New Trickbot Variant Uses URL Redirection to Spread

New Trickbot Variant Uses URL Redirection to Spread
Switch in tactic is the latest attempt by operators of the prolific banking Trojan to slip past detection mechanisms.

The authors of the Trickbot banking Trojan have once again begun using URL redirection instead of malicious email attachments to spread their malware. It is the latest example of how cybercriminals constantly evolve — and sometimes recycle — their tactics to stay ahead of defenders.


Security researchers from Trend Micro on Monday said they had recently discovered a new variant of Trickbot arriving via redirection URL in a spam mail message. The URL appears to point toward a Google domain but instead redirects users who click on it to a site that downloads Trickbot on the user's system.


The content of the spam email purports to be about a processed order that is ready for shipping, Trend Micro said. The email contains what appears to be a tracking number for the package, standard delivery disclaimers, contact details of the purported sender, and even social media icons for lending additional authenticity to the email.


If a user gets tricked into clicking on the embedded URL in the email, the user is routed to a Trickbot download site that is designed to appear like a Web page for reviewing online orders.


The site downloads a compressed file that contains a Visual Basic Script for downloading Trickbot. Once the malware is executed on the system, it quickly deploys additional modules for various tasks, such as stealing browser data, injecting malicious code into browsers for monitoring online banking activity, searching through files on the infected machine, and profiling the network.


"Utilizing a URL redirection from a known domain is a tactic used by other bad actors to fool unsuspecting victims into thinking the embedded URL with ..