Trickbot also contains additional functionality that makes it highly effective as an information-stealing tool.
Traditionally, Trickbot tends to be downloaded by the Bartalex downloader trojan, which is itself dropped by a booby-trapped Microsoft Office document sent as an attachment to the lure. However, this campaign breaks with tradition by using links as an infection vector. The links abuse SendGrid, a popular email delivery platform, to improve the deliverability of the lure messages. Fortunately, SendGrid has been observed rapidly taking down and mitigating the detected malicious links.
Observed Information and Social Engineering
The current active campaign shares several social engineering tactics that implore a victim to fall for the lures:
- Lures using fear and curiosity prompt interaction with themes involving termination, meetings with lawyers, customer complaints, and payouts.
- The use of RE: in the subject line is meant to imply that it is a continuation of some previous conversation.
- The SendGrid infrastructure is used to leverage domain and link reputation. It is increasingly common to see mail delivery providers being abused for their reputation and obscuring of the link. This causes problems for users trained to examine a link before clicking since the click-tracking link used by SendGrid obscures the final destination. Further, the popularity of these services can condition users to no longer see these click-tracking services as a potential threat.
- The SendGrid links send the user to Google Docs which prompts the user to download a secure document. This continues the theme of abusing domain reputation and abuse of legitimate infrastructure.
- The end result is downloading an .exe file which, when detonated, attempts to install Trickbot.
Industries and Targets Observed
PhishLabs has observed multiple industries targeted by this attack. The attacker is leveraging some level of lure customization. This implies that targets were not chosen totally at random, but a focus on a particular organization or sector was not observed.
Handling Related Threats
Effectively defending against lures of this type requires effectively coaching end-users to PAUSE and ensure the email is, in fact, legitimate before interacting with it. While the social engineering tactics at play here are effective emotional triggers, a user who actually stops to consider the plausibility of the email will find that the lure does not actually make sense.
Training should focus on how to spot suspicious emails, how to report them through forwarding or a button, and why they should not click on suspicious links even with familiar domains.
The emails submitted by several of our clients contained three separate lures. Within the lures, the emails urge the victim to click a link to view a sensitive document, at which point they are prompted to download the Trickbot Banking Trojan.
Of note, the lures are being sent from unrelated domains, likely from compromised accounts. Of the examples shown, one comes from a car dealership and the other an educational institution. The excuse the threat actor provides to cover this piece of information is that they are an outsourced HR vendor.
Observed Subject Lines
The following subject lines have been observed so far. Within each, we have redacted the names of financial institutions whose customers are being targeted. Regardless of the variety in subject lines, the tactics and social engineering within the phishing lure email share the same characteristics (sensitive and important documentation).
- Re: Termination for Lorrie Onaga in [Redacted Organization Name]
- Re: Our meeting in [Redacted Organization Name] office
- RE: payout from [Redacted Organization Name] for [Redacted Individual Recipient]