Trickbot Trojan Goes past Proofpoint Gateway Using Google Docs
The Trickbot trojan has slipped past Proofpoint’s email gateway: the campaign delivered the trojan through a Google Docs link, which the gateway let through.
The attackers are believed to have embedded the Trickbot delivery chain behind a Google Docs link. Because Google Docs is a trusted and legitimate service, the link both bypassed the email gateway and gave recipients little reason to hesitate before clicking it.
To arouse the recipients’ curiosity, the email carries the message: “Have you already received documentation I’ve directed you recently? I am sending them over again.”
Once a victim clicks the link, they are taken to a genuine Google Docs page that displays a fake 404 error message together with another embedded link. The recipient is tricked into “downloading the document manually” via that link, which in fact fetches the malicious payload. The payload arrives on the victim’s computer disguised as a PDF file.
The security researchers who found the attack stated: “Once the URL links to a file hosted on Google drive, it downloads a Review_Rep.19.PDF.exe which has been disguised as PDF file. Many recipients will not see the .exe file extension. It’s something that you need to specifically enable in Windows. So, to them it looks like a legitimate PDF file since the attacker uses the icon for a PDF.”
The result of this attack is a copy of the trojan in C:\ProgramData, from which it controls execution of the malware. A further copy is created in “C:\Users\REM\AppData\Roaming\speedLan”, which also holds the Trickbot config file.
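As an added illustration (not part of the original report), the following Python script shows how a defender could flag the two artefacts the write-up describes: a document-looking filename that actually ends in a hidden executable extension, such as Review_Rep.19.PDF.exe, and file writes to the drop locations named above. The file paths are constructed sample events, the drop-path patterns are hypothetical (the name of the copy in C:\ProgramData is not given in the report, so any .exe there is matched), and the user name is matched generically because “REM” is the analysts’ sandbox account.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Executable extensions that Windows hides by default when
# "Hide extensions for known file types" is on; a document
# extension directly before one of these is the double-extension trick.
HIDDEN_EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Hypothetical patterns for the drop locations named in the write-up;
# the ProgramData file name is unknown, so any .exe placed there matches.
DROP_PATH_PATTERNS = [
    re.compile(r"^c:\\programdata\\[^\\]+\.exe$", re.I),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\speedlan\\", re.I),
]

def is_double_extension(filename: str) -> bool:
    """True when a document-looking name really ends in an executable extension."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in HIDDEN_EXECUTABLE_EXTS and suffixes[-2] in DOCUMENT_EXTS

def flag_file_event(path: str) -> List[str]:
    """Return the reasons (possibly none) a file-creation path should be flagged."""
    reasons = []
    if is_double_extension(PureWindowsPath(path).name):
        reasons.append("double extension hides executable")
    if any(p.search(path) for p in DROP_PATH_PATTERNS):
        reasons.append("matches known Trickbot drop path")
    return reasons

# Constructed sample file-creation events, not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Users\alice\Downloads\Review_Rep.19.PDF.exe",
    r"C:\ProgramData\Review_Rep.19.PDF.exe",
    r"C:\Users\alice\AppData\Roaming\speedLan\settings.ini",
    r"C:\Users\alice\Downloads\quarterly_report.pdf",
]

def scan(events: List[str]) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; clean paths are omitted."""
    return {p: flag_file_event(p) for p in events if flag_file_event(p)}

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(f"{path}: {', '.join(reasons)}")
```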