Palo Alto Networks' Unit 42 research team has recently observed a malicious campaign abusing Google Suite cloud services to deliver the TrickBot banking trojan to unsuspecting victims. The malicious payloads were distributed via phishing emails built around topics such as payroll and annual bonuses.
TrickBot (aka TrickLoader, Trickster, and TheTrick) is a modular information stealer first spotted in the wild in 2016. The trojan's modularity lets its operators add functions and capabilities by retrieving additional modules from the command and control (C2) servers, including a worming module (which copies the malware to other devices on the network), an email inbox parser, and network reconnaissance.
The observed campaign's phishing emails appeared to originate from individuals at .edu email addresses and were sent through the SendGrid cloud-based email delivery platform, in an attempt to bypass email filters and to obfuscate the links used throughout the infection chain.
"The body of the emails contained lure text consistent with the subject lines and links that utilized a SendGrid function called Click Tracking which sends a notification back to the sender of the email for tracking purposes," the researchers found.
The phishing emails included links pointing to a legitimate Google Docs document, which in turn contained a link to a file hosted on Google Drive. This file is a downloader whose sole purpose is to retrieve the TrickBot payload and execute it on the victim's machine.
Unit 42 identified two downloader variants, both signed by PERISMOUNT LIMITED and posing as Microsoft Word documents.
“Due to default settings in most Windows deployments of not displaying file extensions, these files will not appear as obvious executables to a victim,” the researchers wrote.
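The hidden-extension point above is something a practitioner can check for mechanically. The following is an added example, not code from Unit 42 or from the campaign: it models what Explorer displays when "Hide extensions for known file types" is on, and flags a file as a disguised executable either by its name (an executable extension hiding behind a document extension) or by its content (a PE "MZ" header under a non-executable extension, which catches a plain rename that the name check would miss). The file names and header bytes are constructed samples; the extension lists are illustrative and incomplete.

```python
import os

# Constructed sample files for the demonstration: (name on disk, first bytes).
# None of these are artifacts from the campaign; the header bytes are the
# standard magic values for a PE executable ("MZ"), an OOXML .docx ("PK") and
# a legacy OLE .doc (D0 CF 11 E0).
SAMPLES = {
    "Annual_Bonus.doc.exe": b"MZ\x90\x00\x03\x00\x00\x00",        # PE with a double extension
    "Payroll_2020.docx":    b"PK\x03\x04\x14\x00\x06\x00",        # genuine Word document
    "Statement.doc":        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # genuine legacy Word document
    "Report.docx":          b"MZ\x90\x00\x03\x00\x00\x00",        # PE renamed to a document extension
}

# Illustrative, not exhaustive, extension sets.
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
KNOWN_EXTS = DOC_EXTS | EXEC_EXTS


def displayed_name(name):
    """Name as Explorer shows it with 'Hide extensions for known file types' on:
    the last extension is dropped when Windows knows the type, so
    'Annual_Bonus.doc.exe' is shown as 'Annual_Bonus.doc'."""
    stem, ext = os.path.splitext(name)
    return stem if ext.lower() in KNOWN_EXTS else name


def classify(name, header):
    """Return the reasons a file looks like an executable disguised as a document
    (empty list when nothing is wrong). Two independent checks:
    1. name-based: an executable extension hidden behind a document extension;
    2. content-based: a PE header (MZ) under a non-executable extension."""
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()
    reasons = []
    if ext in EXEC_EXTS and inner_ext in DOC_EXTS:
        reasons.append("double extension; Explorer shows it as %r" % displayed_name(name))
    if header[:2] == b"MZ" and ext not in EXEC_EXTS:
        reasons.append("PE header (MZ) but non-executable extension %r" % ext)
    return reasons


def scan(samples):
    """Map each suspicious file name to its reasons; clean files are omitted."""
    return {n: r for n, r in ((n, classify(n, h)) for n, h in samples.items()) if r}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", "; ".join(reasons))
```

The content check is the one worth keeping: a lure file renamed to `Report.docx` passes the name check, but the first two bytes of a Windows executable are still `MZ`, and a mail gateway or endpoint agent that reads the header rather than trusting the extension catches it.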
Once executed, the downloaders display an "IMPORTANT" decoy pop-up asking the victim to update their Microsoft Word installation or to open the document on another computer. Notably, the victim's response makes no difference: whether they click "OK" or simply close the pop-up window, the file still proceeds to download and install the TrickBot payload.
Once launched, TrickBot spawns an svchost.exe process and loads itself into it via process hollowing, masquerading as the legitimate Windows service host to evade detection. It then collects basic system information and attempts to contact its C2 servers to retrieve additional modules.
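A hollowed svchost.exe keeps the legitimate image path, so a detection has to lean on context rather than on where the binary lives. The following is an added example, not Unit 42's code or anything from the campaign: it runs three heuristics over a process snapshot, checking that each svchost.exe has services.exe as its parent, is loaded from System32 or SysWOW64, and carries a `-k <service group>` argument on its command line. The snapshot is constructed; PID 3244 models the behaviour described above, a new svchost.exe whose parent is the downloaded executable. Windows process conventions have exceptions, so treat hits as leads to triage, not verdicts.

```python
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    cmdline: str


# Constructed process snapshot (not telemetry from the campaign). PID 3244 models
# the behaviour the article describes: a freshly spawned svchost.exe whose parent
# is the downloaded executable rather than services.exe.
SNAPSHOT = [
    Proc(4, 0, "System", "", ""),
    Proc(500, 4, "wininit.exe", r"C:\Windows\System32\wininit.exe", "wininit.exe"),
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe", "services.exe"),
    Proc(812, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),
    Proc(2900, 2800, "explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(3120, 2900, "Annual_Bonus.doc.exe", r"C:\Users\alice\Downloads\Annual_Bonus.doc.exe",
         "Annual_Bonus.doc.exe"),
    Proc(3244, 3120, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe"),
]

# Directories a genuine svchost.exe image is loaded from (lower-cased for comparison).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def suspicious_svchost(snapshot):
    """Return [(pid, [reasons])] for svchost.exe processes that break the usual
    conventions: parent is services.exe, image lives in System32/SysWOW64, and
    the command line names a service group with -k. Heuristics only. A hollowed
    svchost keeps the legitimate image path, so the parent and command-line
    checks carry the detection; the path check catches a dropped look-alike."""
    by_pid = {p.pid: p for p in snapshot}
    findings = []
    for p in snapshot:
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        parent = by_pid.get(p.ppid)
        if parent is None or parent.name.lower() != "services.exe":
            reasons.append("parent is %s, not services.exe" % (parent.name if parent else "unknown"))
        if not p.path.lower().startswith(SYSTEM_DIRS):
            reasons.append("image path outside System32/SysWOW64: %s" % p.path)
        if " -k " not in " %s " % p.cmdline.lower():
            reasons.append("no -k service group on the command line")
        if reasons:
            findings.append((p.pid, reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in suspicious_svchost(SNAPSHOT):
        print("PID %d: %s" % (pid, "; ".join(reasons)))
```

On the constructed snapshot the genuine service host (PID 812) is clean, while PID 3244 trips two of the three checks even though its image path is the real `C:\Windows\System32\svchost.exe`, which is exactly why a path-only rule would miss process hollowing.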
“In this campaign, due to the abuse of legitimate cloud services, the detection and prevention of the initial delivery may have been more challenging than if the adversaries had used their own infrastructure. However, having a policy, such as preventing unknown executable files from being downloaded or executed on the endpoint, may help prevent these attacks from succeeding against businesses,” Unit 42 concluded.