
Latest variant of Trickbot propagated via URL Redirection

  • Trickbot deploys additional modules for various nefarious tasks such as stealing browser data and system information, stealing credentials from Filezilla, Microsoft Outlook, and WinSCP.
  • The malware is also capable of injecting malicious code into browsers for monitoring online banking activity, searching through files, profiling the network, and exploiting the MS17-010 vulnerability for lateral movement.

Security researchers from Trend Micro spotted a new variant of the Trickbot trojan that is distributed via Redirection URL in a spam email campaign.

How is Trickbot distributed?

  • A spam email disguised as a notification that a processed order is ready for shipping is sent to targets.
  • The email includes a tracking number for the package, standard delivery disclaimers, contact details of the purported sender, as well as social media icons in order to add legitimacy.
  • However, the email contains an embedded malicious URL, which upon clicking redirects victims to a bogus website disguised as a webpage for reviewing online orders.
  • This bogus site downloads a compressed file that contains a Visual Basic Script onto the victim’s computer.
  • The VBS script then downloads and executes the Trickbot malware.
  • Once on the system, Trickbot deploys additional modules for various nefarious tasks such as stealing browser data and system information, stealing credentials from Filezilla, Microsoft Outlook, and WinSCP, injecting malicious code into browsers for monitoring online banking activity, searching through files, profiling the network, and exploiting the MS17-010 vulnerability for lateral movement.
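The chain above rests on two artefacts a mail gateway or analyst can check for before anything runs: a link whose trusted-looking host only redirects to another domain carried in a query parameter, and a downloaded archive whose payload is a Visual Basic Script. The following script is an added example written for this page, not code from Trend Micro or from the Trickbot research; the e-mail body, the host names and the archive contents are constructed, and it goes slightly beyond the article by flagging other Windows script host extensions alongside .vbs.

```python
"""
Defensive triage for the two artefacts in the infection chain above:
 1. an e-mail link that uses a known service to redirect to another host,
 2. an archive that carries a Windows script file.
All sample data below is constructed for this example.
"""
import io
import re
import zipfile
from urllib.parse import urlparse, parse_qs, unquote

# Constructed stand-in for the "order ready for shipping" lure body.
SAMPLE_EMAIL = """\
Your order #48213 has been processed and is ready for shipping.
Tracking number: 1Z999AA10123456784
Review your order: https://trusted-service.example/redirect?url=https%3A%2F%2Forder-review.example-bad.test%2Fview
Contact us: https://trusted-service.example/support
Follow us: https://social.example/company
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Extensions the Windows Script Host / mshta will execute directly.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")


def extract_urls(text):
    """Return every http(s) URL found in the text, in order of appearance."""
    return URL_RE.findall(text)


def embedded_redirect_target(url):
    """If any query parameter value is itself an absolute URL whose host differs
    from the outer URL's host, return that inner URL; otherwise return None."""
    outer = urlparse(url)
    for values in parse_qs(outer.query, keep_blank_values=True).values():
        for value in values:
            candidate = unquote(value)  # tolerate double-encoded parameters
            inner = urlparse(candidate)
            if (inner.scheme in ("http", "https") and inner.netloc
                    and inner.netloc.lower() != outer.netloc.lower()):
                return candidate
    return None


def triage_email(text):
    """Return (outer_url, inner_target) pairs for links that redirect off-host.
    Links to the service itself (support pages, social icons) are not reported."""
    findings = []
    for url in extract_urls(text):
        target = embedded_redirect_target(url)
        if target:
            findings.append((url, target))
    return findings


def scripts_in_archive(zip_bytes):
    """List member names inside a zip archive that are Windows script files."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist()
                if name.lower().endswith(SCRIPT_EXTENSIONS)]


def build_sample_archive():
    """Constructed stand-in for the downloaded archive: a zip holding an inert
    VBS file (a single comment line) next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order_Details.vbs", "' constructed placeholder, does nothing\n")
        zf.writestr("readme.txt", "constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for outer, inner in triage_email(SAMPLE_EMAIL):
        print(f"redirect link: {outer}\n   -> lands on: {inner}")
    for member in scripts_in_archive(build_sample_archive()):
        print(f"script inside archive: {member}")
```

The redirect check compares only the outer and inner host names, so a lure that redirects to a second page on the same trusted service is not reported; that is deliberate, since such links are also how the service is used legitimately. The archive check inspects member names without extracting anything.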

Worth noting

“Although using a link in malspam to spread Trickbot is not a particularly new technique, the way it uses this old trick might be its latest attempt to bypass spam filters using “good URLs” and abuse their services and/or functions,” researchers said in a blog.

“Since the URL in the email is that of a well-known service, the cybercriminals behind Trickbot might be betting on “masking” its infection and getting in a few more clicks in the infection chain with a stealthier approach,” researchers added.

Attackers target unsuspecting victims

Jon Clay, marketing manager at Trend Micro, noted that the attackers behind Trickbot know users easily fall prey to embedded URLs, clicking the link without first checking whether it leads to a legitimate domain.

“Utilizing a URL redirection from a known domain is a tactic used by other bad actors to fool unsuspecting victims into thinking the embedded URL within an email is legitimate,” Jon Clay said.
