Cyber Security Advisory on Trickbot


Published on : 11 July, 2018

Malware named Trickbot a variant of Dridex, distributed through email campaign is identified by AV vendor. Trickbot is mainly known as an information stealer and malware downloader. It is known to capture information from web browsers, such as cookies, and email credentials. It is detected by Talos on a new campaign that started on June 28, 2018.

The malicious email had the following characteristics:

Display name: "Sage Invoice"
From email address:
Originating IP address:
Subject Line: FW:Invoice
Attachment: Invoice.doc
“Hi there,
Payment not received.
King Regards,
Dorothy Fraser”

It displays the message when the word document is opened “Document created in earlier version of Microsoft Office Word” and prompts the user to enable macros. If macros are enabled by the user, a VBA macro starts a malicious powershell script. The first command attempts to disable monitoring. It then writes an executable to the following path:


The executable appears to be downloaded from one of the following two URLs:

It is recommended that security analysts check for any outbound connections to the IP addresses and as it would be trivial for the threat actors to replace the domains embedded in the word document.


  3. 3ac85313fd21ee48cd20576d116fb1961fd30f6aef692c50c6a041417be7da73
  5. f9bcc9b13c4138ae055d2c0f702b4ac4de46167c89d8f9b23aae6763d41f8262
  7. 96628e8aadd807d7c7a4d655caa7c9f66460ffa75191c742a1d8afad2dbefd52

Payload servers: