
Trickbot, the banking Trojan that’s been around for a while, is proving persistent and has made its appearance once again. And once again, the banking sector is having its defences tested by these attacks.

Recently, security researchers discovered a new spam email campaign in which cybercriminals have decided to resort to spoofing Lloyds Bank. 

In this recent spam campaign, malicious actors lure victims into clicking on a malicious Word document (received via email) that pretends to come from the legitimate Lloyds Bank website, but is actually delivered from a look-alike site.

Please note that Lloyds Bank has not been hacked or had their systems compromised in any way that could affect their customers or partners. They were just a tempting target for malicious actors looking to extort money from financial institutions and get access to sensitive data.

The unwanted and fake email has the following details (sanitized for your own protection):

From: Lloyds Bank <secure @ lloyds-se [.] com>

Subject line: Lloyds Bank Secure Exchange: New Message Received

Content:

< This is a Lloyds Bank secure, encrypted message.

Desktop Users:

Open the attachment (message_zdm.html) and follow the instructions.

Mobile Users:

Get the mobile application.

Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.

Email Security Powered by Voltage IBE(tm) >

Here’s what the fake email looks like:

Source: MyOnlineSecurity.co.uk

How the infection works

If someone is convinced to click on the malicious attachment, it downloads this: https: // lloyds-dl [.]com /AccountDocuments [.] docx , and the user is actually redirected to download an RTF file that uses Microsoft Equation Editor vulnerabilities.

Attackers exploit the Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882) to try to remotely control a victim’s computer from a server they control. If the victim opens the malicious RTF file, it runs arbitrary code that launches an executable file from the remote server.
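A mail gateway or sandbox can catch this delivery pattern before the file is opened. The following is an added example, not code from the original alert or from the researchers: it flags a file named .docx whose content is RTF rather than a ZIP container, and an embedded object that names the legacy Equation Editor. The function names, finding codes and the harmless sample document are assumptions made for illustration, and obfuscated RTF would need a full parser.

```python
import re

ZIP_MAGIC = b"PK\x03\x04"       # a real .docx is a ZIP container
RTF_MAGIC = b"{\\rt"            # short prefix, so "{\rtf" and "{\rtf1" both hit
EQUATION_CLASS = b"equation.3"  # OLE class name of the legacy Equation Editor

def objdata_blobs(data):
    """Yield the hex-decoded payload of each \\objdata group in an RTF file."""
    for match in re.finditer(rb"\\objdata([^}]*)", data):
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", match.group(1))
        digits = digits[: len(digits) // 2 * 2]  # drop an odd trailing nibble
        yield bytes.fromhex(digits.decode("ascii"))

def triage(filename, data):
    """Return a sorted list of finding codes for one attachment or download."""
    findings = set()
    is_rtf = data.lstrip()[:4].lower() == RTF_MAGIC
    if filename.lower().endswith(".docx") and not data.startswith(ZIP_MAGIC):
        findings.add("docx-extension-but-rtf-content" if is_rtf
                     else "docx-extension-but-not-zip")
    if is_rtf and any(EQUATION_CLASS in blob.lower()
                      for blob in objdata_blobs(data)):
        findings.add("embedded-equation-editor-object")
    return sorted(findings)

def build_sample_rtf():
    """Constructed, harmless sample: an OLE1 header naming Equation.3, no payload."""
    ole_header = (b"\x01\x05\x00\x00\x02\x00\x00\x00"
                  b"\x0b\x00\x00\x00Equation.3\x00")
    hexdata = ole_header.hex().encode("ascii")
    # The hex stream is split across lines, as RTF writers commonly do.
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + hexdata[:20] + b"\r\n" + hexdata[20:] + b"}}}")

if __name__ == "__main__":
    print(triage("AccountDocuments.docx", build_sample_rtf()))
    print(triage("report.docx", ZIP_MAGIC + b"rest of a real docx"))
```

Either finding on its own is a reason to quarantine the file; together they match the delivery chain described above.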

Then, it will download the Trickbot binary from here: http : / /rsaustria [.] com/soperos [.] bin which is a renamed .exe file. The malicious actors use C:\Users\username\AppData\Roaming\freenet\ for the file, module & config locations, said the security researchers. More technical details can be found here.
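The domains and the install folder named in this alert can be used to sweep proxy logs and endpoint file events. The following is an added example, not part of the original alert: the indicators stay defanged in the source and are refanged only in memory, and the log format, sample lines, user name and file names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators as the alert prints them (defanged); refanged only in memory.
DEFANGED_DOMAINS = ["lloyds-se [.] com", "lloyds-dl [.]com", "rsaustria [.] com"]
DROP_DIR = "\\appdata\\roaming\\freenet\\"  # per-user folder named in the alert

def refang(indicator):
    """Turn 'host [.] tld' into 'host.tld' (lower-cased)."""
    return re.sub(r"\s+", "", indicator).replace("[.]", ".").lower()

BAD_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

def host_is_bad(host):
    """Exact or subdomain match, so a longer look-alike name does not hit."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)

def sweep(proxy_lines, file_events):
    """Return (kind, evidence) hits from proxy log lines and file paths."""
    hits = []
    for line in proxy_lines:
        urls = re.findall(r"https?://\S+", line)
        if any(host_is_bad(urlsplit(u).hostname or "") for u in urls):
            hits.append(("network", line))
    for path in file_events:
        if DROP_DIR in path.lower():
            hits.append(("host", path))
    return hits

# Constructed sample telemetry (hypothetical log format, hosts and users).
SAMPLE_PROXY = [
    "10.0.0.5 GET http://" + refang("rsaustria [.] com/soperos [.] bin") + " 200",
    "10.0.0.6 GET http://not" + refang("rsaustria [.] com") + "/index.html 200",
    "10.0.0.7 GET https://cdn." + refang("lloyds-dl [.]com") + "/a 200",
]
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\freenet\sample.exe",
    r"C:\Users\alice\AppData\Roaming\Mozilla\profiles.ini",
]

if __name__ == "__main__":
    for kind, evidence in sweep(SAMPLE_PROXY, SAMPLE_FILES):
        print(kind, evidence)
```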

Heimdal Security proactively blocked these malicious domains, so all Heimdal PRO and Heimdal CORP users are protected.

According to VirusTotal, only 13 antivirus products out of 60 had managed to detect this spam email campaign at the time of writing this security alert.

How to stay safe from Trickbot

Trickbot is known for its banking trojan features and for the various phishing techniques cybercriminals use to trick users into visiting websites where their valuable credentials can be stolen.

This is why we recommend the following:

  • Always keep your operating system, and all your apps and other software programs, updated, so you are not exposed to risk by using out-of-date software.
  • Once again, we urge you: Do NOT OPEN emails or click on suspicious files/attachments. Be very careful!
  • Keep a backup of all your important data on external sources like a hard drive or in the cloud (Google Drive, Dropbox, etc.). This guide shows you how to do it;
  • Setting up a good, strong password is one of the best pieces of cybersecurity advice from security experts, and this security guide is really useful;
  • Try to run software programs with non-administrative user accounts and disable macros in the Microsoft Office package;
  • Make sure you have a reliable antivirus program installed on your computer to detect threats;
  • It would be safer to add multiple layers of protection and use proactive cyber security software;
  • Prevention is the best cure, so learn as much as possible about how to easily detect spam emails. Check out these free educational resources and gain more knowledge in cybersecurity.