Keep an eye on your email for messages from the US Postal Service claiming you missed an important delivery. Cybercriminals are abusing the public’s trust in the USPS to trick victims into installing the resurgent Trickbot malware.
Cofense researchers have been tracking a new Trickbot phishing campaign that began earlier this month. The “decoy” used by attackers is one most of us have encountered during the pandemic: a missed package delivery.
The messages claim no one was available to provide a signature and the recipient will have to reschedule the delivery. The criminals “usefully” note that you can simply print out the linked shipping bill and take it to a nearby post office to set a new time.
It’s pretty easy to see why someone would hastily click the button to view the alleged invoice. No one wants to miss a delivery, and it can be extremely frustrating when you do miss one.
There have been enough delays to manage over the past two years. Having to endure another one because of bad timing is exactly the kind of thing that might cause people to click first and ask questions later.
Those who click to see what this “invoice” consists of are pushed to a .ZIP file that hides a booby-trapped Excel workbook. When the workbook is opened, a large on-screen prompt attempts to trick users into disabling Excel’s built-in defenses via the yellow Protected View bar.
If the instructions are followed, a script runs that directs the victim’s computer to download the real malicious payload, and Trickbot infects the system.
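As an added defender-side illustration (this is not code from the article or from Cofense), the check below inspects a ZIP attachment of the kind described above and flags any Office workbook inside it that carries a VBA macro project; the attachment and workbook contents are constructed samples, and the file names are placeholders.

```python
# Added example: scan a ZIP attachment for Office workbooks that embed VBA macros.
# Office "x" formats (.xlsx/.xlsm/.docm) are themselves ZIP containers, and a
# macro-enabled document stores its VBA project as a part named vbaProject.bin.
# Finding that part inside a workbook wrapped in the outer ZIP lets mail filtering
# flag the lure before a user is ever shown the "disable Protected View" prompt.
import io
import zipfile
from typing import List

OFFICE_EXTS = (".xlsx", ".xlsm", ".xls", ".xlsb", ".docx", ".docm")

def office_parts_with_macros(doc_bytes: bytes) -> bool:
    """Return True if an OOXML document contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as doc:
            return any(name.lower().endswith("vbaproject.bin") for name in doc.namelist())
    except zipfile.BadZipFile:
        # Legacy binary (.xls/.xlsb) or malformed file: cannot be inspected this way,
        # so it is treated as suspicious rather than silently passed.
        return True

def find_macro_workbooks(attachment: bytes) -> List[str]:
    """Return the names of Office documents inside a ZIP attachment that carry macros."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(attachment)) as outer:
        for info in outer.infolist():
            if info.filename.lower().endswith(OFFICE_EXTS):
                if office_parts_with_macros(outer.read(info)):
                    flagged.append(info.filename)
    return flagged

def _fake_workbook(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-style container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as wb:
        wb.writestr("[Content_Types].xml", "<Types/>")
        wb.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            wb.writestr("xl/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()

def build_sample_attachment() -> bytes:
    """Constructed sample ZIP shaped like the lure: one clean and one macro-enabled workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as outer:
        outer.writestr("shipping_bill.xlsx", _fake_workbook(with_macro=False))
        outer.writestr("delivery_invoice.xlsm", _fake_workbook(with_macro=True))
        outer.writestr("readme.txt", "constructed text file")
    return buf.getvalue()

if __name__ == "__main__":
    print(find_macro_workbooks(build_sample_attachment()))  # ['delivery_invoice.xlsm']
```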
Trickbot has been circulating since 2016. It started out as a banking Trojan, but has since evolved into a fully modular malware that can provide remote access to infected systems, steal Active Directory credentials from corporate environments, and distribute ransomware.
Throughout the first year of the pandemic, Trickbot controllers used COVID-19 decoys to phish victims. Then, in late 2020, a collaborative effort involving Microsoft’s Digital Crimes Unit, numerous law enforcement agencies, and security and hosting providers dealt Trickbot a major blow.
120 of its 128 servers had been taken offline. It was known at the time that keeping Trickbot removed would require an ongoing effort. Whether this new campaign is a last gasp or the start of its resurgence remains to be seen.