A new Trickbot variant has appeared on Trend Micro’s radar that uses a URL redirect in a spam email as a tactic to sidestep spam filters set to block the malware.

The spam email is well-constructed and legitimate-appearing, with content indicating that a processed order is ready for shipping; it includes a shipping number and additional details to convince the recipient to click on the link.

“In this particular case, the variant used Google to redirect from the URL hxxps://google[.]dm:443/url?q=, whereby the URL in the query string, url?q=, is the malicious URL that the user is redirected to,” Trend Micro wrote.

Once the link is clicked, the victim is taken to a page that looks like an order review page. At this point a .zip file is downloaded containing a Visual Basic Script, which is the Trickbot downloader. Once executed, Trickbot then goes to work.

In the past Trickbot has been seen distributed via Excel files with malicious macros and paired with fake payment notifications purportedly from banks.

To avoid Trickbot, Trend Micro recommends:

  • Be wary of telltale signs of spam such as suspicious sender addresses and glaring grammatical errors.
  • Refrain from opening email attachments from unverified sources.
  • Keep comprehensive logs of what happens within the network, which allows IT personnel to track suspicious activities like traffic from malicious URLs.
  • Monitor the network for potential threats, which can help an organization to identify malicious activities that traditional security solutions might not be able to detect.