Trickbot, one of the more persistent banking trojans in circulation, has been spotted in another spam campaign. This time the attackers have impersonated the prominent business analytics company Dun & Bradstreet.
The spam emails, presented as a ‘complaint’, contain malicious macros that deliver Trickbot. The campaign is reported to have been directed at people in the US.
The big picture
Domains registered with GoDaddy - The emails in this latest campaign were also observed to use multiple domains registered with GoDaddy.
“Today’s example of the spoofed domain is, as usual, registered via GoDaddy as registrar. Because of new GDPR rules, we cannot easily find the registrant’s name or any further details. dnbcomplaint.com hosted on & sending emails via 95.211.143[.]199 | 185.203.33[.]172 | 95.211.197[.]182 | 85.17.76[.]82,” myonlinesecurity.co.uk reported.
What can be done to prevent the infection?
Users are advised to disable macros from running automatically in Word documents. Newer versions of Microsoft Word usually have macros disabled by default.
Furthermore, any Word file received by email should be opened in “protected view”, which stops malicious activity such as malware or DDE exploits from running on the system.
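For mail administrators, the same advice can be backed by a check at the gateway. The following is an added example, not code from the article or from myonlinesecurity.co.uk: it flags Word attachments that carry a VBA macro project or a DDE field before they reach a user. The function names, the size limit and the sample documents are constructed for illustration, and field codes split across several runs are not reassembled.

```python
import io
import re
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc container
# DDE/DDEAUTO at the start of a Word field instruction
DDE_FIELD = re.compile(rb'(?:<w:instrText[^>]*>|w:instr=")\s*DDE(?:AUTO)?\b')
MAX_PART = 5 * 1024 * 1024   # assumed limit: do not decompress larger parts

def triage_attachment(data: bytes) -> list:
    """Return reasons to quarantine a Word attachment (empty list: none found)."""
    if data.startswith(OLE2_MAGIC):
        # Binary format: needs an OLE parser to inspect, so treat as suspect.
        return ["legacy OLE2 document: macros cannot be ruled out"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith("vbaproject.bin"):
                findings.append("VBA macro project: " + info.filename)
            elif name.startswith("word/") and name.endswith(".xml"):
                if info.file_size > MAX_PART:
                    findings.append("oversized part not scanned: " + info.filename)
                elif DDE_FIELD.search(zf.read(info)):
                    findings.append("DDE field: " + info.filename)
    return findings

def make_sample(parts: dict) -> bytes:
    """Build a constructed OOXML-like ZIP from {part name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples, not taken from the campaign
CLEAN = make_sample({"word/document.xml": b"<w:t>Complaint text</w:t>"})
MACRO = make_sample({"word/document.xml": b"<w:t>x</w:t>",
                     "word/vbaProject.bin": b"\x00"})
DDE = make_sample({"word/document.xml":
                   b"<w:instrText>DDEAUTO placeholder</w:instrText>"})

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("macro", MACRO), ("dde", DDE)):
        print(label, triage_attachment(sample))
```

An empty result means only that neither indicator was found; it does not establish that the document is safe to open outside protected view.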