{"id":6268,"date":"2021-04-28T09:52:51","date_gmt":"2021-04-28T16:52:51","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6268"},"modified":"2024-04-26T13:20:44","modified_gmt":"2024-04-26T20:20:44","slug":"post-takedown-trickbot-activity","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/post-takedown-trickbot-activity\/","title":{"rendered":"Post-Takedown Trickbot Activity"},"content":{"rendered":"

Author: Nathan Toporek<\/strong><\/h3>\n

TLP: WHITE<\/strong><\/h3>\n

 <\/p>\n

Overview<\/h3>\n

On 25 April, Infoblox observed a phishing campaign that used a DocuSign lure and a malicious file attachment to infect victims with the Trickbot banking trojan. Although Microsoft and other organizations disrupted the Trickbot botnet in October 2020,1<\/sup> multiple sources have seen activity from the botnet since then.2<\/sup><\/p>\n

We have published several reports on Trickbot, including a Malicious Activity Report (MAR)3<\/sup> and Cyber Campaign Briefs (CCBs).4<\/sup>,<\/sup>5<\/sup><\/p>\n

Customer Impact<\/h3>\n

Trickbot was first discovered in 2016 and has since grown in popularity.6<\/sup>,<\/sup>7<\/sup>,<\/sup>8<\/sup> Trickbot infects victims, steals sensitive financial information and exfiltrates it to its command and control (C&C) server. It can also move laterally within a network by brute-forcing Remote Desktop Protocol (RDP) credentials.<\/p>\n

Threat actors favor Trickbot due to its modular nature, which facilitates customization and provides attackers the capability to drop additional malware on infected systems.<\/p>\n

Campaign Analysis<\/h3>\n

In this campaign, threat actors sent emails with a subject line of “Please Docusign.” and a malicious Microsoft Excel Spreadsheet file attachment. Messages prompted the victim to open the file attachment to start the signing process.<\/p>\n

Attack Chain<\/h3>\n

When the victim opens the file attachment, it presents an image claiming the document is encrypted and that they must enable content to decrypt it. Notably, this image contains the McAfee logo, which may increase the likelihood that the victim will trust the document and enable malicious content.<\/p>\n

Once enabled, macros will download and run the Trickbot executable file, infecting the victim.<\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

This campaign relies on social engineering tactics to lure victims into opening a malicious file attachment and executing its macros. As such, Infoblox recommends taking the following precautions to reduce the likelihood of such an attack succeeding:<\/p>\n