The TrickBot Trojan has become even trickier: a Windows 10 ActiveX control is now being used to automatically run malicious macros in Office email attachments. Several documents that abuse the Windows 10 ActiveX control have been intercepted in the past few days.
Malspam emails using this new delivery technique were intercepted by researchers at Morphisec Labs. The ActiveX control is used to execute an OSTAP JavaScript downloader, which serves as the dropper for TrickBot.
The user must first enable content after opening the Word file attachment. Once that has happened, the infection process begins and the TrickBot Trojan is silently downloaded and executed.
The naming convention for the Word attachments is typically a random string of 7-9 digits. The intercepted documents contained an image to encourage users to enable content. In some of the intercepted documents, a blurred image of the text of the document was embedded, along with a message stating that the document was protected and the user needed to enable content in order to decrypt the file and display the contents.
The OSTAP JavaScript downloader is not visible in the document because it is formatted as white text. While that means it is not viewable to the user, email security solutions that analyze Word attachments will be able to identify the downloader and should mark the file as malicious to prevent delivery to inboxes.
The researchers explain that the ActiveX control uses the “MsRdpClient10NotSafeForScripting” class. Since the server field in the script is empty, it will produce an error message that is used by the attackers to execute their code. “The OSTAP will not execute unless the error number matches exactly to “disconnectReasonDNSLookupFailed” (260); the OSTAP wscript command is concatenated with a combination of characters that are dependent on the error number calculation,” explained Morphisec’s Michael Gorelik. The OSTAP is created in the form of a BAT file, which is then automatically executed, and the Word document form is then closed.
“The BAT will execute wscript back with its own content,” said Gorelik. “An old trick using comments that the BAT will disregard during the execution of wscript (non-recognized command) while skipped together with its content when executed by wscript (or any other interpreter that adheres to the comments syntax).”
The ActiveX control is used to target Windows 10 machines. It will not work on earlier Windows versions.
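The traits described above (an ActiveX control in the document together with script content hidden as white text) can be checked statically at the mail gateway. The sketch below is an added example, not Morphisec's code or part of the original article; the function names, the 200-character threshold and the sample document are assumptions, and it covers only OOXML (.docx/.docm) files.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
ACTIVEX_CLASS = b"MsRdpClient10NotSafeForScripting"  # class name quoted above
MAX_PART = 20 * 1024 * 1024  # skip oversized parts (zip-bomb guard)

def white_text_chars(document_xml: bytes) -> int:
    """Count characters in runs whose font colour is explicitly white."""
    total = 0
    for run in ET.fromstring(document_xml).iter(W + "r"):
        color = run.find(f"{W}rPr/{W}color")
        if color is not None and color.get(W + "val", "").upper() == "FFFFFF":
            total += sum(len(t.text or "") for t in run.iter(W + "t"))
    return total

def triage_docx(data: bytes, min_hidden: int = 200) -> dict:
    """Flag a .docx/.docm that pairs an ActiveX control with hidden white text."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = {i.filename: z.read(i) for i in z.infolist() if i.file_size <= MAX_PART}
    # Literal match only: VBA source in vbaProject.bin is compressed and
    # needs a VBA extractor before this string would be visible there.
    class_hits = sorted(n for n, body in parts.items() if ACTIVEX_CLASS in body)
    activex = sorted(n for n in parts if n.startswith("word/activeX/"))
    hidden = white_text_chars(parts.get("word/document.xml", b"<x/>"))
    return {
        "has_vba": any(n.endswith("vbaProject.bin") for n in parts),
        "activex_parts": activex,
        "class_name_parts": class_hits,
        "white_text_chars": hidden,
        "suspicious": bool(activex or class_hits) and hidden >= min_hidden,
    }

def build_sample(colour: str, with_activex: bool) -> bytes:
    """Constructed test document: inert filler text, no script content."""
    ns = W[1:-1]
    doc = (f'<w:document xmlns:w="{ns}"><w:body><w:p><w:r><w:rPr>'
           f'<w:color w:val="{colour}"/></w:rPr><w:t>{"A" * 300}</w:t></w:r>'
           f'</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        if with_activex:  # placeholder part, not a real control definition
            z.writestr("word/activeX/activeX1.xml", b"<ocx>" + ACTIVEX_CLASS + b"</ocx>")
    return buf.getvalue()
```

Legacy binary .doc files are not ZIP containers and need an OLE parser instead; for untrusted mail at volume, a hardened XML parser such as defusedxml is a safer choice than the standard-library one used here.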
TrickBot is one of the most dangerous malware variants in use. It is regularly updated with new functions, and new tricks are constantly being added to make the malspam emails and TrickBot harder to identify. In addition to stealing banking credentials, TrickBot has recently been updated to steal remote desktop credentials and passwords for OpenSSH and OpenVPN applications. As well as being distributed in malspam campaigns as the primary payload, it is also delivered as a secondary payload by Emotet.