
TrickBot Spear-Phishing Campaign Deploys Malware for Remote Access

Area 1 Security observed a widespread spear-phishing campaign tied to the notorious TrickBot actors, used to deploy two stealthy malware variants and gain remote access to the victim’s network.

Area 1 Security detected a widespread spear-phishing campaign tied to the notorious TrickBot threat actors, which is targeting victims with fake termination emails in an effort to deploy malware payloads and gain remote access for further nefarious activities.

The phishing attacks leverage a range of lures threatening users with job termination, apparently designed to intimidate workforce members into clicking a malicious URL contained in the emails.

The campaign messages are simply written and disguised as emails sent from a person of authority within the targeted company, meant to elicit fear from employees through either termination letters or customer complaints. 

The supposed termination-related documents are delivered via a malicious URL that, when clicked by the victim, directs the user to a Google Doc or Constant Contact. Researchers explained that by using a URL instead of an attached file, an attacker can bypass file scanning detections employed by email and security platforms.

The attackers are also commonly using cloud-based hosting services designed to circumvent URL scanning tactics, as well as to easily create new malicious links if their URLs are identified as phishing attacks.

“The Google Docs or Constant Contact link in the phishing email leads to a decoy preview page that prompts the victim to open a list of terminated employees,” researchers explained. “The decoy also cleverly displays the often seen ‘If download does not start, click here’. This link is where the malware is actually being hosted.”

After a successful compromise, the attacker can use the downloaded backdoor to remotely execute commands, exfiltrate sensitive information and deploy further malicious payloads, such as a post-exploitation framework like Cobalt Strike or ransomware like the Ryuk variant.

Researchers noted that in one instance of a Bazar infection, the attackers exploited a known vulnerability to escalate privileges and deploy a domain-wide ransomware attack, just five hours after the initial phishing message was sent.

Worryingly, this is just one of many harmful outcomes that could result from the latest TrickBot phishing campaign.

Further, Area 1 noted that given the rise in remote work amid the COVID-19 crisis, the attack may appear more believable to employees.

“Targets of this campaign could potentially believe that the post-COVID shake up in their organizations is the reason they’re being let go,” researchers explained. “With many businesses closing down unusable office space, combined with an economic recession, there is enough plausibility for this wide-ranging phishing attack to fool employees into believing that their position may be part of the now all-too-common budget cuts.”

“With these Trickbot operations, threat actors have a litany of unique and ever-changing email accounts and IP addresses to execute their attacks,” they continued. “Despite... efforts to neutralize Trickbot controllers, the infrastructure used to support this particular campaign (if associated in any way) was hardly affected, and the attacker seems to have promptly resumed operations.”

TrickBot began as a banking trojan and has previously been connected to the Ryuk ransomware variant -- a leading threat actor targeting the healthcare sector. In recent hacking efforts, TrickBot has been used to spread ransomware, which US Cyber Command and Microsoft attempted to disrupt in October.

Microsoft successfully took down 62 of the 69 global Trickbot servers; the remaining seven were unorthodox IoT devices. But security leaders warned those efforts would likely only stymie TrickBot controllers for a short period of time, as the threat actors leverage a decentralized infrastructure.

Shortly after these efforts, Area 1 Security detected the latest phishing campaign, which is designed to deploy Bazar and Buer payloads. These are newer, stealthier malware variants that can be used to deploy further malware attacks, including ransomware.

Further, there’s evidence that the malware leveraged in the campaign halts execution if the victim is located in Russia, a common TrickBot tactic.

To prevent falling victim to this campaign, researchers stressed that use of machine learning or advanced algorithms could assist in detecting the tactics leveraged in these attacks and block the messages from reaching the inbox.

Advanced phishing attacks require organizations to adopt a preemptive security approach, rather than a post-delivery retraction to prevent the user from being exposed to the attack. 

Employees should be reminded to be on alert for messages they did not expect, to be cautious when opening email links or attachments, and to forward suspicious emails to security leaders so their authenticity can be verified.

“The threat actors behind this campaign leveraged a number of sophisticated techniques to easily evade legacy vendors and cloud email providers,” researchers concluded. “Linking to legitimate, cloud-based sites within the phishing messages, combined with the use of takedown- and sinkhole-resistant EmerDNS TLDs, makes this a particularly difficult campaign for standard defenses to detect.”
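As an added illustration (not code from Area 1 Security's report), a simple mail-triage check for the lure features the article describes: termination or complaint wording, a link to a cloud document host, and a link under an EmerDNS TLD. The sample message, the host list and the TLD list are constructed assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above (not a real message).
SAMPLE_EMAIL = """From: HR Director <hr-director@example.com>
Subject: Notice of termination - please review

Please review the list of terminated employees here:
https://docs.google.com/document/d/EXAMPLE-ID/preview
If download does not start, click here: http://update-docs.bazar/download
"""

# Assumed keyword and host lists; a real deployment would tune these.
LURE_TERMS = ("terminat", "let go", "customer complaint", "budget cut")
CLOUD_DOC_HOSTS = ("docs.google.com", "drive.google.com", "constantcontact.com")
# EmerDNS (blockchain-based) TLDs that ordinary ICANN resolvers do not serve.
EMERDNS_TLDS = ("bazar", "coin", "emc", "lib")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return every http(s) URL found in the message text."""
    return URL_RE.findall(text)


def score_email(text):
    """Return a list of human-readable findings for the triage analyst."""
    findings = []
    lower = text.lower()
    if any(term in lower for term in LURE_TERMS):
        findings.append("termination/complaint lure wording")
    for url in extract_urls(text):
        host = (urlparse(url).hostname or "").lower()
        tld = host.rsplit(".", 1)[-1] if "." in host else ""
        # Legitimate cloud document hosts used as a decoy landing page.
        if any(host == h or host.endswith("." + h) for h in CLOUD_DOC_HOSTS):
            findings.append(f"cloud document link: {host}")
        # Payload hosted under a takedown-resistant EmerDNS TLD.
        if tld in EMERDNS_TLDS:
            findings.append(f"EmerDNS TLD link: {host}")
    return findings


if __name__ == "__main__":
    for finding in score_email(SAMPLE_EMAIL):
        print(finding)
```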
