In October of last year, Microsoft used a court order to disrupt the prolific ransomware distributor Trickbot. The botnet survived and now threat researchers are monitoring a new Trickbot campaign. The new phishing attack sends an email link that redirects victims to a compromised server, taking them to a webpage claiming they have been found guilty of a traffic violation. Included is a download button where victims can see photos of the alleged incident. Upon clicking the download button, a zip file containing a malicious JavaScript file is downloaded, and if the JavaScript file is double-clicked, it will run using the built-in Windows scripting host and Trickbot malware is loaded by downloading a binary executable.
Analyst Notes
Although Trickbot survived the disruption by Microsoft, a new legal precedent was set. Microsoft successfully argued that Trickbot was using Windows code for malicious purposes and provided them a court order to disrupt the botnet. This should allow for more support in future attempts to takedown the malware. In the meantime, the best way to protect against phishing campaigns is training and awareness. Teaching employees how to spot a phishing email can be a great defense. Identifying suspicious URLs or email addresses or knowing when an attachment may be malicious can prevent an attack brought on by a phishing email. If email filtering is in place, defenders can block zip file attachments that contain JavaScript or VBScript files. Another useful preventative control to deploy is a group policy update to set the default program for handling .js and .vbs file extensions to Notepad or another text editor program, so that employees double-clicking a script file do not automatically execute it on their workstation. Multi-factor authentication also provides a strong barrier against phishing attacks because it requires an extra step for cyber criminals to overcome in order to conduct a successful attack. According to Microsoft, using multi-factor authentication blocks 99.9% of attempted account hacks. Companies should also utilize a service such as Binary Defense’s Managed Detection and Response service to monitor endpoints for any abnormal activity and identify attacks early before they can cause damage.
