Published on : 11 July, 2018
Malware named Trickbot a variant of Dridex, distributed through email campaign is identified by AV vendor. Trickbot is mainly known as an information stealer and malware downloader. It is known to capture information from web browsers, such as cookies, and email credentials. It is detected by Talos on a new campaign that started on June 28, 2018.
The malicious email had the following characteristics:
Display name: "Sage Invoice"
From email address: Dorothy.Fraser@sageinvoice.co.uk
Originating IP address: 18.104.22.168
Subject Line: FW:Invoice
Payment not received.
It displays the message when the word document is opened “Document created in earlier version of Microsoft Office Word” and prompts the user to enable macros. If macros are enabled by the user, a VBA macro starts a malicious powershell script. The first command attempts to disable monitoring. It then writes an executable to the following path:
The executable appears to be downloaded from one of the following two URLs: