
Remote Desktop ActiveX Is Being Used to Deliver TrickBot to Windows 10 Systems

A new method to deliver the TrickBot Trojan has been discovered on Windows 10 systems. TrickBot has been a reliable workhorse for cybercriminals since at least 2016 and is thought to have compromised at least 250 million email accounts globally. TrickBot may be responsible for hundreds of millions of dollars in fraud losses. The recent twist takes advantage of the remote desktop ActiveX control class to automatically execute the OSTAP malware JavaScript downloader on victim machines. Adversaries deliver it through phishing campaigns that rely on the user opening an email attachment and enabling content, which lets a malicious macro run.

Technical Details

Using phishing emails with lures pertinent to the recipient, the threat actor delivers a Word document carrying malicious macro code and an image that shows encrypted content. Hidden below the embedded image is the ActiveX control through which the threat actor instantiates the MsRdpClient10NotSafeForScripting class, which Microsoft legitimately designed for remote control.


The JavaScript code for the OSTAP malware downloader hides in the document by using a text font with the same color as the background, making it invisible to the unsuspecting user. Other evasion tactics include leaving the server field empty in the ActiveX control properties for the MsRdpClient10NotSafeForScripting class, even though a server is needed to connect. The threat actor purposely leaves this field blank so that the DNS lookup finds nothing and the connection attempt fails; that failure raises the control's "_OnDisconnected" event, whose handler acts as the trigger to execute the OSTAP batch (.BAT) file that downloads the malware. The Word file is closed once this process has run.
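A triage check for the pattern described above, added here as an example and not part of the advisory or of any vendor tool: it assumes the macro source has already been decompressed out of the document (for instance with a VBA extractor) and that the ActiveX part persists its properties as ax:ocxPr elements; the sample inputs and the PLACEHOLDER values are constructed.

```python
import re
from dataclasses import dataclass

# Indicators from the advisory: the RDP ActiveX class and the disconnect event.
RDP_CLASS = "MsRdpClient10NotSafeForScripting"
# VBA names event handlers <control>_<event>; accept any control name.
DISCONNECT_HANDLER = re.compile(r"^\s*(?:Private\s+)?Sub\s+\w+_OnDisconnected\s*\(", re.I | re.M)
EXEC_CALL = re.compile(r"\b(Shell|CreateObject|WScript\.Shell|\.Run|\.Exec)\b", re.I)
# Assumption: word/activeX/activeXN.xml persists properties as
# <ax:ocxPr ax:name="Server" ax:value="..."/>; a blank value is the tell.
SERVER_PROP = re.compile(r'ax:name="Server"\s+ax:value="([^"]*)"', re.I)

@dataclass
class Verdict:
    rdp_control: bool      # macro or ActiveX part references the RDP class
    disconnect_hook: bool  # an *_OnDisconnected handler is defined
    exec_in_handler: bool  # that handler spawns a process
    empty_server: bool     # control persisted with a blank Server property

    @property
    def suspicious(self) -> bool:
        return self.rdp_control and self.disconnect_hook and (
            self.exec_in_handler or self.empty_server)

def handler_bodies(vba: str):
    """Yield the body of every *_OnDisconnected handler in decompressed VBA source."""
    for m in DISCONNECT_HANDLER.finditer(vba):
        rest = vba[m.end():]
        end = re.search(r"^\s*End\s+Sub\b", rest, re.I | re.M)
        yield rest[:end.start()] if end else rest

def assess(vba_source: str, activex_xml: str = "") -> Verdict:
    """Score one document's extracted macro source plus its ActiveX part XML."""
    bodies = list(handler_bodies(vba_source))
    server = SERVER_PROP.search(activex_xml)
    return Verdict(
        rdp_control=RDP_CLASS.lower() in (vba_source + activex_xml).lower(),
        disconnect_hook=bool(bodies),
        exec_in_handler=any(EXEC_CALL.search(b) for b in bodies),
        empty_server=bool(server) and server.group(1).strip() == "",
    )

# Constructed sample: a handler shaped like the one the advisory describes, with a
# placeholder command, and an ActiveX part persisted with an empty Server property.
SAMPLE_VBA = """Private Sub MsRdpClient10NotSafeForScripting1_OnDisconnected(ByVal discReason As Long)
    Shell "PLACEHOLDER.bat"
End Sub
"""
SAMPLE_AX = '<ax:ocx ax:classid="{PLACEHOLDER-CLSID}"><ax:ocxPr ax:name="Server" ax:value=""/></ax:ocx>'
```

Run assess() over each document's extracted VBA and ActiveX parts and escalate anything that comes back suspicious; a disconnect handler alone is legitimate in RDP tooling, so the combination is what matters.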


Recommended Action

Phishing Awareness Training: For more information, please email UCLA Information Security Awareness.

Because the ActiveX control is legitimate, disabling it would not be ideal for system processes that depend on it. TrickBot has shown it is an ever-evolving malware family that will use trusted processes as an attack vector. TrickBot actors often initiate their attack via phishing techniques; therefore, H-ISAC recommends remaining vigilant in efforts to keep attack surfaces to a minimum and providing awareness training for staff. Specifically, users should be on the lookout for emails with an alarmist tone intended to create urgency to view attachments. For a comprehensive set of recommendations, please see the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication. The technical volumes (under Cybersecurity Practice #1) contain more details on Cybersecurity Practices for E-mail Protection.
