Subway UK Marketing System Hacked to Send TrickBot-Laden Phishing Emails

A highly-targeted Subway phishing campaign

• The threat actors were successful in gaining access to Subway UK customers' names and email addresses by hacking a Subcard server responsible for its email campaigns.
• The Subcard server was used to send out malicious emails including a link to a weaponized Excel document containing an order confirmation.
• These links redirected the users to various hacked websites such as FreshBooks phishing page, etc. which will download a password-protected Excel spreadsheet.
• The Excel documents would ultimately install the recently observed latest version of the TrickBot malware (TrickBot v100).
• The analysis shows that the downloaded TrickBot malware is a DLL that will be injected into the legitimate Windows Problem Reporting executable directly (wermgr.exe) from memory to evade detection by security software and will look like a legitimate process in Task Manager.

Recent Trickbot incidents

• In early-December, TrickBot malware was seen expanding its toolset by adding TrickBoot to inspect the UEFI/BIOS firmware of targeted systems, granting the attackers an effective mechanism of persistent malware storage.
• In November, TrickBot operators had added the LightBot tool to its arsenal to scope out an infected victim's network for high-value targets.

Preventive measures