Hat Trick: Office Macros, VBS and CVEs highlight TrickBot’s June Debut

Share Now

Facebook
Twitter
LinkedIn

Microsoft 365

Mimecast

Cisco Email Security

Symantec

ProofpointBy Zachary Bailey and Alex Geoghagan, Cofense Phishing Defense Center

TrickBot is a notorious banking trojan that was commonly seen in the last couple of years in tandem with Emotet and Ryuk, and was dubbed a “triple threat” by various security researchers. However, TrickBot is now looking to score a hat trick on SEGs (secure email gateways) by utilizing three new components in its infection chain. This campaign delivers DOCX files that exploit the CVE-2017-0199 vulnerability. Employees are advised to never enable macros when they open Office documents, but this CVE leverages an embedded link that will immediately call out to a DOT payload, bypassing normal security checks. This new file includes a VBS script that will download the final executable.

This threat was first spotted by the Cofense Phishing Defense Center (PDC) in early June, targeting companies in the retail, building materials, manufacturing, insurance and construction industries. Primarily customers using the Microsoft 365 SEGs were affected by this campaign, although other customers implementing Microsoft 365 alongside additional SEGs were also impacted. Both infection URLs in the campaign reference Microsoft 365: “micrsoft365[.]live” and “mcsoft365[.]club”. Utilizing high-profile domains like these for a single campaign suggests a strong focus on the Microsoft SEG.

Inserting image...

Figure 1: Email body

In Figure 1, we see that the email template used in this campaign references a W9 form in the subject, but the Word document is named “invoice.” It also gives a random number in the subject as a quote number. The remainder of the message is concise and to the point, concluding with a signature related to the owner of the compromised email.

Figure 2: DOCX template

The Microsoft Word document in Figure 2 takes a different approach from what the Cofense PDC usually analyzes. Microsoft has enforced that Office macros users enable editing so, naturally, the document will have a large banner image walking the user through the steps to disable macros protection. During preview, the user will see a legitimate-looking finance agreement and not the usual templates that raise red flags. However, the “ERR121” message appended to the bottom is interesting because macros do not need to be enabled in the first place to launch CVE-2017-0199.

Figure 3: DOT template

When Microsoft Word downloads a file as an OLE object, in the case of CVE-2017-0199, it is automatically launched. The DOT template seen in Figure 3 is blank, unlike the initial DOCX file. This file does not need a template because the user does not see it, as the prior exploitation opens and closes the file. From here, the Office Macro will create a folder “DocumentsAdobe Help Center” and copy a VBS script over to it. The VBS script will then be launched using Wscript.exe.

Figure 4: Office macros

Most Office macro infections begin with the Auto_Open() function, but this sample utilizes a function that is called when the document is closed. When that occurs, it launches a WScript shell with self-contained VBS code. The document macros also create a new folder called “Adobe Help Center” and place several files in it, including the “HelpCenterUpdater.vbs”.