Malspam campaign bypasses secure email gateway using Google Docs

Attackers are using Google Docs to deliver the TrickBot banking Trojan to unsuspecting victims via camouflaged as PDF documents.

Security experts at Cofense uncovered a malspam campaign the leverages Google Docs to deliver the TrickBot banking Trojan to unsuspecting victims via executables camouflaged as PDF documents.

TrickBot is a popular banking Trojan that has been around since October 2016, its authors has continuously upgraded it by implementing new features. For example, in February Trend Micro detected a variant that includes a new module used for Remote App Credential-Grabbing.

Initially, TrickBot only included banking Trojan capabilities, over the years the authors implemented new features such as the ability data-stealing functionalities and the capability to drop other payloads.

Recently researchers at Secureworks Counter Threat Unit (CTU) discovered a new TrickBot version that includes new dynamic webinjects in attacks aimed at U.S. mobile users.

“The Cofense Phishing Defense Center (PDC) has detected a phishing campaign that delivers Trickbot embedded in a Google Docs link.” reads the analysis published by Cofense. “The email attempts to lure curious users to click on the link: “Have you already received documentation I’ve directed you recently? I am sending them over again.” This is a legitimately generated email by Google Docs when a file is shared by one of its subscribers. Unknowingly, the recipient is directed to a document hosted on Google that contains a malicious URL.”

The Google Docs document shared with the targets containing a fake 404 error message and a link to the malicious payloads, by using this scheme the attackers successfully bypassed a  Proofpoint secure email gateway used by one of Cofense customers.

The spam messages include an “Open in Docs” button, once clicked the victims will be redirected to the Google Docs landing page containing the fake 404 error and are instructions to manually download the document.

Google Docs malspam

The victims download the malicious payload camouflaged as a PDF document (with a .pdf.exe extension), this is possible because default Windows setting hides extensions for known file types.

Once the payload is executed, it will copy itself (egолаСывЯыФЙ) to multiple folders and add a scheduled task to gain persistence. The task will launch one of its copies on system startup and every 11 minutes for the next 414 days. The banking Trojan will also inject itself into processes.

“This then hollows out Svchost, injects its malicious code, and launches it. It keeps launching more and more Svchost’s if you let it run. Each of these are typically responsible for a module of Trickbot.” continues the analysis.

Cofense report includes indicators of compromise (IOCs) for this malspam campaign.

Pierluigi Paganini

(SecurityAffairs – Trickbot, malware)

The post Malspam campaign bypasses secure email gateway using Google Docs appeared first on Security Affairs.

Security Affairs

Are you looking for products for hacking, cybersecurity, and penetration testing? Do you need to cleanse your smartphone, PC, or website from viruses and malware? Do you need to track down a person or recover urgent information? Do you need to regain control of an account, email, or password that has been stolen from you? Interested in purchasing pre-configured devices to easily and quickly experiment with hacking techniques? Do you have specific requirements in software or hardware? We can assist you!

Contact us immediately for immediate assistance: provide us with details via email or WhatsApp about the type of support you need, and we will respond you promptly!

Fill out and submit the form below to send us an immediate support request

Write your email address here

Write here how we can help you - we provide immediate support for all your needs!