Attackers create fake Office 365 site to push TrickBot trojan
- The TrickBot password-stealing trojan is disguised as Chrome and Firefox browser updates to deceive users.
- The fake Office 365 website closely resembles a genuine Microsoft site.
A new malware campaign that uses a fake Office 365 website has been discovered recently. The campaign delivers the TrickBot password-stealing trojan disguised as Chrome and Firefox browser updates.
How does it work?
According to Bleeping Computer, the fake Office 365 website closely resembles a genuine Microsoft site. In fact, all of its links point to pages hosted on Microsoft domains.
Users visiting this fake website are shown an alert telling them to update their browser to the latest version. The alert differs slightly for Chrome and Firefox users.
How does it look on browsers?
A Google Chrome user who visits the fake website is shown an alert titled ‘Chrome Update Center’. The alert says that Chrome needs to be updated because using the older version could lead to loss of data and browser errors.
Similarly, Firefox users see an alert titled ‘Firefox Update Center’. The content of the alert is the same as that displayed to Chrome users.
Execution of TrickBot
When the ‘Update’ button is clicked, an executable named ‘upd365_58v01.exe’ is downloaded. This executable later downloads the TrickBot trojan onto the computer. The trojan is disguised as a svchost.exe process in order to make it invisible in Task Manager.
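Because the trojan hides behind the svchost.exe name, a defender can check where each svchost.exe process runs from and what started it. The following is an added example, not code from the original article or from Bleeping Computer: it flags svchost.exe processes outside the Windows system directories or not launched by services.exe, and it assumes a Windows install at C:\Windows and process-creation records with hypothetical `pid`, `image` and `parent_image` fields; the sample events and their paths are constructed.

```python
import ntpath  # Windows path handling that also works on non-Windows analysis hosts

# The genuine svchost.exe lives in these directories (assumes Windows at C:\Windows).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# The genuine svchost.exe is started by the Service Control Manager.
LEGIT_PARENT = r"c:\windows\system32\services.exe"


def check_svchost(event):
    """Return the reasons a process-creation event looks like a fake svchost.exe."""
    image = ntpath.normpath(event["image"]).lower()
    if ntpath.basename(image) != "svchost.exe":
        return []  # not using the svchost.exe name, out of scope for this check
    reasons = []
    if ntpath.dirname(image) not in LEGIT_DIRS:
        reasons.append("svchost.exe outside System32/SysWOW64")
    parent = ntpath.normpath(event.get("parent_image", "")).lower()
    if parent != LEGIT_PARENT:
        reasons.append("parent is not services.exe")
    return reasons


def hunt(events):
    """Return (pid, image, reasons) for every suspicious svchost.exe event."""
    return [(e["pid"], e["image"], r) for e in events if (r := check_svchost(e))]


# Constructed sample events (field names and paths are assumptions, not from the article).
SAMPLE_EVENTS = [
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"pid": 4312, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "parent_image": r"C:\Users\alice\Downloads\upd365_58v01.exe"},
    {"pid": 5120, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 6001, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, image, reasons in hunt(SAMPLE_EVENTS):
        print(pid, image, "; ".join(reasons))
```
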
Advice for users
If you have come across any of these pages and clicked the ‘Update’ button, you should immediately run security scans on your computer. It is also recommended to change the passwords of the accounts you commonly use or have saved in your browser.