Malspam campaign bypasses secure email gateway using Google Docs

Attackers are using Google Docs to deliver the TrickBot banking Trojan to unsuspecting victims via camouflaged as PDF documents.

Security experts at Cofense uncovered a malspam campaign the leverages Google Docs to deliver the TrickBot banking Trojan to unsuspecting victims via executables camouflaged as PDF documents.

TrickBot is a popular banking Trojan that has been around since October 2016, its authors has continuously upgraded it by implementing new features. For example, in February Trend Micro detected a variant that includes a new module used for Remote App Credential-Grabbing.

Initially, TrickBot only included banking Trojan capabilities, over the years the authors implemented new features such as the ability data-stealing functionalities and the capability to drop other payloads.

Recently researchers at Secureworks Counter Threat Unit (CTU) discovered a new TrickBot version that includes new dynamic webinjects in attacks aimed at U.S. mobile users.

“The Cofense Phishing Defense Center (PDC) has detected a phishing campaign that delivers Trickbot embedded in a Google Docs link.” reads the analysis published by Cofense. “The email attempts to lure curious users to click on the link: “Have you already received documentation I’ve directed you recently? I am sending them over again.” This is a legitimately generated email by Google Docs when a file is shared by one of its subscribers. Unknowingly, the recipient is directed to a document hosted on Google that contains a malicious URL.”

The Google Docs document shared with the targets containing a fake 404 error message and a link to the malicious payloads, by using this scheme the attackers successfully bypassed a  Proofpoint secure email gateway used by one of Cofense customers.

The spam messages include an “Open in Docs” button, once clicked the victims will be redirected to the Google Docs landing page containing the fake 404 error and are instructions to manually download the document.

The victims download the malicious payload camouflaged as a PDF document (with a .pdf.exe extension), this is possible because default Windows setting hides extensions for known file types.

Once the payload is executed, it will copy itself (egолаСывЯыФЙ) to multiple folders and add a scheduled task to gain persistence. The task will launch one of its copies on system startup and every 11 minutes for the next 414 days. The banking Trojan will also inject itself into processes.

“This then hollows out Svchost, injects its malicious code, and launches it. It keeps launching more and more Svchost’s if you let it run. Each of these are typically responsible for a module of Trickbot.” continues the analysis.

Cofense report includes indicators of compromise (IOCs) for this malspam campaign.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Trickbot, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]