Hackers pushing the TrickBot banking trojan are exploiting tax season by pushing malicious Microsoft Excel spreadsheet documents via spam campaigns.
Researchers said that they discovered the malware in three different campaigns since Jan. 27, 2019. These campaigns target victims with emails pretending to be from large accounting, tax and payroll services firms – including ADP and Paychex. However, in reality the messages were carrying malicious Microsoft Excel attachments that eventually download and execute TrickBot trojan.
“Once TrickBot is installed on a potentially vulnerable device and can reach other devices on the network, it can further spread and pivot,” researchers with IBM X-Force warned in a Monday analysis. “Finding only one unaware person in an organization is usually enough for attackers to get their foot in the door.”
Once downloaded, TrickBot steals “as much data possible,” researchers said – including banking credentials and more.
“The average user will probably not notice any infections by TrickBot directly. Network admins, however, may eventually see changes in traffic or attempts to connect to blacklisted IPs and domains when the malware tries to connect to its command-and-control (C&C) servers,” researchers said.
The TrickBot financial malware was first identified in 2016. Several recent campaigns demonstrate its fast paced evolution by those behind its development. Researchers note the malware’s new code-injection techniques, updated info-stealing module and a customized redirection method.
Three Related Campaigns
Recent campaigns purport to be emails from Paychex and HR management and services firm ADP. In March, ADP alerted customers of phishing campaigns associated with its brand. However, researchers spotted spam campaigns pushing the same TrickBot malware extending as far back as Jan. 27, 2019, from an unnamed “large accounting firm.” A subsequent campaign spoofing ADP was spotted March 3, while yet another campaign spoofing Paychex was discovered March 7.
Researchers said that the mail styles, behavior of the malicious attachments and the construct of the subsequent malware URLs was the same for all campaigns, which is a “strong indicator” that the same actors were behind all three.
While the number and type of intended targets is difficult to assess, “the size of the spoofed firms suggests the criminals are likely to have some success in snagging individual users and businesses that are customers of these well-known companies,” researchers said. Furthermore, all email samples are written in English, building onto evidence that targets were U.S.-based, they said.
The bad actors behind the campaign used spoofed addresses in the “from” fields of the messages, via typosquatting, which slightly misspells an address so it looks like it comes from a real domain – but in reality the domain is fake.
The messages tout an attached tax or billing record, with subject lines including the words “tax” and often beginning with FW: or RE: to further trick the victims. As a further trick the messages also contained mimicked business signatures.
For instance, one email purporting to be from ADP was titled “FW: CASE #90ADP28TEFT – tax billing records.” The body of the message read: “Hi there, I have attached tax billing records for current period.”
The messages contained malicious Excel documents with an embedded macro. Once downloaded, the dropped files call a range of IP addresses for the payload, which eventually fetches and executes the TrickBot malware.
When victims’ systems are infected with the malware, “the cybercriminals operating it have complete control and can do just about anything they wish on your device, including spreading to other computers on your network and emptying your company’s bank accounts, potentially costing millions of dollars,” researchers said.
Researchers warn users should be wary of tax-related unsolicited emails. Beyond that, they can make sure macros are disabled by default in Office documents, block all URL and IP-based IoCs at firewalls and keep all critical and noncritical systems up to date and patched, researchers said.
Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.
A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.