Trickbot variant using fake shipping info in the wild

A new Trickbot variant has appeared on Trend Micro’s radar that uses a URL redirect in a spam email as a tactic to sidestep spam filters set to block the malware.

The spam email is well-constructed and legitimate appearing with content that indicates a processed order is ready for shipping and includes a shipping number and additional details to convince the recipient to click on the link.

“In this particular case, the variant used Google to redirect from the URL hxxps://google[.]dm:443/url?q=<trickbot downloader>, whereby the URL in the query string, url?q=<url>, is the malicious URL that the user is redirected to,” Trend Micro wrote.

Once the link is clicked the victim is taken to a page that looks like an order review page. At this time a .zip file is downloaded containing Visual Basic Script, which is the Trickbot downloader. Once executed, Trickbot then goes to work.

In the past Trickbot has been seen with Excel files with malicious macros and paired with fake payment notifications purportedly from banks.

To avoid Trickbot Trend Micro recommends:

  • Be wary of telltale signs of spam such as suspicious sender addresses and glaring grammatical errors.
  • Refrain from opening email attachments from unverified sources.
  • Keep comprehensive logs of what happens within the network, which allows IT personnel to track suspicious activities like traffic from malicious URLs.
  • Monitor the network for potential threats, which can help an organization to identify malicious activities that traditional security solutions might not be able to detect.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.