Trickbot trojan evades Proofpoint gateway using Google Docs

• Once the victims click on the link, they are redirected to a genuine Google Docs page which contains a fake 404 error message and another embedded link.
• The malicious payload is downloaded as a PDF file on victims’ computers.

The ever-evolving Trickbot trojan is never leaving a chance to surprise security analysts. This time the malware has made it through Proofpoint’s gateway using a Google Docs link.

How does it operate?

According to researchers from Cofense, threat actors behind the phishing campaign delivered the Trickbot embedded in a Google Docs link. Since Google Docs is a trusted and legitimate application, it simplified the job of threat actors to bypass the email gateway and lure users to click the link.

To arise curiosity among the recipients, the email goes with a message which says, “Have you already received documentation I’ve directed you recently? I am sending them over again.”

Once the victims click on the link, they are redirected to a genuine Google Docs page which contains a fake 404 error message and another embedded link. The recipients are then tricked into downloading the document manually via the link which actually downloads the malicious payload. This malicious payload is downloaded in the form of a PDF file on victims’ computers.

“Once the URL links to a file hosted on Google drive, it downloads a Review_Rep.19.PDF.exe which has been disguised as PDF file. Many recipients will not see the .exe file extension. It’s something that you need to specifically enable in Windows. So, to them it looks like a legitimate PDF file since the attacker uses the icon for a PDF,” added the researchers.

What happens next?

Once the payload is executed it creates a copy of itself in C:\ProgramData, where it undertakes control over the execution of the malware. Furthermore, it creates another copy in “C:\Users\REM\AppData\Roaming\speedLan” which also includes the config file for Trickbot.

The trojan also sets a task that starts the malicious file from the ‘Speedlan’ folder. By looking at the Triggers tab, researchers note that ‘it has been set to repeat itself every 11 minutes for 596843 minutes for this particular version of Trickbot.’