- The affected states include California, Maryland, Illinois, New York, Texas, Minnesota, and New Jersey.
- The attacks were carried out using phishing emails.
The infamous TrickBot trojan has returned in a massive phishing attack targeting several states in the U.S. The affected states include California, Maryland, Illinois, New York, Texas, Minnesota, and New Jersey.
How did it operate?
According to researchers from 360 Total Security Center, the attacks were carried out using phishing emails.
- The phishing emails used two lure keywords, ‘receipt’ and ‘invoice’, to trick users into opening the attachment.
- The attachment was disguised as a Zip file and contained two files, namely ‘Attention.txt’ and ‘ReceiptandInvoice’.
- The ‘Attention.txt’ file was designed to lure victims into opening the second file.
- The ‘ReceiptandInvoice’ file is only a shortcut whose icon is disguised as an invoice message. Once a victim clicks on the file, it triggers a VBS script, which ultimately results in the download of the trojan.
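
A mail-gateway style check for the attachment layout described above, as an added example that is not part of the original report: it flags Zip members that are Windows shortcuts by their file header rather than by name, and notes the lure keywords. The function names, the result fields and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Shell Link (.lnk) files start with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
LURE_WORDS = ("receipt", "invoice")  # keywords named in the report


def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member whose content is a shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head != LNK_MAGIC:
                continue  # not a shortcut, whatever the name says
            name = info.filename.lower()
            findings.append({
                "member": info.filename,
                "lure_words": [w for w in LURE_WORDS if w in name],
                # True when the name gives no hint that this is a .lnk file
                "name_lacks_lnk_ext": not name.endswith(".lnk"),
            })
    return findings


def build_sample(shortcut_name: str = "ReceiptandInvoice") -> bytes:
    """Constructed sample: text files plus a header-only, inert shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Attention.txt", "Please open the invoice.")
        zf.writestr(shortcut_name, LNK_MAGIC + b"\x00" * 56)
        zf.writestr("notes.txt", "receipt and invoice attached")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding)
```

Matching on the header catches the shortcut even when the member name carries no `.lnk` extension, which is how the file is named in the report.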
How does TrickBot evade detection?
After TrickBot is successfully installed, it uses a variety of code obfuscation techniques to hide itself. The modules used by the malware are:
- Wormdll32 - It is a worm module that infects workstations or servers that use the SMB and LDAP protocols.
- Psfin32Dll - It is used to query the Active Directory Services (ADS) domain through LDAP statements.
- network32Dll - It is used to collect information about the current network.