New TrickBot Malware Attack Leverages Google Drive to Deliver Its Payload and Ensure Infection

Stu Sjouwerman | Jan 7, 2020

New details from Palo Alto Networks’ Unit 42 research team show TrickBot rearing its ugly head once again, using legitimate cloud services – and employee greed – as its path to success. Who doesn’t want a huge bonus? And who doesn’t know about Google Drive by now?

It’s these two factors that attackers relied upon in a new phishing campaign designed to infect machines with TrickBot – a well-known credential-stealing malware. According to the researchers at Unit 42, attackers used subject lines that included the phrase “annual bonus” to get the attention of potential victims. Using rather huge bonus amounts (shown below), attackers enticed victims to click on documents that supposedly needed to be “signed.”

Figure 1. Screenshots of TrickBot phishing emails

The malicious link redirected victims to a Google Doc, which in turn linked to a payload file on Google Drive. The use of Google Docs and Drive is the specific part of the attack that lets it often go unnoticed by anti-malware detection engines. Scammers leverage well-known cloud services to avoid detection; it’s worked in the past with SharePoint and OneDrive, and it continues to be a common-enough tactic because these services are familiar enough to unwitting users that they don’t raise suspicion.
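The pairing of a bonus-themed lure with a Google Docs or Drive link is something mail filtering can check for. The following added example (not part of the original post or of Unit 42’s research) scores constructed sample messages against the two indicators described above; the sample addresses and document IDs are placeholders.

```python
import re
from email.parser import Parser
from email.policy import default

# Lure phrase and cloud-hosting domains taken from the campaign described above.
LURE_SUBJECT = re.compile(r"\bannual\s+bonus\b", re.IGNORECASE)
CLOUD_LINK = re.compile(r"https?://(?:docs|drive)\.google\.com/\S+", re.IGNORECASE)
SIGN_CUE = re.compile(r"\b(sign|signature|signed)\b", re.IGNORECASE)


def score_message(raw: str) -> dict:
    """Return the indicators found in one RFC 822 message plus a verdict."""
    msg = Parser(policy=default).parsestr(raw)
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    indicators = {
        "bonus_lure": bool(LURE_SUBJECT.search(subject)),
        "google_docs_link": bool(CLOUD_LINK.search(text)),
        "signing_cue": bool(SIGN_CUE.search(text)),
    }
    # Flag only when the lure theme and the cloud-hosted link appear together;
    # either one alone is common in legitimate mail.
    indicators["suspicious"] = indicators["bonus_lure"] and indicators["google_docs_link"]
    return indicators


# Constructed sample messages (not taken from the real campaign).
PHISH = """Subject: Your annual bonus - $15,000
From: hr@example.invalid
To: user@example.invalid
Content-Type: text/plain

Please review and sign the attached statement:
https://docs.google.com/document/d/CONSTRUCTED-ID/edit
"""

BENIGN = """Subject: Q4 planning notes
From: colleague@example.invalid
To: user@example.invalid
Content-Type: text/plain

Slides are here: https://docs.google.com/presentation/d/CONSTRUCTED-ID/edit
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, score_message(raw))
```

A legitimate shared slide deck is not flagged because the lure theme is absent, which is the point of requiring both indicators.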

This inordinate number of steps, which is obviously out of the norm, is what should raise red flags in the user’s mind. It’s only through Security Awareness Training that users come to understand that a scam which feels this awkward should be treated as suspicious and that further contact with it should be avoided.
