LTS Secure Warning: TrickBot Malware Being Distributed in New MalSpam Campaign Using Fake Emails From DoL

TrickBot, a highly sophisticated banking Trojan, is being delivery in a new malspam campaign. The campaign targets the email receivers with fake messages, pretending to be originating from the U.S. Department of Labor (DoL).The Family and Medical Leave Act (FMLA) is being used as a leverage here, which gives right to medical leave benefits to employees, as context around the COVID-19 situation, in order to distribute the malware.

 

Technical Details

The email contains an attached document called “Family and Medical Leave of Act 22.04.doc. Once the recipient opens the document, it asks them to enable the macros. When the file is closed, malicious scripts get executed, in order to download the malware from a designated domain decided by the attacker.

After the macros have been enabled, a file terop.bat is fetched & executed on the recipient machine. But things start going wrong from here, due to the attacker making use of cURL to fetch multiple files from a compromised domain. This step fails, due to the fact that cURL is not available by default on windows machine, causing the commands in the .bat file to fail.

This is causing researcher to assume that, attackers behind the campaign are still testing the deployment methods & procedures.

 

Impact

  • Collects user & system information.
  • Steal sensitive/confidential information like login credentials of banking sites, cookies, etc.
  • Spreads through company network, further infecting other devices.
  • Upload & executing payloads on the infected machines (Ransomware, Cryptominers, worms, etc.).

 

Recommended Actions

  • Never download any suspicious attachments or click on any shady-looking link. Take an effort to educate your users on how to identify a mail-spam.
  • Disable macros while using MS Office.
  • Always update your anti-virus software with the latest releases.
  • Periodically run “full system scan” on your endpoints.
  • Make proper security configuration for Firewall/IDS/IPS/Endpoint Protection systems so that no holes are left barred.
  • Isolate all of the compromised computers ASAP to prevent threats from spreading further inside your infrastructure.