The Trickbot delivery system has changed today, Instead of the usual word docs with either macros, embedded ole objects or using the Microsoft equation editor exploits, they have switched to a multi-faceted download system, involving fake Adobe PDF plugins.
This example is an email containing the subject of “FW: Incoming BACs Documents” pretending to come from Lloyds Bank but actually coming from a look-a-like or typo-squatted domain firstname.lastname@example.org with link in the email body is today’s latest spoof of a well-known company, bank or public authority eventually delivering Trickbot banking Trojan
You do not need the password from the email body. It is just there to make it look more realistic
I could only get this download chain to work on Google Chrome or Firefox. It did not display the pop up/ overlay on Internet Explorer or Microsoft Edge browsers.
You can now submit suspicious sites, emails and files via our Submissions system
From: Lloyds Bank <email@example.com>
Date: Tue 08/05/2018 11:22
Subject: FW: Incoming BACs Documents
From: Incoming BACs Documents (Lloyds Bank PLC)
Date: Tue, 8 May 2018 06:22:28 -0400
File Type: Adobe Reader (PDF)
Attached is a final copy of Incoming BACs Documents from Lloyds Bank PLC.
For additional security, the sender has set an open password for this document. You will need to contact Onboarding COE NWB Documents to get the password in order to view this attachment.
You can view the document in your online account.
About this email
This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments.
Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 9392991. Telephone: 0845 603 1637
Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.
Lloyds Bank has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
What has happened is that the criminals sending these have registered various domains that look like genuine Company, Bank, Government or message sending services. Normally there are between 2 and 4 newly registered domains that imitate Companies House, HMRC, another Government department, a Bank, file hosting service or a message sending service that can easily be confused with the genuine organisation in some way. Some days however we do see dozens or even hundreds of fake domains.
Today’s examples of the spoofed domains are, as usual, registered via Godaddy as registrar using privacy protection services.
- lloydsbankdocs.com hosted behind cloudflare so I cannot find the server location
- lloydsbanksecure.co.uk hosted on & sending emails via 184.108.40.206 | 220.127.116.11 |18.104.22.168 | 22.214.171.124|
They have also changed to C:\Users\User Name\AppData\Roaming\wsxmail as the folder location to run the malware and store the config files. Today we have Gtag ser 0508