Attackers are using Google Docs to deliver the TrickBot banking Trojan to unsuspecting victims via camouflaged as PDF documents.
Security experts at Cofense uncovered a
TrickBot is a popular banking Trojan that has been around since October 2016, its authors has continuously upgraded it by implementing new features. For example, in February Trend Micro detected a variant that includes a new module used for Remote App Credential-Grabbing.
Initially, TrickBot only included banking Trojan capabilities, over the years the authors implemented new features such as the ability data-stealing functionalities and the capability to drop other payloads.
Recently researchers at Secureworks Counter Threat Unit (CTU) discovered a new TrickBot version that includes new dynamic
“The Cofense Phishing Defense Center (PDC) has detected a phishing campaign that delivers Trickbot embedded in a Google Docs link.” reads the analysis published by
The Google Docs document shared with the targets containing a fake 404 error message and a link to the malicious payloads, by using this scheme the attackers successfully bypassed a Proofpoint secure email gateway used by one of Cofense customers.
The spam messages include an “Open in Docs” button, once clicked the victims will be redirected to the Google Docs landing page containing the fake 404 error and are instructions to manually download the document.
The victims download the malicious payload camouflaged as a PDF document (with a
Once the payload is executed, it will copy itself (egолаСывЯыФЙ) to multiple folders and add a scheduled task to gain persistence. The task will launch one of its copies
“This then hollows out Svchost, injects its malicious code, and launches it. It keeps launching more and more Svchost’s if you let it run. Each of these