Using phishing emails with lures tailored to the recipient, the threat actor delivers a Word document that carries malicious macro code and an embedded image purporting to show encrypted content. Hidden beneath the image is an ActiveX control in which the threat actor instantiates the MsRdpClient10NotSafeForScripting class, a component Microsoft legitimately ships for remote desktop control.
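The document described above combines three indicators that can be checked without opening it in Word: a VBA project, an embedded image, and an ActiveX control part. The following triage script is an added example, not code from H-ISAC or from the original advisory; it walks the Office Open XML package, collects the `classid` of every ActiveX control, and flags the macro-plus-image-plus-ActiveX combination. The sample document it builds is constructed inline for the demonstration, and the all-zero CLSID in it is a placeholder, not the identifier of the RDP control.

```python
import io
import re
import zipfile
from typing import Dict, List

# Word stores each embedded ActiveX control as word/activeX/activeXN.xml.
ACTIVEX_PART = re.compile(r"^word/activeX/activeX\d+\.xml$")
# The part carries the control's CLSID in a classid attribute (normally prefixed ax:).
CLASSID_ATTR = re.compile(r'classid="(\{[0-9A-Fa-f-]+\})"')


def triage_office_doc(data: bytes) -> Dict[str, object]:
    """Inspect an OOXML Word package (bytes) for the lure indicators.

    Returns a dict with:
      vba_project        - True if word/vbaProject.bin is present (macros)
      embedded_images    - number of parts under word/media/
      activex_classids   - list of CLSIDs found in ActiveX control parts
      matches_lure_pattern - True when all three indicators appear together
    """
    result: Dict[str, object] = {
        "vba_project": False,
        "embedded_images": 0,
        "activex_classids": [],
    }
    classids: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["vba_project"] = "word/vbaProject.bin" in names
        result["embedded_images"] = sum(1 for n in names if n.startswith("word/media/"))
        for name in names:
            if ACTIVEX_PART.match(name):
                xml = zf.read(name).decode("utf-8", errors="replace")
                classids.extend(CLASSID_ATTR.findall(xml))
    result["activex_classids"] = classids
    result["matches_lure_pattern"] = bool(
        result["vba_project"] and classids and result["embedded_images"] > 0
    )
    return result


def build_sample_docm(with_activex: bool) -> bytes:
    """Construct a minimal .docm-like package for testing (constructed sample).

    The payload bytes are dummies; the CLSID is a placeholder, not a real control.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0dummy-vba")
        zf.writestr("word/media/image1.png", b"\x89PNGdummy")
        if with_activex:
            zf.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
                'ax:classid="{00000000-0000-0000-0000-000000000000}" '
                'ax:persistence="persistStreamInit"/>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, triage_office_doc(build_sample_docm(flag)))
```

In practice the collected CLSIDs would be compared against an allow- or block-list maintained by the defender; the script deliberately does not hard-code one, since the advisory names the control by its class name rather than its CLSID.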
Because the ActiveX control is a legitimate Microsoft component, disabling it outright may break processes that depend on it. TrickBot is an ever-evolving malware family that readily abuses trusted components as an attack vector. TrickBot actors typically initiate their attacks through phishing; H-ISAC therefore recommends keeping attack surfaces to a minimum and providing awareness training for staff. In particular, users should be wary of emails with an alarmist tone designed to create urgency to open attachments. For a comprehensive set of recommendations, please see the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication. The technical volumes (under Cybersecurity Practice #1) contain more details on Cybersecurity Practices for E-mail Protection.