Latest TrickBot Campaign Delivered via Highly Obfuscated JS File (Aug 5, 2019)

Another TrickBot variant has been identified by Trend Micro, spreading through spam. TrickBot can delete files on removable and network drives and steals information about the CPU, installed programs and services, IP configuration, memory, network configuration, operating system, and user accounts. The trojan is spread through spam email that prompts the user to open an attached Word document containing a JavaScript script, concealed by giving its text the same font colour as the page background. Once running, the JavaScript file counts the running processes and continues only if enough processes are running, an evasion check aimed at analysis environments with few processes.
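As an added example (not code from the page or from Trend Micro's analysis), the following Python script illustrates how a defender could triage a .docx for the concealment trick described above: text runs whose font colour equals their background, or runs carrying Word's hidden-text attribute, are extracted and scored for script-like tokens. The assumptions are a default white page background (no `w:background` element), a constructed token list, and a constructed sample document built in memory so the script runs offline.

```python
import io
import zipfile
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W_NS}
# Assumption: the page background is the Word default (white). A document with
# a w:background element would need that colour read instead.
PAGE_BACKGROUND = "FFFFFF"

# Constructed heuristic list: tokens common in script bodies, rare in prose.
SCRIPT_TOKENS = ("function", "var ", "eval(", "ActiveXObject", "WScript",
                 "unescape(", "String.fromCharCode")

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)


def build_sample_docx(hidden_text=None, visible_text="Please enable content to view."):
    """Build a minimal constructed .docx: one visible paragraph and, if
    hidden_text is given, one white-on-white paragraph carrying it."""
    hidden = ""
    if hidden_text is not None:
        hidden = ('<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr>'
                  f'<w:t xml:space="preserve">{escape(hidden_text)}</w:t></w:r></w:p>')
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        f'<w:p><w:r><w:t>{escape(visible_text)}</w:t></w:r></w:p>'
        f'{hidden}</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def run_text(run):
    """Concatenate the w:t text nodes directly under a run."""
    return "".join(t.text or "" for t in run.findall("w:t", NS))


def concealment_reason(run):
    """Explain why a run would be invisible on screen, or return None."""
    rpr = run.find("w:rPr", NS)
    if rpr is None:
        return None
    if rpr.find("w:vanish", NS) is not None:
        return "hidden-text attribute (w:vanish)"
    color = rpr.find("w:color", NS)
    if color is None:
        return None
    val = color.get(f"{{{W_NS}}}val", "").upper()
    shd = rpr.find("w:shd", NS)
    fill = shd.get(f"{{{W_NS}}}fill", "").upper() if shd is not None else "AUTO"
    if fill == "AUTO":          # no explicit run shading: page background shows
        fill = PAGE_BACKGROUND
    if val == fill:
        return f"font colour {val} matches background {fill}"
    return None


def script_score(text):
    """Count how many script-like tokens appear in the text."""
    return sum(1 for tok in SCRIPT_TOKENS if tok in text)


def scan_docx(data):
    """Return one finding per concealed run in the document body."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    for run in root.iter(f"{{{W_NS}}}r"):
        reason = concealment_reason(run)
        if reason is None:
            continue
        text = run_text(run)
        findings.append({"reason": reason, "chars": len(text),
                         "script_score": script_score(text), "preview": text[:60]})
    return findings


if __name__ == "__main__":
    # Constructed, harmless script body standing in for a concealed payload.
    sample = build_sample_docx('function f(){ var s = String.fromCharCode(72,105); return eval("s"); }')
    for finding in scan_docx(sample):
        print(finding)
```

The scanner only inspects `word/document.xml`; a fuller triage tool would also walk headers, footers and embedded parts, and would flag any run whose concealed text scores above a threshold for manual review rather than treating the score as a verdict.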

Recommendation: Always be on high alert while reading email, especially when it contains attachments. Use anti-spam and antivirus protection and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and tested backup solution in place for the unfortunate case of ransomware infection.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.