December 11, 2019 By David Bisson 2 min read

A phishing campaign is using payroll-themed emails to trick users into inadvertently infecting their machines with TrickBot.

At the beginning of November, Palo Alto Networks’ Unit 42 research team identified a phishing campaign sending out attack emails whose subject lines referred to payroll and annual bonuses. These emails didn’t arrive with an attachment. Instead, they included links to what appeared to be a Google Docs document. That file, in turn, contained links to malicious files hosted on Google Drive that acted as simple downloaders of TrickBot. Upon execution, the malware established persistence on the infected machine by creating a scheduled task that ran at user login.

As noted by Unit 42, this phishing campaign was unique in that malicious actors used SendGrid, a legitimate email delivery service (EDS), to send out the initial attack emails. They had also used SendGrid to conceal the malicious Google Drive links contained in the Google Docs document.

A Busy Year for TrickBot

TrickBot has certainly been up to some tricks this year. Back in April 2019, for instance, Cybereason observed attackers using the malware in tandem with the Emotet Trojan to deliver samples of the Ryuk ransomware family. That was just a few months before researchers at Deep Instinct discovered TrickBooster, a module that lets TrickBot harvest email credentials and contacts from its victims for the purpose of abusing their inboxes to send out malspam. In August 2019, IBM X-Force confirmed that it had come across a fileless version of TrickBot that did not save its typical modules and configurations to disk on infected Windows machines.

How to Defend Against Malicious Email Campaigns

Security professionals can help defend their organizations against phishing campaigns such as the one described above by using ahead-of-threat detection to monitor for suspicious domains before they become active in a malspam operation. Teams should also leverage artificial intelligence (AI)-powered solutions to help defend against TrickBot and other constantly evolving threats.

More from

ONCD releases request for information: Open-source software security

3 min read - Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the coding, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS31) aims to provide governance over open-source security processes.After the Log4Shell vulnerability, securing open-source software became a top priority for the federal government.…

How cyber criminals are compromising AI software supply chains

3 min read - With the adoption of artificial intelligence (AI) soaring across industries and use cases, preventing AI-driven software supply chain attacks has never been more important.Recent research by SentinelOne exposed a new ransomware actor, dubbed NullBulge, which targets software supply chains by weaponizing code in open-source repositories like Hugging Face and GitHub. The group, claiming to be a hacktivist organization motivated by an anti-AI cause, specifically targets these resources to poison data sets used in AI model training.No matter whether you use…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today