Security Alert: New Variant of Trickbot Malware Returns, Spoofing the Financial Sector
Here’s how malicious actors try to trick users into clicking on malicious file
Trickbot, the banking Trojan that’s been around for a while, seems to be persistent and makes its appearance once again. And again, the banking sector continues to have their defences tested by these attacks.
Recently, security researchers discovered a new spam email campaign in which cybercriminals have decided to resort to spoofing Lloyds Bank.
In this recent spam campaign, malicious actors lure victims into clicking on a malicious word document (received via email) that pretends to come from the legitime Lloyd Bank’s website, but actually being delivered from a look-a-like site.
Please note that Lloyds Bank has not been hacked or had their systems compromised in any way that could affect their customers or partners. They were just a tempting target for malicious actors looking to extort money from financial institutions and get access to sensitive data.
The unwanted and fake email has the following details (sanitized for your own protection):
From: Lloyds Bank <secure @ lloyds-se [.] com>
Subject line: Lloyds Bank Secure Exchange: New Message Received
< This is a Lloyds Bank secure, encrypted message.
Open the attachment (message_zdm.html) and follow the instructions.
Get the mobile application.
Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
Email Security Powered by Voltage IBE(tm) >
Here’s how the fake email looks like:
How the infection works
If someone is convinced to click on the malicious attachment received, it download this: https: // lloyds-dl [.]com /AccountDocuments [.] docx , and the user will actually be redirected to download an RTF file using Microsoft Equation Editor vulnerabilities.
Attackers exploit the Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882) by trying to remotely control a victim’s computer from another server controlled by them. If the victim opens the malicious RTF file, it will release an arbitrary code that launches an executable file from the remote server.
Then, it will download the Trickbot binary from here: http : / /rsaustria [.] com/soperos [.] bin which is a renamed .exe file. The malicious actors use C:\Users\username\AppData\Roaming\freenet\ for the file, module & config locations, said the security researchers. More technical details can be found here.
According to VirusTotal, only 13 antivirus products out of 60 have managed to detect this spam email campaign at the time we write this security alert.
How to stay safe from Trickbot
Trickbot is known for its banking trojan features and the various phishing techniques used by cybercriminals to trick users’ to visiting websites from where they can steal their valuable credentials.
This is why we recommend you to do:
- Always have your operating system, and all your apps and other software programs, updated and not being exposed to risk by using out to date software.
- Once again, we urge you: Do NOT OPEN emails or click on suspicious files/attachments. Be very careful!
- Keep a backup with all your important data on external sources like a hard drive or in the cloud (Google Drive, Dropbox, etc.). This guide shows you how to do it;
- Setting up a good, strong password is one of the best cybersecurity advice coming from security experts, and this security guide is really useful;
- Try to run software programs with non-administrative user accounts and disable macros in the Microsoft Office package;
- Make sure you have a reliable antivirus program installed on your computer to detect threats;
- It would be safer to add multiple layers of protection and use a proactive cyber security software;
- Prevention is the best cure, so learn as much as possible about how to easily detect spam emails. Check out these free educational resources and gain more knowledge in cybersecurity.