by Noel Anthony Llimos and Michael Jhon Ofiaza (Threats Analysts)
We have been tracking Trickbot banking trojan activity and recently discovered a variant of the malware (detected by Trend Micro as TrojanSpy.Win32.TRICKBOT.TIGOCDC) from distributed spam emails that contain a Microsoft Word document with enabled macro. Once the document is clicked, it drops a heavily obfuscated JS file (JavaScript) that downloads Trickbot as its payload. This malware also checks for the number of running processes in the affected machine; if it detects that it’s in an environment with limited processes, the malware will not proceed with its routine as it assumes that it is running in a virtual environment.
Aside from its information theft capabilities, it also deletes files located in removable and network drives that have particular extensions, after which the files are replaced with a copy of the malware. Based on our telemetry, this Trickbot campaign has affected the United States the most. It has also distributed spam to China, Canada, and India.
Figure 1. Infection chain
In a sample email, the spam purports to be a subscription notification involving advertising providers, even telling the user that it submitted an application for a three-year subscription and settled a sum of money with the sender. The mail then explains that several more fees will be charged to the user’s card in the coming transactions. It ends by prompting the user to see the attached document for all the settlement and subscription information. The document in q ..
Support the originator by clicking the read the rest link below.
