Google Docs Phishing Campaign Bypasses Email Security Solutions to Deliver TrickBot Trojan

A phishing campaign has been detected that uses Google Docs to bypass email security solutions and ensure the emails are delivered to end users’ inboxes.

The campaign was detected by security researchers at Cofense, who found the emails were bypassing Proofpoint’s email security gateway solution and were not identified as malicious.

The scammers use a legitimate Google account to send emails that link to a document on Google Docs. The email claims to include documentation that has previously been shared but is being resent as no response has been received. The emails include a button to click to view the document in Google Docs.

If a user clicks on the link, they are directed to a landing page where a fake 404 error message is displayed. The user is then given the option to download the document manually. A link to docs.google.com is supplied for the user to click to download the document.

The user will be expecting a Word document (.doc), but what appears to be a PDF file is downloaded. The file has a double extension and is actually an executable (.exe) file. On most Windows devices, the true extension is hidden as Windows does not display the extension of known file types. The user will see ‘filename.pdf’ instead of ‘filename.pdf.exe’.

The file has the typical PDF icon, so users are unlikely to notice that the file is not a PDF. The file will only appear as an executable if the user has configured Windows to display known file extensions. By default, known file extensions are hidden.

When the user opens the file, the TrickBot banking Trojan will be saved to the C:\ProgramData\ folder and the \AppData\Roaming\speedLan\ folder. The copy in the latter folder is launched by a scheduled task that is created on the infected device.

According to Cofense, the scheduled task checks every 11 minutes whether TrickBot is running in memory and, if not, relaunches the binary. The check is scheduled to repeat for the following 414 days.
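The persistence pattern described above (a binary in a user-writable folder relaunched by a short-interval, long-running scheduled task) can be hunted for in exported Task Scheduler XML. The following is an added example, not code from Cofense or this article; the thresholds, the sample XML, the user name and the `placeholder.exe` file name are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# User-writable locations; the article names both folders as drop locations.
USER_WRITABLE = re.compile(
    r"\\programdata\\|\\appdata\\roaming\\|%(appdata|programdata)%", re.IGNORECASE)
# ISO 8601 durations as used by Task Scheduler, e.g. PT11M or P414D.
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_minutes(text):
    """Convert a day/hour/minute/second duration to minutes, or None if unparsable."""
    m = DURATION.match((text or "").strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def suspicious_task(xml_text, max_interval_min=15, min_duration_days=30):
    """Return the reasons an exported task looks like a persistence watchdog."""
    root = ET.fromstring(xml_text)
    reasons = []
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        if USER_WRITABLE.search(cmd.text or ""):
            reasons.append(f"runs binary from user-writable path: {cmd.text}")
    for rep in root.findall(".//t:Triggers//t:Repetition", NS):
        interval = duration_minutes(rep.findtext("t:Interval", default="", namespaces=NS))
        length = duration_minutes(rep.findtext("t:Duration", default="", namespaces=NS))
        # A missing Duration means the repetition never ends, so treat it as long.
        if interval is not None and interval <= max_interval_min:
            if length is None or length >= min_duration_days * 1440:
                reasons.append(f"repeats every {interval:g} min for a long period")
    return reasons

def sample_task(command, interval, duration):
    """Constructed task export, trimmed to the elements examined above."""
    return (f'<Task xmlns="{NS["t"]}"><Triggers><TimeTrigger><Repetition>'
            f"<Interval>{interval}</Interval><Duration>{duration}</Duration>"
            f"</Repetition></TimeTrigger></Triggers><Actions><Exec>"
            f"<Command>{command}</Command></Exec></Actions></Task>")

# Constructed samples: one shaped like the task in the article, one benign updater.
WATCHDOG = sample_task(r"C:\Users\user\AppData\Roaming\speedLan\placeholder.exe",
                       "PT11M", "P414D")
BENIGN = sample_task(r"C:\Program Files\Vendor\updater.exe", "PT1H", "P1D")

if __name__ == "__main__":
    for name, xml_text in (("watchdog", WATCHDOG), ("benign", BENIGN)):
        print(name, suspicious_task(xml_text))
```

Either reason alone is common on healthy systems; a task that triggers both is the one worth triaging first.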

The Trojan is hidden in an svchost.exe process. A separate svchost.exe process is launched for each of the modules in the malware. This ensures that any user checking Task Manager will not see the Trojan running.

TrickBot has been around since 2016 and has become one of the most commonly used banking Trojans. The malware is capable of stealing banking credentials and other sensitive information and new modules are frequently added. TrickBot also serves as a downloader of other malware variants and has previously been used to deliver ransomware and other Trojans.

The malware is primarily delivered via phishing emails. The lures and techniques used to fool end users into installing the malware are constantly changing and new variants of the Trojan are released frequently to evade detection by security solutions.

Author: NetSec Editor