Security Alert: New Variant of Trickbot Malware Returns, Spoofing the Banking Sector
Quote: Trickbot, the banking Trojan that’s been around for a while, seems to be persistent and makes its appearance once again.

Recently, security researchers discovered a new spam email campaign in which cybercriminals have decided to target the large banking company Lloyds Bank with a spoofing attack.

In this recent spam campaign, malicious actors lure victims into clicking on a malicious Word document (received via email) that pretends to come from the legitimate Lloyds Bank website, but is actually delivered from a look-alike site.

The unwanted email has the following details (sanitized for your own protection):

From: Lloyds Bank <secure@lloyds-se[.]com>

Subject line: Lloyds Bank Secure Exchange: New Message Received

Content:

< This is a Lloyds Bank secure, encrypted message.

Desktop Users:

Open the attachment (message_zdm.html) and follow the instructions.

Mobile Users:

Get the mobile application.

Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.

Email Security Powered by Voltage IBE™ >

Here’s what the fake email looks like:


[Image: Fake-Lloyds-Bank-mail.png]

How the infection works

If someone is convinced to click on the malicious attachment received, it downloads this: https://lloyds-dl[.]com/AccountDocuments[.]docx, and the user is actually redirected to download an RTF file that uses Microsoft Equation Editor vulnerabilities.

Attackers exploit the Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882) by trying to remotely control a victim’s computer from another server controlled by them. If the victim opens the malicious RTF file, it will run arbitrary code that launches an executable file from the remote server.

Then, it will download the Trickbot binary from here: http://rsaustria[.]com/soperos[.]bin, which is a renamed .exe file. The malicious actors use C:\Users\username\AppData\Roaming\freenet\ for the file, module & config locations, said the security researchers. More technical details can be found here.

Heimdal Security proactively blocked these malicious domains, so all Heimdal PRO and Heimdal CORP users are protected.

According to VirusTotal, only 13 antivirus products out of 60 had managed to detect this spam email campaign at the time of writing this security alert.

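As an added example (not part of the original alert and not Heimdal's own tooling), the following Python script turns the defanged indicators quoted in the post back into matchable hostnames and runs them over constructed mail-header, proxy and endpoint log lines, flagging the spoofed sender domain, the two download URLs and any file written under the AppData\Roaming\freenet persistence directory. The log lines, the workstation name and the file name soperos.exe under that directory are constructed assumptions for the demonstration; only the domains, URL paths and directory come from the alert.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the alert, kept defanged ("[.]") so they are not
# clickable; refang() converts them for matching.
DEFANGED_DOMAINS = [
    "lloyds-se[.]com",   # spoofed sender domain of the phishing mail
    "lloyds-dl[.]com",   # hosts AccountDocuments.docx
    "rsaustria[.]com",   # hosts soperos.bin (renamed Trickbot .exe)
]
# Payload paths named in the alert (compared case-insensitively)
SUSPICIOUS_PATHS = {"/accountdocuments.docx", "/soperos.bin"}
# Persistence directory named in the alert, as a lower-case Windows path fragment
PERSISTENCE_DIR = "\\appdata\\roaming\\freenet\\"

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
FROM_RE = re.compile(r"^From:.*?<([^>]+)>", re.IGNORECASE)


def refang(indicator):
    """Turn '[.]' (with optional surrounding spaces) back into '.' and normalise case."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator).strip().lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def domain_matches(host):
    """Return the IoC domain if host equals it or is a subdomain of it, else None."""
    host = (host or "").lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_line(line):
    """Return a list of human-readable findings for one log or header line."""
    hits = []
    m = FROM_RE.match(line.strip())
    if m:
        sender_domain = m.group(1).rsplit("@", 1)[-1]
        ioc = domain_matches(sender_domain)
        if ioc:
            hits.append("sender domain %s matches IoC %s" % (sender_domain, ioc))
    for url in URL_RE.findall(line):
        parsed = urlparse(url)
        ioc = domain_matches(parsed.hostname)
        if ioc:
            hits.append("URL host %s matches IoC %s" % (parsed.hostname, ioc))
        if parsed.path.lower() in SUSPICIOUS_PATHS:
            hits.append("URL path %s matches known payload name" % parsed.path)
    # Normalise slashes so an EDR that logs forward slashes is still caught
    if PERSISTENCE_DIR in line.lower().replace("/", "\\"):
        hits.append("file under AppData\\Roaming\\freenet (Trickbot persistence dir)")
    return hits


def scan(lines):
    """Map line index -> findings for every line that produced at least one hit."""
    findings = {}
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample lines: one mail header, three proxy entries, one endpoint
# file-creation event, and one benign request. Not taken from a real incident.
SAMPLE_LINES = [
    "From: Lloyds Bank <secure@lloyds-se.com>",
    "From: Alice <alice@example.org>",
    "2018-06-01T09:12:03Z 10.0.0.7 GET https://lloyds-dl.com/AccountDocuments.docx 200",
    "2018-06-01T09:12:41Z 10.0.0.7 GET http://rsaustria.com/soperos.bin 200",
    "2018-06-01T09:12:44Z WS07 file_create C:\\Users\\jsmith\\AppData\\Roaming\\freenet\\soperos.exe",
    "2018-06-01T09:13:00Z 10.0.0.7 GET https://secure.example.com/login 200",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LINES).items():
        print("line %d: %s" % (idx, SAMPLE_LINES[idx]))
        for h in hits:
            print("    -> " + h)
```

The subdomain check in domain_matches deliberately requires a leading dot, so a host such as rsaustria.com.example.net is not flagged; the defanged list can be extended with further indicators in the same "[.]" form without touching the matching code.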

