The Trickbot Trojan is being distributed via a new fake Office 365 phishing website. The website is virtually identical to official Microsoft Office 365 site, complete with a realistic looking URL – get-office365[.]live. Nothing appears untoward on the site. Even all the URLs point to webpages on Microsoft domains.
However, a few seconds after landing on the site a popup warning will appear from either the Chrome Update Center or the Firefox Update Center.
The popups warn that the user’s browser is out of date and an update is necessary to prevent browsing errors, loss of personal data, and incorrect site mapping. If the user clicks on update, a malicious executable named upd365_58v01.exe will be downloaded, which will install the Trickbot Trojan.
Trickbot is likely to be installed undetected. Trickbot inserts itself into a svchost.exe process, so even if the user opens Task Manager, they will not see the malicious process running.
Once installed, Trickbot establishes a connection with its C2 server and begins sending information about the victim’s computer and running services. Trickbot also launches a password grabbing module, which will search for all stored passwords on the device and will also exfiltrate the browsing history and autofill form information.
The campaign and malicious website were detected by MalwareHunterTeam and the malicious site is now blocked by most website security solutions.