TrickBot Returns with a New Malspam Campaign

A botnet that was severely disrupted in late 2020 by a coalition led by Microsoft is now back with a new malspam campaign. The infrastructure used by the operators of the TrickBot botnet was taken down in the run-up to the November 2020 U.S. Presidential election, but it didn’t take long for the infrastructure to be rebuilt. The takedown was successful and caused major disruption to the operation, but since no arrests were made, the gang was free to rebuild its infrastructure.

Researchers at Menlo Security recently identified a new malspam campaign that targets the legal and insurance sectors in North America and attempts to trick workers in those sectors into downloading a zip file that contains a malicious JavaScript file that delivers the TrickBot Trojan.

Prior to the takedown, the botnet was used to distribute the TrickBot banking Trojan using malicious attachments with macros that downloaded and executed the banking Trojan. The TrickBot gang also worked with the operators of the Emotet botnet to deliver their Trojan, although that distribution method has now come to an end with the coordinated takedown of the Emotet infrastructure last week in a global law enforcement operation led by Europol. Now that Emotet is out of action, the TrickBot gang is likely to be conducting more of its own spamming campaigns spreading the malware.

Just as the TrickBot gang joined forces with Emotet, the operators of TrickBot previously paired up with the Ryuk ransomware gang. Once they had performed their malicious actions, access to the compromised computers was provided to Ryuk and ransomware was deployed.

If users click the link in the emails in the latest campaign, they are sent through a series of redirects before landing on a page informing them that they have been caught on camera in a traffic infringement involving negligent driving. They are told that a copy of the proof will be sent to their address by mail, but a “download photo proof” button is displayed that allows them to check the evidence.

The downloaded zip file is heavily obfuscated. If the JavaScript file is run, a connection is made to the command-and-control server and the TrickBot binary is downloaded and executed.
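The delivery chain above ends with a zip attachment carrying a JavaScript dropper. The following is an added triage example written for this page, not code from the article or from Menlo Security: it opens a zip in memory and flags members with Windows Script Host extensions, decoy double extensions (for example a lure named like a photo but ending in .js), or nested archives. The sample archive and its file names are constructed placeholders, and the extension lists are assumptions a real mail-gateway rule would extend.

```python
# Added example: flag script-type droppers inside a zip attachment.
# Not the article's or Menlo Security's code; sample archive is constructed.
import io
import zipfile
from dataclasses import dataclass, field

# Extensions that Windows Script Host / mshta run directly on double-click (assumed list)
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta"}
# Decoy extensions commonly placed in front of the real one (assumed list)
DECOY_EXTS = {"jpg", "jpeg", "png", "pdf", "doc", "docx", "txt"}


@dataclass
class Finding:
    member: str
    reasons: list = field(default_factory=list)


def triage_zip(data: bytes) -> list:
    """Return a Finding for every archive member that warrants blocking or review."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Inspect only the basename, lower-cased, split on dots
            name = info.filename.rsplit("/", 1)[-1].lower()
            parts = name.split(".")
            reasons = []
            if len(parts) > 1 and parts[-1] in SCRIPT_EXTS:
                reasons.append(f"script-host extension .{parts[-1]}")
            if len(parts) > 2 and parts[-2] in DECOY_EXTS:
                reasons.append(f"double extension hides .{parts[-1]} behind .{parts[-2]}")
            if len(parts) > 1 and parts[-1] == "zip":
                reasons.append("nested archive")
            if reasons:
                findings.append(Finding(info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a lure-named script beside a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo_proof.jpg.js", "// constructed placeholder, not malware\n")
        zf.writestr("readme.txt", "benign\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f.member, "->", "; ".join(f.reasons))
```

Running the block prints the one flagged member with both reasons; the benign text file produces no finding.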

Menlo Security researchers explained that two of the URLs used to download the malicious payload have previously been associated with the TrickBot gang; however, several URLs are being used in this campaign which so far have poor detection on VirusTotal, making it likely – at least initially – that the threat will not be detected and blocked.

It remains to be seen whether the attempt to take down Emotet proves to be just as short-lived, although in the case of Emotet, several arrests were made as part of the operation, so it is hoped that the Emotet operation was more comprehensively disrupted.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of