New Trickbot variant found using highly obfuscated JS file for propagation

• The malware variant is capable of stealing various system information.
• The new variant is named as TrojanSpy.Win32.TRICKBOT.TIGOCDC.

A new variant of Trickbot trojan named TrojanSpy.Win32.TRICKBOT.TIGOCDC has been discovered recently. The variant leverages a heavily obfuscated JavaScript file for propagation.

What are its capabilities?

Discovered by researchers from Trend Micro, the malware variant is capable of stealing various system information. This includes OS, CPU, memory information, user account, installed programs & services, and IP configuration. It is also capable of capturing network information such as configuration, users and domain settings.

The Trickbot variant also gathers credentials from the various applications including Filezilla, Microsoft Outlook, PuTTy, RDP, VNC, and WinSCP.

From the web browser, the malware can steal Autofills data, billing info, browser history, credit card data, internet cookies, usernames, and passwords.

The malware also uses a PoS extraction module called psfin32 which identifies PoS-related terms located in the domain of interest.

How does it spread?

The attackers gain initial entry into systems through phishing emails that purport to be a subscription notification. The email informs that an application that includes a three-year subscription and settled sum of money has been sent on behalf of the user. It ends by prompting the users that should check the details of all the settlement and subscription information by visiting the attached document.

However, the document contains malicious JS script and once if it is opened, results in the download of the malware variant.

“Upon successfully deobfuscating the file, we were able to analyze it and observed some interesting behaviors. Upon execution, it will display a fake Microsoft error to trick the user with an error message that pops up after enabling the macro. But actually, the JS file is already running in the background,” researchers explained.

How widespread is the infection?

Based on Trend Micro’s telemetry, this Trickbot campaign has affected the United States the most. It has also distributed spam to China, Canada and India. For maintaining persistence, the malware creates a copy of itself into the Startup folder as Shell.jse.