Trickbot is Targeting the Legal Sector
Researchers at Menlo Security warn of an ongoing Trickbot campaign targeting the legal and insurance industries. Trickbot is a notorious remote access Trojan that was in the crosshairs of separate operations by US Cyber Command and Microsoft late last year. While these operations crippled the malware’s botnet ahead of the US elections, they weren’t expected to deal the malware permanent damage. Menlo Security says this new campaign is a sign that Trickbot’s operators are back on their feet.
“This ongoing campaign that we identified exclusively targeted legal and insurance verticals in North America,” the researchers write. “The initial vector appears to be an email, which includes a link to a URL. While in the past Trickbot has used weaponized documents, the infection mechanism detailed in this campaign seems to be a new modus operandi used by this group.”
The attackers are using emails with a link to a phishing page that informs the user that they’ve committed a traffic violation (“negligent driving” in the example shared by the researchers). The page has a button for the user to “Download PHOTO PROOF,” and instructs the user to download their documentation. Clicking this button will download a zip archive that will result in the installation of Trickbot. Menlo Security notes that, “At the time of writing this blog, some of the URLs identified in this campaign have very little to no detection on [VirusTotal].”
“Where there’s a will, there’s a way,” the researchers conclude. “That proverb certainly holds true for the bad actors behind trickbot’s operations. While Microsoft and it’s partners’ actions were commendable and trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment.”
You may think that the crook’s screamer “PHOTO PROOF” would tip anyone off, sadly, it can work, especially on the unfamiliar. New-school security awareness training can help your employees recognize both familiar and novel forms of social engineering.