Security researchers are warning of a resurgence of prolific Trojan malware Trickbot, which had its infrastructure disrupted by a Microsoft-led coalition late last year.
Menlo Security said it had observed a new malicious spam campaign designed to trick North American users in the legal and insurance sectors into downloading the Trojan.
Whereas weaponized email attachments were a common feature of previous Trickbot campaigns, this one encourages users to click on a phishing link, which redirects them to a compromised server.
After sending users along a redirection chain, they’re finally presented with a web page warning them that they've been found guilty of an unspecified “traffic infringement.”
A large download button encourages them to click through to view the photos of their alleged ‘negligent driving.’
“Clicking on the ‘Download Photo Proof’ button, downloads a zip archive with a malicious JavaScript file to the endpoint,” Menlo Security explained.
“The embedded JavaScript is heavily obfuscated, which has been a TTP typical of the Trickbot malware. If the user opens the downloaded JavaScript file, an HTTP request is made to the C&C server to download the final malicious binary.”
The initial URL and the C&C used in the campaign are both tracked on threat feed URLHaus as being associated with Trickbot, the researchers claimed. Worse, many of the URLs used in the attack aren’t yet being detected on VirusTotal, it said.
There were high hopes after Microsoft and other security vendors used a US court order to disable any IP addresses being used to host the bot, and “block any effort by the Trickbot operators to purchase or lease additional servers.”
However, without arrests of those behind a malicious campaign it is very hard to stop them reb ..
Support the originator by clicking the read the rest link below.
