Published on: 11 July, 2018
An AV vendor has identified Trickbot, a variant of Dridex, being distributed through an email campaign.
Trickbot is mainly known as an information stealer and malware downloader. It is known to capture information
from web browsers, such as cookies, and email credentials. Talos detected it in a new campaign that started on June 28, 2018.
The malicious email had the following characteristics:
Display name: "Sage Invoice"
From email address: Dorothy.Fraser@sageinvoice.co.uk
Originating IP address: 185.90.136.55
Subject Line: FW:Invoice
Attachment: Invoice.doc
Body:
“Hi there,
Payment not received.
King Regards,
Dorothy Fraser”
When the Word document is opened, it displays the message
“Document created in earlier version of Microsoft Office Word”
and prompts the user to enable macros. If the user enables macros,
a VBA macro launches a malicious PowerShell script.
The script's first command attempts to disable monitoring.
It then writes an executable to the following path:
\Users\($User_name)\AppData\Local\Temp\tcveamlcr.exe
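The chain described above (Word opens, a macro spawns PowerShell, PowerShell writes an executable under the user's Local\Temp folder) is what a defender would look for in endpoint telemetry. The following is an added example, not code from the advisory or from Talos: it walks Sysmon-style process-create and file-create events and flags an Office application spawning a script host that then drops an .exe into Local\Temp. The event layout, the user name "alice" and the benign events are constructed for illustration.

```python
import re

# Image names on each side of the suspicious parent/child relationship.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# An .exe written directly under \Users\<name>\AppData\Local\Temp, as in the advisory's path.
TEMP_EXE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_macro_dropper(events):
    """Walk chronological events and flag the Office -> script host -> Temp\\*.exe chain.

    events: dicts with "id" 1 (process create: pid, ppid, image, parent_image)
    or "id" 11 (file create: pid, target), shaped like Sysmon events (assumed layout).
    Returns a list of alert dicts; an empty list means nothing matched.
    """
    hosts = {}    # pid of a script host spawned by an Office app -> parent image name
    alerts = []
    for ev in events:
        if ev["id"] == 1 and basename(ev["parent_image"]) in OFFICE_APPS \
                and basename(ev["image"]) in SCRIPT_HOSTS:
            hosts[ev["pid"]] = basename(ev["parent_image"])
            alerts.append({"stage": "office_spawned_script_host", "pid": ev["pid"],
                           "parent": hosts[ev["pid"]], "child": basename(ev["image"])})
        elif ev["id"] == 11 and ev["pid"] in hosts and TEMP_EXE.search(ev["target"]):
            alerts.append({"stage": "script_host_dropped_exe", "pid": ev["pid"],
                           "parent": hosts[ev["pid"]], "path": ev["target"]})
    return alerts

# Constructed sample log (not captured from the real campaign), in time order.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 3380, "image": WINWORD, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 11, "pid": 4120, "target": r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"},   # benign Word temp file
    {"id": 1, "pid": 5004, "ppid": 4120, "image": PS, "parent_image": WINWORD},              # macro launches PowerShell
    {"id": 11, "pid": 5004, "target": r"C:\Users\alice\AppData\Local\Temp\tcveamlcr.exe"},  # dropped payload
    {"id": 1, "pid": 6100, "ppid": 3380, "image": PS, "parent_image": r"C:\Windows\explorer.exe"},  # user's own shell
    {"id": 11, "pid": 6100, "target": r"C:\Users\alice\AppData\Local\Temp\report.exe"},     # not Office-spawned, ignored
]

if __name__ == "__main__":
    for alert in detect_macro_dropper(SAMPLE_EVENTS):
        print(alert)
```

Only the PowerShell process whose parent is WINWORD.EXE is tracked, so the interactive shell that writes report.exe produces no alert, while the macro-spawned one produces two (the spawn and the drop).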
The executable appears to be downloaded from one of the following two URLs: