The Google Docs online word processor is being used by attackers to disseminate TrickBot banking Trojan payloads to unsuspecting victims via executables camouflaged as PDF documents.
Phishing is a social engineering technique attackers use to deceive their targets into handing over sensitive information, either by redirecting them to fraudulent websites under the attackers’ control or by delivering malicious payloads via e-mails crafted to look as if they were sent by someone the target trusts.
The phishing messages in this malspam campaign are legitimate notification e-mails generated by sharing a Google Docs document with the targets; the shared document contains a fake 404 error message and a link to the malicious payloads.
TrickBot payloads delivered via Google Docs
By using legitimate Google Docs document sharing emails and landing pages, the attackers successfully bypassed a secure email gateway designed to monitor emails and stop such attacks in their tracks, as Cofense’s research team discovered.
To redirect the targets to the Google Docs landing page, the attackers have added an “Open in Docs” button within the phishing email. Once on the landing page, the targets see the fake 404 error and are asked to download the document manually.
Instead of the promised document, the victims download the malicious payload camouflaged as a PDF document through a .pdf.exe double extension, which takes advantage of the default Windows setting that hides extensions for known file types.
After being executed, the malware copies itself to multiple folders and gains persistence by adding a scheduled task that launches one of its copies at system startup and every 11 minutes for the next 414 days.
The banking Trojan will also inject itself into svchost processes and it will keep “launching more and more Svchost’s if you let it run. Each of these are typically responsible for a module of Trickbot,” as Cofense found.
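As an added example (not part of the Cofense write-up or this article), a small Python checker that applies the two defender-relevant points above: a document-style name hiding an executable extension, and a scheduled task that re-launches a binary from a user-writable path at a short interval for a long duration. The extension lists, the path pattern and the thresholds are assumptions chosen for this example.

```python
import re
from pathlib import PureWindowsPath

# Extensions an attacker might mimic, and extensions Windows actually executes
# when "hide extensions for known file types" conceals the real suffix.
# Both lists are assumptions for this example, not from the article.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# User-writable locations a dropped copy would typically live in (assumption).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+)\\", re.IGNORECASE)


def is_disguised_executable(filename: str) -> bool:
    """True for names like 'invoice.pdf.exe', which Explorer renders as
    'invoice.pdf' when known extensions are hidden."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DOCUMENT_EXTS


def suspicious_schedule(interval_minutes: int, duration_days: int,
                        command: str) -> bool:
    """Flag a task that re-runs a binary from a user-writable path at a short
    interval for a very long time (thresholds are assumptions)."""
    return (interval_minutes <= 15 and duration_days >= 365
            and USER_WRITABLE.search(command) is not None)


def scan_events(events: list[dict]) -> list[str]:
    """Apply both checks to a list of constructed event records."""
    alerts = []
    for ev in events:
        if ev["type"] == "file_create" and is_disguised_executable(ev["path"]):
            alerts.append(f"double-extension executable: {ev['path']}")
        elif ev["type"] == "task_create" and suspicious_schedule(
                ev["interval_min"], ev["duration_days"], ev["command"]):
            alerts.append(f"short-interval persistence task: {ev['name']}")
    return alerts


if __name__ == "__main__":
    # Constructed sample events, not real telemetry.
    sample = [
        {"type": "file_create", "path": r"C:\Users\alice\Downloads\Document.pdf.exe"},
        {"type": "file_create", "path": r"C:\Users\alice\Downloads\report.pdf"},
        {"type": "task_create", "name": "WinDefrag", "interval_min": 11,
         "duration_days": 414, "command": r"C:\Users\alice\AppData\Roaming\WinDefrag\doc.exe"},
        {"type": "task_create", "name": "Backup", "interval_min": 1440,
         "duration_days": 1, "command": r"C:\Windows\System32\wbadmin.exe"},
    ]
    print("\n".join(scan_events(sample)))
```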
The Cofense Phishing Defense Center provides indicators of compromise (IOCs) for this phishing campaign at the end of their write-up, including malware sample hashes, URLs and IP addresses used in the attacks.
Frequently upgraded and highly active banking Trojan
TrickBot (also known as Trickster, TrickLoader, or TheTrick), the malicious payload distributed through this phishing campaign, is an ever-evolving banking Trojan that has been continuously upgraded with new modules and capabilities since its discovery in October 2016.
While in the beginning it only exfiltrated as much sensitive data as possible to its operators, it has now also become a popular malware dropper capable of infecting compromised machines with other malware strains such as ransomware.
TrickBot is one of the most aggressive malware strains these days after replacing Emotet as the most actively distributed strain via malspam campaigns, with upgrades added to new versions spotted by security researchers on an almost weekly basis.
In August, a new TrickBot Trojan variant was seen targeting Verizon Wireless, T-Mobile, and Sprint users to steal their PIN codes using new dynamic webinjects, hinting at the botnet operators’ possible involvement in, or plans to run, a SIM swap fraud scheme that would enable them to take full control over their victims’ phone numbers.
In July alone, the TrickBot Trojan received an upgrade adding a new IcedID proxy module to steal banking info, Windows Defender circumvention capabilities, and a module designed specifically for stealing browser cookies.
CrowdStrike and FireEye researchers also found in January that TrickBot was moving to an Access-as-a-Service business model allowing other threat actors to gain access to previously compromised machines and networks.
Once a device was infected and added to the botnet, the Trojan would create reverse shells back to the ‘renters’, as was the case for the hacker group behind Ryuk, allowing them to move laterally through the network and drop their payloads on other machines.
Phishers changing baits
Several other phishing campaigns using a broad range of techniques and methods for stealing their targets’ sensitive info were detected in the last couple of months.
For instance, this week attackers used fake resume attachments to deliver Quasar Remote Administration Tool (RAT) malicious payloads, while Instagram users were targeted with phishing emails using fake ‘failed login attempt’ warnings coupled with 2FA codes to make the scam more convincing.
Also in August, an unusual campaign probed email inboxes with emails linking to the targets’ company-branded Microsoft 365 tenant login pages.
Microsoft security researchers discovered yet another quite peculiar attack which employed custom 404 error pages to trick potential victims into handing over their Microsoft credentials.