The Google Docs online word processor is being used by attackers to disseminate TrickBot banking Trojan payloads to unsuspecting victims via executables camouflaged as PDF documents.
Phishing is a social engineering technique attackers use to trick their targets into handing over sensitive information, by redirecting them to fraudulent websites under their control, or to deliver malicious payloads via e-mails designed to look like they come from someone the target trusts.
The phishing messages in this malspam campaign are legitimate notifications generated by sharing a Google Docs document with the targets; the shared document contains a fake 404 error message and a link to the malicious payloads.
TrickBot payloads delivered via Google Docs
By using legitimate Google Docs document sharing emails and landing pages, the attackers successfully bypassed a secure email gateway designed to monitor emails and block such attacks in their tracks, as Cofense’s research team discovered.
The email attempts to lure curious users to click on the link: “Have you already received documentation I’ve directed you recently? I am sending them over again.” This is a legitimately generated email by Google Docs when a file is shared by one of its subscribers. Unknowingly, the recipient is directed to a document hosted on Google that contains a malicious URL.
To redirect the targets to the Google Docs landing page, the attackers have added an “Open in Docs” button within the phishing email. Once on the landing page, the targets see the fake 404 error and are asked to download the document manually.
Instead of the promised document, the victims download the malicious payload camouflaged as a PDF document by means of a .pdf.exe double extension, which takes advantage of the default Windows setting that hides extensions for known file types.
After being executed, the malware copies itself to multiple folders and gains persistence by adding a scheduled task that launches one of its copies on system startup and every 11 minutes for the next 414 days.
The banking Trojan will also inject itself into svchost processes and it will keep “launching more and more Svchost’s if you let it run. Each of these are typically responsible for a module of Trickbot,” as Cofense found.
The Cofense Phishing Defense Center provides indicators of compromise (IOCs) for this phishing campaign at the end of their write-up, including malware sample hashes, URLs and IP addresses used in the attacks.
Once the URL links to a file hosted on Google Drive, it downloads a Review_Rep.19.PDF.exe which has been disguised as a PDF file. Many recipients will not see the .exe file extension. It’s something that you need to specifically enable in Windows. So, to them it looks like a legitimate PDF file since the attacker uses the icon for a PDF.
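The double-extension trick described above can be checked for mechanically. The following is an added example (not code from the article or from Cofense) that models what Explorer displays with the default "hide extensions" setting and flags disguised executables in a list of downloaded file names; the extension lists are assumptions for the example.

```python
from pathlib import PureWindowsPath

# Assumed lists for this example: extensions Windows runs as code on double-click,
# and document/image types an attacker would want the victim to believe they are opening.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def displayed_name(filename: str, hide_known_ext: bool = True) -> str:
    """Name as Explorer shows it when 'Hide extensions for known file types' is on.

    Only the final (registered) extension is hidden, so 'Review_Rep.19.PDF.exe'
    is displayed as 'Review_Rep.19.PDF' and passes for a PDF.
    """
    p = PureWindowsPath(filename)
    if hide_known_ext and p.suffix.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return p.stem
    return p.name


def is_disguised_executable(filename: str) -> bool:
    """True when the real extension is executable but the one before it is a document type."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DOCUMENT_EXTS)


def flag_downloads(filenames):
    """Return (actual name, name the user sees) for every disguised executable in a listing."""
    return [(f, displayed_name(f)) for f in filenames if is_disguised_executable(f)]


if __name__ == "__main__":
    # Constructed sample download-folder listing; the first entry is the name from the campaign.
    sample = ["Review_Rep.19.PDF.exe", "Q3_invoice.docx", "setup.exe", "scan.jpg.scr"]
    for actual, shown in flag_downloads(sample):
        print(f"suspicious: shown as {shown!r}, actually {actual!r}")
```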
Frequently upgraded and highly active banking Trojan
TrickBot (also known as Trickster, TrickLoader, or TheTrick), the malicious payload distributed through this phishing campaign, is an ever-evolving banking Trojan that has been continuously upgraded with new modules and capabilities since it was discovered in October 2016.
While in the beginning it only exfiltrated as much sensitive data as possible to its operators, it has now also become a popular malware dropper capable of infecting compromised machines with other malware strains such as ransomware.
TrickBot is one of the most aggressive malware strains today, having replaced Emotet as the strain most actively distributed via malspam campaigns, with upgrades spotted by security researchers in new versions on an almost weekly basis.