishing emails. If you receive an email from an organization demanding that you click on links or open an attachment, use extreme caution. Never enable macros in MS Office documents. Additionally, make sure your office suite is up to date, because older versions might not display a warning and will infect your computer straight away.