Spam Domains Imitating Popular Banks Spreading Trickbot Banking Trojan

Researchers at My Online Security and the SANS Internet Storm Center have analyzed spam campaigns utilizing plausible imitations of legitimate banking domains to spread the Trickbot banking malware.

Santander Bank customers should be aware of an effective spam campaign spreading the Trickbot banking Trojan that is coming from domains similar to those used by the financial institution.

Researchers at My Online Security and the SANS Institute’s Internet Storm Center say that Santander is not the only bank domain being leveraged, and call the malicious domains “extremely plausible imitations.”

A sample of the phony domains sending Trickbot includes:,,,,,,, and

All of the domains, the researchers say, were registered with GoDaddy. Some of them are down, but it’s unknown if GoDaddy took action.

“Almost all of these domains were registered through GoDaddy using various names or privacy services,” said Brad Duncan, a SANS ISC handler. “And these domains were implemented on servers using full email authentication and HTTPS.  Many recipients could easily be tricked into opening the associated attachments.”

One of the messages purporting to be from Santander arrives with a subject line “You have a Santander Secure Email,” and an attachement called “SecureDoc.html,” My Online Security said. The attachments are also sometimes Office documents that require the enablement of macros in order to view the content. The macro instead downloads Trickbot. The HTML files are a twist seen only in the last week, and they download Office documents from the attacker’s server using HTTPS to avoid scanning, Duncan said.

“HTML attachments to download Office documents, eh?  It’s not a new trick,” Duncan said. “But using this method, poorly managed Windows hosts (or Windows computers using a default configuration) are susceptible to infection.”

Trickbot is generally considered the successor to the Dyre (or Dyreza) banking malware. Recently, IBM’s X-Force research team along with researchers from Flashpoint spotted spam messages spreading Trickbot through the Necurs botnet. A customized redirection method was introduced in recent versions; Trickbot is known for carrying out man-in-the-browser attacks, using webinjects tailored for a number of banking institutions in an attempt to steal log-in credentials. Newer versions of Trickbot included webinjects for U.S.-based banks.

“They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment,” My Online Security said. “A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.” Researchers added that victims who prefer to bank via mobile phones or tablets are especially at risk given they often only see the a sender’s name in the form rather than the complete domain address.

One sample analyzed by the SANS ISC was disguised as coming from Santander and contained an HTML attachment that downloaded a Word document from the same server that sent the email. The Word document contains an image of a phony Santander login page with instructions on what to do if the victim cannot log in, which includes the enablement of macros through the “Enable Content” button.

Duncan said the Word document he analyzed makes an HTTP request to centromiosalud[.]es and a PNG image that is actually a Windows executable. Sometimes the malware is downloaded from the same domain, or cfigueras[.]com.

“A scheduled task was implemented to keep the malware persistent,” Duncan said. “The persistent malware was located in a folder named winapp under the user’s AppData\Roaming directory.”

SANS ISC published a number of indicators of compromise, while My Online Security urges users, especially those running older versions of Office to be wary of these emails, and to under no circumstances “Enable content,” or “Enable macros” in order to view content.

Suggested articles