Trickbot Trojan Back from the Dead in New Campaign

Security researchers are warning of a resurgence of prolific Trojan malware Trickbot, which had its infrastructure disrupted by a Microsoft-led coalition late last year.

Menlo Security said it had observed a new malicious spam campaign designed to trick North American users in the legal and insurance sectors into downloading the Trojan.

Whereas weaponized email attachments were a common feature of previous Trickbot campaigns, this one encourages users to click on a phishing link, which redirects them to a compromised server.

After sending users along a redirection chain, they’re finally presented with a web page warning them that they've been found guilty of an unspecified “traffic infringement.”

A large download button encourages them to click through to view the photos of their alleged  ‘negligent driving.’

“Clicking on the ‘Download Photo Proof’ button, downloads a zip archive with a malicious JavaScript file to the endpoint,” Menlo Security explained.

“The embedded JavaScript is heavily obfuscated, which has been a TTP typical of the Trickbot malware. If the user opens the downloaded JavaScript file, an HTTP request is made to the C&C server to download the final malicious binary.”

The initial URL and the C&C used in the campaign are both tracked on threat feed URLHaus as being associated with Trickbot, the researchers claimed. Worse, many of the URLs used in the attack aren’t yet being detected on VirusTotal, it said.

There were high hopes after Microsoft and other security vendors used a US court order to disable any IP addresses being used to host the bot, and “block any effort by the Trickbot operators to purchase or lease additional servers.”

However, without arrests of those behind a malicious campaign it is very hard to stop them rebuilding bot infrastructure elsewhere. It remains to be seen whether a similar law enforcement attempt to disrupt Emotet recently will be more successful.

“Where there’s a will, there’s a way. That proverb certainly holds true for the bad actors behind Trickbot’s operations,” concluded Menlo Security.

“While Microsoft and its partners’ actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment.”

What’s Hot on Infosecurity Magazine?