Recently, Subway UK confirmed that its marketing system was hacked and it was used to send out the notorious Trickbot malware-laden phishing emails to its customers. The story roots back to when BleepingComputer had observed a massive phishing campaign, pretending to be order confirmations from Subcard of Subway UK, that targeted people from the U.K.
A highly-targeted Subway phishing campaign
- The threat actors were successful in gaining access to Subway UK customers' names and email addresses by hacking a Subcard server responsible for its email campaigns.
- The Subcard server was used to send out malicious emails including a link to a weaponized Excel document containing an order confirmation.
- These links redirected the users to various hacked websites such as FreshBooks phishing page, etc. which will download a password-protected Excel spreadsheet.
- The Excel documents would ultimately install the recently observed latest version of the TrickBot malware (TrickBot v100).
- The analysis shows that the downloaded TrickBot malware is a DLL that will be injected into the legitimate Windows Problem Reporting executable directly (wermgr.exe) from memory to evade detection by security software and will look like a legitimate process in Task Manager.
Recent Trickbot incidents
- In early-December, TrickBot malware was seen expanding its toolset by adding TrickBoot to inspect the UEFI/BIOS firmware of targeted systems, granting the attackers an effective mechanism of persistent malware storage.
- In November, TrickBot operators had added the LightBot tool to its arsenal to scope out an infected victim's network for high-value targets.
Experts recommend infected users to check for the current version of TrickBot by opening Task Manager and looking for a process named 'Windows Problem Reporting.' If that process is found, users should click on the End Task button, to terminate it. The versatility of Trickbot malware yet again shows how persistent Trickbot malware operators are.