U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Malspam campaign bypasses secure email gateway using Google Docs

Attackers are using Google Docs to deliver the TrickBot banking Trojan to unsuspecting victims via camouflaged as PDF documents. Security experts at Cofense uncovered a malspam campaign the leverages Google Docs to deliver the TrickBot banking Trojan to unsuspecting victims via executables camouflaged as PDF documents. TrickBot is a popular banking Trojan that has been around […]

Google Docs malspam

Attackers are using Google Docs to deliver the TrickBot banking Trojan to unsuspecting victims via camouflaged as PDF documents.

Security experts at Cofense uncovered a malspam campaign the leverages Google Docs to deliver the TrickBot banking Trojan to unsuspecting victims via executables camouflaged as PDF documents.

TrickBot is a popular banking Trojan that has been around since October 2016, its authors has continuously upgraded it by implementing new features. For example, in February Trend Micro detected a variant that includes a new module used for Remote App Credential-Grabbing.

Initially, TrickBot only included banking Trojan capabilities, over the years the authors implemented new features such as the ability data-stealing functionalities and the capability to drop other payloads.

Recently researchers at Secureworks Counter Threat Unit (CTU) discovered a new TrickBot version that includes new dynamic webinjects in attacks aimed at U.S. mobile users.

“The Cofense Phishing Defense Center (PDC) has detected a phishing campaign that delivers Trickbot embedded in a Google Docs link.” reads the analysis published by Cofense. “The email attempts to lure curious users to click on the link: “Have you already received documentation I’ve directed you recently? I am sending them over again.” This is a legitimately generated email by Google Docs when a file is shared by one of its subscribers. Unknowingly, the recipient is directed to a document hosted on Google that contains a malicious URL.”

The Google Docs document shared with the targets containing a fake 404 error message and a link to the malicious payloads, by using this scheme the attackers successfully bypassed a  Proofpoint secure email gateway used by one of Cofense customers.

The spam messages include an “Open in Docs” button, once clicked the victims will be redirected to the Google Docs landing page containing the fake 404 error and are instructions to manually download the document.

Google Docs malspam

The victims download the malicious payload camouflaged as a PDF document (with a .pdf.exe extension), this is possible because default Windows setting hides extensions for known file types.

Once the payload is executed, it will copy itself (egолаСывЯыФЙ) to multiple folders and add a scheduled task to gain persistence. The task will launch one of its copies on system startup and every 11 minutes for the next 414 days. The banking Trojan will also inject itself into processes.

“This then hollows out Svchost, injects its malicious code, and launches it. It keeps launching more and more Svchost’s if you let it run. Each of these are typically responsible for a module of Trickbot.” continues the analysis.

Cofense report includes indicators of compromise (IOCs) for this malspam campaign.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Trickbot, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]