TrickBot Trojan Now Using URL Redirects to Fool End Users and Cybersecurity Solutions

The Trickbot banking Trojan is one of the biggest cyber threats faced by businesses. Trickbot is primarily a banking Trojan that is used to obtain login credentials to online bank accounts. The malware can also steal from Bitcoin wallets and harvest email credentials and steal other sensitive data. The malware is one of the most active banking Trojans in use, second only to Emotet.

The malware is primarily distributed via spam and phishing emails, which usually include attachments with malicious macros that download the Trickbot payload. Campaigns have also been conducted using malicious URLs which, if clicked, direct the user to a website where the malware is downloaded. Trickbot is also delivered by other malware variants such as Emotet.

Recently, the threat actors behind the malware have started using a new tactic to increase infection rates. Phishing emails contain URLs which appear to be legitimate links to Google domains; however, when the embedded links are clicked, the user is redirected to a malicious website where the Trickbot payload is downloaded.

Security researchers at Trend Micro identified a new variant of Trickbot being distributed in phishing emails using this new tactic. The emails intercepted by Trend Micro claimed that an order had been processed and a package was ready to be shipped.  The emails contained a package tracking number, standard delivery disclaimers, the sender’s contact details, and realistic imagery, including social media icons.

The use of a Google domain adds authenticity to the email and makes it appear to the recipient that the link can be trusted. When the link is clicked, the user is redirected to a website that allows the user to review online orders.

A compressed file is downloaded which contains a Visual Basic script that downloads Trickbot. Once downloaded, Trickbot gets to work profiling the network, searching for sensitive data, and inserts code into browsers which monitors for online banking activity and captures credentials. Once downloaded on a device, it is unlikely that the user will be aware that their computer has been infected.

The URL redirection serves two purposes. In addition to making the embedded link appear legitimate, this technique helps the attackers fool spam filtering solutions.

Businesses can protect against these attacks by using advanced spam filtering technologies that are capable of scanning embedded links and analyzing redirects. Web filters are also a valuable tool that can protect against URL redirects and prevent users from visiting malicious websites.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of