Trickbot Watch: Arrival via Redirection URL in Spam


Trickbot Watch: Arrival via Redirection URL in Spam (May 20, 2019)

Trend Micro researchers have found a variant of the banking trojan “Trickbot” being distributed via spam emails that attempt to trick the recipient into following a malicious URL. The spam email claims that an order has been processed and asks the recipient to visit a hyperlink for a payment reference; it even adds social media tags in the body of the email in an attempt to appear more authentic. This Trickbot variant was observed using “Google to redirect from the URL hxxps://google[.]dm:443/url?q=,” with the query string carrying the malicious URL that downloads Trickbot. The downloader page impersonates an order review page and claims that the order review will be downloaded in three seconds. The download is a .zip file containing a Visual Basic Script (VBS) that is actually the Trickbot downloader. Trickbot has numerous malicious capabilities, such as stealing browser data, credentials, and system information, among other functions.

Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
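A mail-filter style check for the redirection described above, as an added example that is not from Trend Micro or the original write-up: it finds Google `/url?q=` links in a message body and reports the off-Google destination each one carries. The host regex, function names and sample message (including the placeholder destination host) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Heuristic (assumption): google.<tld>, google.co.<cc> or google.com.<cc>, optional www.
GOOGLE_HOST = re.compile(r"^(?:www\.)?google\.(?:[a-z]{2,3}|com?\.[a-z]{2})$")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample message; the destination host is a placeholder.
SAMPLE_BODY = (
    "Your order has been processed. Payment reference:\n"
    "hxxps://google[.]dm:443/url?q=hxxps%3A%2F%2Fdownloads[.]example[.]test%2Forder-review\n"
    "Follow us: https://www.example.org/social\n"
)

def refang(text):
    """Undo the common hxxp / [.] defanging so URLs parse normally."""
    return text.replace("hxxp", "http").replace("[.]", ".")

def redirect_target(url):
    """Return the URL carried in q= if `url` is a Google /url redirector, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return None
    host = (parts.hostname or "").lower()
    if not GOOGLE_HOST.match(host) or parts.path != "/url":
        return None
    for value in parse_qs(parts.query).get("q", []):  # parse_qs percent-decodes
        if value.lower().startswith(("http://", "https://")):
            return value
    return None

def scan_body(body):
    """List redirector links whose destination is outside Google."""
    findings = []
    for url in URL_RE.findall(refang(body)):
        target = redirect_target(url.rstrip(".,;)"))
        if target is None:
            continue
        dest_host = (urlsplit(target).hostname or "").lower()
        if not GOOGLE_HOST.match(dest_host):
            findings.append({"link": url, "destination": target, "host": dest_host})
    return findings

if __name__ == "__main__":
    for finding in scan_body(SAMPLE_BODY):
        print(f"redirect via Google to {finding['host']}: {finding['destination']}")
```

Matching on the parsed hostname rather than a substring keeps look-alike hosts such as `google.dm.evil.test` from being treated as the redirector.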

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.