Trickbot Watch: Arrival via Redirection URL in Spam

by Miguel Ang (Threats Analyst)


We discovered a variant of the Trickbot banking trojan (detected by Trend Micro as TrojanSpy.Win32.TRICKBOT.THDEAI) that uses a redirection URL in a spam email. In this particular case, the variant used Google to redirect from the URL hxxps://google[.]dm:443/url?q=, where the URL in the query string, url?q=, is the malicious URL that the user is redirected to. The redirection URL is a way to sidestep spam filters that might otherwise block Trickbot at the outset.
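A defensive sketch of the point above, added here and not taken from the original post: it unwraps Google `url?q=` redirect links found in a message body so that a filter can evaluate the final destination rather than the Google host. The host regex, the function names and the sample message (with a reserved `.test` destination) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Heuristic (assumption): host looks like google.<tld> or google.<sld>.<cc>, optional www.
GOOGLE_HOST = re.compile(r"^(?:www\.)?google\.[a-z]{2,3}(?:\.[a-z]{2})?$")
# Matches live and defanged (hxxp/hxxps) links in free text.
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s<>\"']+", re.IGNORECASE)

def refang(url):
    """Undo common defanging (hxxp, [.]) so the URL can be parsed."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")

def redirect_target(url):
    """Return the destination carried in url?q= of a Google redirect, else None."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if not GOOGLE_HOST.match(host) or parts.path != "/url":
        return None
    q = parse_qs(parts.query).get("q", [])  # parse_qs also percent-decodes the value
    if not q:
        return None
    dest = urlsplit(q[0])
    # Only report absolute http(s) destinations that leave the redirector host.
    if dest.scheme in ("http", "https") and dest.hostname and dest.hostname.lower() != host:
        return q[0]
    return None

def scan_body(body):
    """Return (link, final destination) pairs for every redirect link in a body."""
    hits = []
    for match in URL_RE.findall(body):
        link = match.rstrip(".,)>")  # drop trailing punctuation picked up from prose
        target = redirect_target(link)
        if target:
            hits.append((link, target))
    return hits

# Constructed sample message; the destination host is a reserved .test name.
SAMPLE = (
    "Your order is ready: "
    "hxxps://google[.]dm:443/url?q=https://downloads.example.test/order.html\n"
    "Help: https://www.google.com/search?q=order+status\n"
)

if __name__ == "__main__":
    for link, target in scan_body(SAMPLE):
        print(f"{link} -> {target}")
```

The returned destination is what should be passed to reputation or blocklist checks; the redirector host on its own will usually look benign.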


At first glance, the spam email could pass as legitimate, ..