Security Alert: New Spam Campaign Delivers Trickbot Payload, Spoofs Dropbox


You may remember Trickbot, the financial Trojan that has previously targeted a lot of US banking companies, including big names like PayPal. The authors of Trickbot are persistent and continue to find new ways to harvest users’ valuable data. Recently, researchers discovered a spam email campaign in which malicious actors resort to spoofing Dropbox.

Security researchers analyzed a new spam email campaign delivering the Trickbot malware. The emails claim to come from the legitimate Dropbox website but actually come from a look-alike site.

The unwanted email is delivered with the following details (sanitized for your own protection):

From: Dropbox <no-reply@dropboxsec[.]com>

Subject line:

A new document is available for download



Your company administrator has uploaded a secure document for you or your company.

Your ID: [email address]

Your unique download key: 6M4V74YEVMDHGR

This string of letters and numbers is a unique ID for the document you received.

To view or print the document please click here [link to dropboxsec[.]com]

The document associated with this unique ID opens. You can now sign, download and save, print, and perform “More” actions on the document, depending on the permissions the sender has given you.

Please contact your administrator for more information.


– The Dropbox Team
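A mail-filter check for the mismatch this message relies on, a brand name in the sender or link host that sits outside the brand's own domains, can look like the following. This is an added example, not part of the original alert; the allow-list, the function names and the `hxxp`/`[.]` defanging convention are assumptions, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: allow-list of domains the brand really sends from, kept by the defender.
BRAND_DOMAINS = {"dropbox": {"dropbox.com"}}
URL_HOST = re.compile(r"https?://([^/\s:>\]]+)", re.I)

def refang(text):
    """Undo common IoC defanging in memory so headers and links can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def is_brand_domain(host, brand):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])

def brand_spoof_findings(raw_message):
    """Return (reason, host) pairs for brand names used outside the brand's domains."""
    msg = message_from_string(refang(raw_message))
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    findings = []
    for brand in BRAND_DOMAINS:
        claims_brand = brand in display.lower() or brand in sender_host
        if claims_brand and not is_brand_domain(sender_host, brand):
            findings.append(("sender-not-brand-domain", sender_host))
        for host in sorted(set(h.lower() for h in URL_HOST.findall(body))):
            if brand in host and not is_brand_domain(host, brand):
                findings.append(("lookalike-link-host", host))
    return findings

# Constructed samples: the first reuses the defanged sender and link from this alert.
SPOOFED = """From: Dropbox <no-reply@dropboxsec[.]com>
Subject: A new document is available for download

To view or print the document please click here: hxxps://dropboxsec[.]net/6M4V74YEVMDHGR.doc
"""
GENUINE = """From: Dropbox <no-reply@dropbox.com>
Subject: Shared folder

Open hxxps://www.dropbox[.]com/home
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, brand_spoof_findings(sample))
```

A substring match on the brand name is deliberately broad, so the allow-list has to cover every domain the brand legitimately sends from to avoid false positives.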

How the infection happens

If a user is lured into clicking on the malicious link, a specially crafted and harmful document is delivered via a URL that could look like this one:

https:[//]dropboxsec[.]net/6M4V74YEVMDHGR.doc

If the macro code in the malicious Word document is enabled by an unsuspecting recipient, Trickbot will be retrieved from the following URLs (sanitized for your own safety):

http://techknowlogix[.]net/farestod.png
http://[.]ve/farestod.png

This TrickBot variant is linked to the main bot that has the ID (group tag) “tt0002” and the version number 1000147. It comes with several modules, including configuration files in an encrypted form.

With the help of a COM server, it creates a “task” that can execute the Trickbot payload after a restart of the machine via “AppData Roaming % client_id%”.

Trickbot uses the API “GetNativeSystemInfo” or “wProcessorArchitecture” to determine whether it is running in a 32-bit or 64-bit environment / CPU.

Here’s what the configuration file listing the previously mentioned C&C servers looks like. Malicious actors use these servers to maintain communications with compromised systems:

<mcconf>
<ver>1000000</ver>
<gtag>tt0002</gtag>
<servs>
[C&C:[port]]
</servs>
<autorun>
<module name="systeminfo" ctl="GetSystemInfo"/>
</autorun>
</mcconf>
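Once a configuration in the mcconf layout this alert shows has been decrypted, the fields a defender pivots on (version, group tag, server endpoints, autorun modules) can be pulled out mechanically. This is an added example, not code from the original alert or from the researchers; the `<srv>` per-server element and the function names are assumptions, and the sample uses documentation-range addresses rather than campaign infrastructure.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the mcconf layout; <srv> as the per-server element is an
# assumption, and the addresses are documentation ranges, not real C&C servers.
SAMPLE_MCCONF = """<mcconf>
<ver>1000000</ver>
<gtag>tt0002</gtag>
<servs>
<srv>192.0.2.10:443</srv>
<srv>198.51.100.7:449</srv>
<srv>not-an-endpoint</srv>
<srv>192.0.2.10:443</srv>
</servs>
<autorun>
<module name="systeminfo" ctl="GetSystemInfo"/>
</autorun>
</mcconf>"""

def parse_endpoint(text):
    """Return (ip, port) for a well-formed 'ip:port' entry, else None."""
    host, _, port = text.strip().rpartition(":")
    try:
        ip, port = ipaddress.ip_address(host), int(port)
    except ValueError:
        return None
    return (str(ip), port) if 0 < port < 65536 else None

def summarize_mcconf(xml_text):
    """Extract version, group tag, unique endpoints and autorun modules."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("refusing config with DTD/entity declarations")
    root = ET.fromstring(xml_text)
    servers, rejected = [], []
    for srv in root.iterfind("./servs/srv"):
        endpoint = parse_endpoint(srv.text or "")
        if endpoint is None:
            rejected.append(srv.text)      # keep malformed entries for manual review
        elif endpoint not in servers:
            servers.append(endpoint)       # de-duplicate, preserve order
    modules = [(m.get("name"), m.get("ctl")) for m in root.iterfind("./autorun/module")]
    return {"ver": (root.findtext("ver") or "").strip(),
            "gtag": (root.findtext("gtag") or "").strip(),
            "servers": servers, "rejected": rejected, "autorun": modules}

if __name__ == "__main__":
    print(summarize_mcconf(SAMPLE_MCCONF))
```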

Heimdal Security proactively blocked these infected domains (and malicious emails), so all Heimdal PRO and Heimdal CORP users are protected.

According to VirusTotal, only 17 antivirus products out of 56 have managed to detect this spam email campaign at the time of writing this security alert.

VirusTotal analysis

How to stay safe from banking trojans

Trickbot is known for its banking trojan features and the various ways used by cyber criminals to steal users’ personal information and harvest their sensitive data.

We recommend you:

  • Always keep your operating system, and all your apps and other software programs, updated because that is the first place where malicious actors look to exploit flaws.
  • Once again, we urge you: don’t open emails or click on suspicious files/attachments;
  • Keep a backup of all your important data on external sources like a hard drive or in the cloud (Google Drive, Dropbox, etc.). This guide shows you how to do it;
  • Setting up a good, strong password is one of the best pieces of cybersecurity advice from security experts, and this security guide comes in handy;
  • Try to run software programs with non-administrative user accounts and remember to disable macros in the Microsoft Office package;
  • Make sure you have a reliable antivirus program installed on your PC to protect your valuable data from online threats;
  • It would be safer to add multiple layers of protection and use proactive cyber security software;
  • Prevention is the best cure, so you should learn as much as possible about how to easily detect spam emails. These free educational resources might help you gain more knowledge in the cybersecurity landscape.


*This article features cyber intelligence provided by CSIS Security Group researchers.

The post Security Alert: New Spam Campaign Delivers Trickbot Payload, Spoofs Dropbox appeared first on Heimdal Security Blog.
