TrickBot Malware doubtful winner in COVID-19 Phishing Campaigns

Like in recent Trickbot campaigns, if allowed to run, the macro uses CHOICE.EXE to wait 20 seconds before downloading the info-stealing payload. Trickbot campaigns are known to delay malicious activities to evade emulation or sandbox analysis, the Microsoft Threat Intelligence states in a Twitter threat.

In a blog early April, Microsoft’s VP FOR Microsoft 365 Security Rob Lefferts already said that Microsoft observed no less than 76 threat variants to date globally using COVID-19 themed lures. He identified Trickbot and Emotet malware families to be  very active and rebranding their lures to take advantage of the outbreak.
 

TrickBot evolving and comined with other malware

January this year, well before the Corona Crisis, SentinelOne investigated the the TrickBot cybercrime enterprise. TrickBot actively develops many of its offensive tools such as “PowerTrick” that are leveraged for stealthiness, persistence, and reconnaissance inside infected high-value targets such as financial institutions. Many of their offensive tools remain undetected for the most part as they are used for a short period of time for targeted post-exploitation purposes such as lateral movement.

While TrickBot started out as a banking Trojan that can steal data, the malware has been updated to work as a downloader that delivers other malicious code, such as ransomware, databreach today mentioned last week. Security analysts have also observed other campaigns where TrickBot is combined with other malware, such as Emotet and Ryuk.  ‘Rather than building their own attack tools, many criminals are continuing to use cybercrime platforms and services to make it easier to earn an illicit paycheck. Some gangs are also combining tools in an attempt to earn even more’

Other articles:

Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets

Spearphishing with the WHO trademark