Over the last week or so, there has been a bit of a change to the Trickbot delivery system. For quite a while they used the Microsoft Equation Editor exploit CVE-2017-11882 in Word docs to deliver the payload, sometimes using 2 or 3 different exploits and badly documented features in Word. Then in early June 2018 they reverted to the more standard “auto-open” macro in Word.
They started to experiment on Monday 25 June 2018 with using CVE-2018-8174, but because that is an Internet Explorer specific exploit, relying on it will drastically cut down the number of available victims.
After 2 days that approach suddenly stopped and they reverted to using macros in Word docs again. I thought something looked slightly different with these macros because when analysing them using Anyrun I noticed that you needed to allow an ActiveX control to run. At first I thought this was due to an update to AnyrunApp, where they had removed some inbuilt security overrides and made the interactive ability more in line with a real-life user experience. I haven’t noticed this behaviour in the recent AnyrunApp reports for Trickbot, so I assume that the ActiveX warning has been overridden to make it easier to automatically get the malware payload.
So it looks like they are using the InkPicture ActiveX control inside VBA macros to trigger a PowerShell script that downloads the malware payload.
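A simple triage check for this technique, added here as an example and not taken from the post or from any real sample: extracted VBA source is scanned for InkPicture control event handlers appearing alongside process-spawning calls, which is the combination described above and one that the classic AutoOpen/Document_Open signatures would miss. The VBA text, the handler name `InkPicture1_Painted` and the placeholder command are constructed for the demo.

```python
import re

# Constructed sample VBA modelled on the described technique (not a real maldoc):
# the InkPicture control's event handler, not AutoOpen, is what runs the shell call.
SAMPLE_VBA = """
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As RECT)
    Dim cmd As String
    cmd = "powershell -w hidden -c " & Chr(34) & "<download-and-run placeholder>" & Chr(34)
    Shell cmd, vbHide
End Sub
"""

# Any Sub named <InkPictureN>_<Event>: Office names control instances InkPicture1, InkPicture2...
INK_EVENT_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+(InkPicture\d*_\w+)\s*\(",
    re.IGNORECASE | re.MULTILINE)
# The usual auto-execution entry points, kept for comparison in the report.
AUTO_EXEC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+(AutoOpen|Document_Open|AutoExec)\s*\(",
    re.IGNORECASE | re.MULTILINE)
# Ways VBA commonly spawns a process or reaches PowerShell.
EXEC_RE = re.compile(r"\b(WScript\.Shell|Shell|CreateObject|powershell)\b", re.IGNORECASE)


def scan_vba(vba_source):
    """Return which triggers and execution primitives the macro source contains.

    'suspicious' is set when an InkPicture event handler coexists with an
    execution primitive, i.e. the macro can run code without an AutoOpen-style
    entry point, as in the delivery change described in the post.
    """
    ink_handlers = INK_EVENT_RE.findall(vba_source)
    auto_exec = AUTO_EXEC_RE.findall(vba_source)
    exec_hits = sorted({m.lower() for m in EXEC_RE.findall(vba_source)})
    return {
        "ink_handlers": ink_handlers,
        "auto_exec": auto_exec,
        "exec_hits": exec_hits,
        "suspicious": bool(ink_handlers) and bool(exec_hits),
    }


if __name__ == "__main__":
    print(scan_vba(SAMPLE_VBA))
```

In practice the input would be the VBA modules pulled from the document with a macro extractor; the regexes only look at source text, so obfuscated or split strings still need the extractor's deobfuscation first.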
Then I noticed this tweet from Hybrid Analysis and the penny dropped.
Here’s a fresh maldoc delivering #trickbot (financial malware) using InkPicture’s ActiveX control to trigger using “payslip” name for social engineering: https://t.co/yQFkhfSqXh pic.twitter.com/y2P2nvRPqr
— Hybrid Analysis (@HybridAnalysis) June 29, 2018
Just be aware that the Trickbot criminal gang is one of the most prolific in the field of banking and other financial fraud. They continually innovate and find new, improved and different delivery mechanisms to keep us on our toes. No doubt we will see loads of other new exploits or badly documented, barely known “features” in Microsoft Office documents being used by this and other criminal gangs.