The banking trojan TrickBot is not retired yet. Not in the least. In a seemingly never ending series of spam campaigns – not via the Necurs botnet this time – we’ve spotted mails written in Norwegian that appear to be sent by DNB, Norway’s largest bank.
The mail wants the recipient to believe that they have received an important “decision letter” and that they should open the attached document for more information. They also suggest that, if there are problems reading the content, you have to click the “Enable Content” button… uh oh, where have we heard that before?
Anyway, let’s take a look at the attachment “SikreDokumenter.doc” (“Secure Document”). Not that much to see here though.
“Laster Innhold” translates to “Loading content”, but that content never appears. As if it is waiting for the user to click “Enable Content”, as the mail suggests, no? Unfortunately, clicking this button still never reveals anything (how disappointing!). Instead, a Visual Basic macro launches a PowerShell script which will download and execute the TrickBot loader.
And just like last time we wrote about TrickBot, a large spam campaign often goes hand in hand with a malware update. Now the authors are “celebrating” a brand new list of targets. Here’s a short summary:
Wait, the Nordic banks were gone? That’s right! They appeared in June, but were removed again early August. Our guess was that attacking the Nordics turned out not that profitable – but now they are back. Which immediately explains the localized spam.
But fear not, our security products were already protecting you against this latest campaign.
Special thanks to Päivi for the help.