Cofense Intelligence™ recently identified a TrickBot campaign that was noteworthy not for its exceptional guile or novel technique, but rather for its lack thereof. Absent any images or convincing textual narrative, the campaign lacks all the hallmarks of this TrickBot distribution group’s modus operandi.
Typically, TrickBot distributors go to great lengths to ensure their social engineering content is as believable as possible. They do so by structuring emails in a way that closely resembles the wording and branding images of the financial institution they are imitating. Figures 1 and 2 depict the differences between the old and new message structure.
Figure 1: Example of an HMRC-imitating campaign, including legitimate domains and images
Figure 2: Example Barclays phish, initiated by the same group, which lacks the visual and textual astuteness seen with the group’s other campaigns
These Barclays messages contain both plaintext and HTML MIME parts, which are displayed in a near-identical fashion. Figure 3 details the source of the Barclays phish.
Figure 3: The source of the Barclays phish message body; note the use of DKIM and the overall well-structured header
DKIM is used to give credence to the message by ensuring it has not been tampered with en route and that it originated from the sending domain, or, more accurately, that the sender controls the purported sending domain’s DNS. The DKIM inclusion could lead inexperienced analysts to believe that the message is legitimate because it uses PKI, but this is not the case. DKIM relies upon DNS to distribute the public key, while the private key is generated by the sending server; whoever controls a domain’s DNS can publish a key and sign mail for that domain. Authentication or identification of the sender is not part of the deal.
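As an added illustration of that point (example code written for this post, not Cofense tooling), the following Python parses the DKIM-Signature header of a constructed message with placeholder domains, shows where the public key would be fetched from, and checks whether the signing domain (d=) aligns with the From: domain, which is all a DKIM pass plus DMARC alignment can ever tell you.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not taken from the Cofense report). The sending
# domain is a placeholder standing in for a domain the phisher controls; note the
# display name imitates a bank while the signed domain is unrelated to it.
SAMPLE = """From: "Barclays Online" <alerts@sender-example.net>
To: victim@example.com
Subject: Account notice
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sender-example.net;
 s=mail; h=from:to:subject; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=
Content-Type: text/plain

Dear customer, click here.
"""


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()  # also drops folding whitespace from continuation lines
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_key_record(tags):
    """DNS TXT name the verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def org_domain(domain):
    # Simplified organizational domain (last two labels); real DMARC uses the PSL.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def dkim_alignment(raw_message):
    """Return (signing_domain, from_domain, aligned).

    A valid signature proves only that the signer controls DNS for d=; DMARC
    alignment adds that d= matches From:. Neither says who the signer really is.
    """
    msg = message_from_string(raw_message)
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    return tags["d"], from_domain, org_domain(tags["d"]) == org_domain(from_domain)
```

For the sample above both checks pass, so an analyst still has to compare the signed domain against the brand named in the display name and body rather than treat "dkim=pass" as a verdict.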
Additionally, the message body contains inconsistent structures and formatting, sparse language, and excessive punctuation. All these inclusions run utterly counter to the standards observed from this group.
Why the New Look?
Cofense Intelligence assesses there are multiple possible explanations for this anomalous TrickBot lure:
- The campaign was undergoing early-stage deliverability testing and was mistakenly or prematurely released to the target distribution group.
- The campaign was subject to an automated template generator, which failed.
- The campaign was styled this way deliberately to test the effectiveness of a new type of simple lure designed to reach a broad target audience.
Based on our understanding of the group we believe to be behind this campaign, the most likely explanation for this deviation is a mistake during either the testing or distribution phase. Across several other campaigns we have analyzed and assessed with high confidence to be tied to the same group, they seldom make so much as a grammatical mistake. This new “simple” type of phishing lure appears to fall well outside of their standard tactics, techniques, and procedures (TTPs).
However, it is still possible that this campaign was drafted this way deliberately to test the effectiveness of a new lure. Though the messages are very general and the inclusion of multiple languages appears odd, the messages include a well-structured header and properly set up DKIM. While less likely than the other hypotheses due to the message body flaws, the inconsistencies in the language sections, and known author TTPs, it is certainly feasible this was an attempt to bypass gateways that may have rulesets searching for specific content.
Despite the potential that this campaign was a misfire, it was still functional enough to serve its malicious content. Furthermore, the multi-language inclusion reaffirms the global targeting. Given the lack of legitimate images and content wrapping the malicious URL, it is possible that this campaign was intended to sacrifice credibility in order to bypass gateways. Regardless of the reason for this unusual campaign, it remains more likely to reach its targets’ inboxes, and therefore your last line of defense: the user.
Ultimately, threat actors are always working to determine what will effectively get their email to your user inboxes. And their attempts at crafting a new style of lure may not always look the way we have trained ourselves to expect. Training users to recognize both high and low-imitation cases is critical to producing well-rounded, security-centric staff.
To stay on top of the latest phishing and malware threats, sign up for free Cofense™ Threat Alerts.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.