Security Alert: New Spam Campaign Delivers Trickbot Payload, Spoofs Dropbox
Here’s how malicious actors try to compromise users’ machines
You may remember Trickbot, the financial Trojan that appeared in the past targeting many US banking companies, including big names like PayPal. The authors of Trickbot are persistent and continue to find new ways to harvest users’ valuable data. Recently, researchers discovered a spam email campaign in which malicious actors have resorted to spoofing Dropbox. Security researchers analyzed a new spam email campaign delivering the Trickbot malware that claims to come from the legitimate Dropbox website but actually comes from a look-alike site. The unwanted email is delivered with the following details (sanitized for your own protection):

From: Dropbox <no-reply@dropboxsec[.]com>
Subject line: A new document is available for download
Content:

Hello,
Your company administrator has uploaded a secure document for you or your company.
Your ID: [email address]
Your unique download key: 6M4V74YEVMDHGR
This string of letters and numbers is a unique ID for the document you received.
To view or print the document please click here [link to dropboxsec[.]com]
The document associated with this unique ID opens. You can now sign, download and save, print, and perform “More” actions on the document, depending on the permissions the sender has given you.
Please contact your administrator for more information.
Thanks,
– The Dropbox Team
How the infection happens
If a user is lured into clicking the malicious link, a specially crafted, harmful document is delivered via a URL that looks like this one (sanitized):

https[:]//dropboxsec[.]net/6M4V74YEVMDHGR.doc

If the macro code in the malicious Word document is enabled by an unsuspecting recipient, Trickbot is retrieved from one of the following URLs (sanitized for your own safety):

http[:]//techknowlogix[.]net/farestod.png
http[:]//pcstore.com[.]ve/farestod.png

This TrickBot variant is linked to the main bot with the group tag (gtag) “tt0002” and the version number 1000147. It comes with several modules, including configuration files in encrypted form. With the help of a COM server, it creates a scheduled task that re-launches the Trickbot payload from AppData\Roaming\%client_id% after the machine restarts. Trickbot calls the GetNativeSystemInfo API and checks the wProcessorArchitecture field of the returned structure to determine whether it is running in a 32-bit or 64-bit environment.

Here is how the configuration file lists the previously mentioned C&C servers. These servers are used by malicious actors to maintain communications with compromised systems:

<mcconf>
<ver>1000000</ver>
<gtag>tt0002</gtag>
<servs>[C&C:port]</servs>
<autorun>
<module name="systeminfo" ctl="GetSystemInfo"/>
</autorun>
</mcconf>

Heimdal Security proactively blocked these infected domains (and the malicious emails), so all Thor Foresight and Thor Enterprise users are protected. According to VirusTotal, only 17 of 56 antivirus products had detected this spam email campaign at the time of writing this security alert.
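As an added example that is not part of the original alert, the following Python script pulls the group tag, version, C&C list and autorun modules out of a decrypted mcconf configuration of the kind shown above, so the servers can be turned into blocklist entries during triage. It assumes each C&C entry sits in a <srv>host:port</srv> child of <servs>, which the alert's sample only shows as a placeholder; the sample config, the second module and the addresses are constructed.

```python
# Added example (not from the alert): extract triage fields from a decrypted
# TrickBot "mcconf" configuration. Assumes each C&C entry is a <srv>host:port</srv>
# child of <servs>; the alert only shows a "[C&C:port]" placeholder there.
import xml.etree.ElementTree as ET

# Constructed sample modelled on the config in the alert; server addresses
# are RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_MCCONF = """<mcconf>
<ver>1000000</ver>
<gtag>tt0002</gtag>
<servs><srv>192.0.2.10:443</srv><srv>198.51.100.7:449</srv><srv>broken</srv></servs>
<autorun><module name="systeminfo" ctl="GetSystemInfo"/><module name="injectDll"/></autorun>
</mcconf>"""


def parse_mcconf(xml_text):
    """Return gtag, version, C&C servers and autorun modules as a dict.
    Malformed <srv> entries go under 'malformed' instead of being dropped,
    so a triage report shows what was skipped."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "mcconf":
        raise ValueError("not an mcconf document: <%s>" % root.tag)
    servers, malformed = [], []
    for srv in root.iterfind("./servs/srv"):
        text = (srv.text or "").strip()
        host, sep, port = text.rpartition(":")
        if sep and host and port.isdigit() and 0 < int(port) < 65536:
            servers.append((host, int(port)))
        else:
            malformed.append(text)
    return {
        "gtag": (root.findtext("gtag") or "").strip(),
        "version": int(root.findtext("ver") or 0),
        "servers": servers,
        "malformed": malformed,
        # ctl is optional: the alert's sample shows it only on "systeminfo"
        "autorun": [(m.get("name"), m.get("ctl")) for m in root.iterfind("./autorun/module")],
    }


def blocklist_lines(config):
    """Render C&C entries as 'host:port' lines for a firewall or proxy blocklist."""
    return ["%s:%d" % entry for entry in config["servers"]]


if __name__ == "__main__":
    cfg = parse_mcconf(SAMPLE_MCCONF)
    print("gtag:", cfg["gtag"], "version:", cfg["version"])
    print("\n".join(blocklist_lines(cfg)))
```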
How to stay safe from banking trojans
Trickbot is known for its banking trojan features and the various ways used by cyber criminals to steal users’ personal information and harvest their sensitive data. We recommend you:
- Always keep your operating system, and all your apps and other software programs, updated, because unpatched flaws are the first thing malicious actors look to exploit.
- Once again, we urge you: don’t open suspicious emails or click on suspicious files/attachments.
- Keep a backup of all your important data on external sources like a hard drive or in the cloud (Google Drive, Dropbox, etc.). This guide shows you how to do it.
- Setting up a good, strong password is one of the best pieces of cybersecurity advice coming from security experts, and this security guide comes in handy.
- Try to run software programs with non-administrative user accounts and remember to disable macros in the Microsoft Office package.
- Make sure you have a reliable antivirus program installed on your PC to protect your valuable data from online threats.
- It is safer to add multiple layers of protection and use proactive cybersecurity software.
- Prevention is the best cure, so you should learn as much as possible about how to easily detect spam emails. These free educational resources might help you gain more knowledge of the cybersecurity landscape.