Fake Dun & Bradstreet Company Complaint Delivers Trickbot
(Mar 6, 2019)
A phishing email has been observed targeting users by masquerading as a company complaint email from "Dun and Bradstreet," a commercial data and analytics organisation, in order to install the Trickbot banking trojan. The email is sent from "email@example.com", a typosquatted address intended to trick users into opening the email attachment and enabling macros in the document. If a user enables macros, the malware drops several .bat files into the temp folder on the user's machine, then renames "bitsadmin.exe" to "ld0CIC0.exe" to bypass security software detection. The malware then calls out to a specified download site and downloads multiple binary files that together make up the full Trickbot payload to install on the infected machine.
Recommendation: Files that request that content be enabled in order to view the document properly are often a sign of a phishing attack. If such a file is sent to you by a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Any such file attachment sent by an unknown sender should be viewed with the utmost scrutiny; the attachment should be avoided and reported to the appropriate personnel.
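The renamed "bitsadmin.exe" described above can be detected by comparing a process's on-disk file name with the OriginalFileName stored in its PE version information, which does not change when the file is renamed. The following is an added example, not part of the original report; it assumes Sysmon-style process-creation records, and the sample events, user name and paths are constructed.

```python
import ntpath

# Binaries whose on-disk name should match their PE OriginalFileName.
# bitsadmin.exe is the one named in this report; extend the set as needed.
WATCHED = {"bitsadmin.exe"}

# Constructed sample records shaped like Sysmon Event ID 1 (process creation).
# User name, paths and parent processes are illustrative, not from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "OriginalFileName": "bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\ld0CIC0.exe",
     "OriginalFileName": "bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\BITSADMIN.EXE",   # case differs only
     "OriginalFileName": "bitsadmin.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Tools\unknown.exe",
     "OriginalFileName": "-",                          # no version info
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def find_renamed_binaries(events, watched=WATCHED):
    """Return events where a watched binary runs under a different file name."""
    findings = []
    for ev in events:
        original = (ev.get("OriginalFileName") or "").lower()
        if original not in watched:
            continue  # not a watched binary, or version info missing ("-")
        image = ev.get("Image") or ""
        # ntpath parses Windows paths correctly on any analysis host.
        if ntpath.basename(image).lower() != original:
            findings.append({
                "image": image,
                "original_name": original,
                "from_temp": "\\temp\\" in image.lower(),
                "parent": ev.get("ParentImage", ""),
            })
    return findings


if __name__ == "__main__":
    for hit in find_renamed_binaries(SAMPLE_EVENTS):
        print(hit)
```

The same comparison can be expressed as a rule in a SIEM or EDR that exposes both the image path and the original file name for process-creation events.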
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.