Researchers at Cofense, a global cybersecurity company, have been tracking a new Trickbot phishing campaign that uses a common technique to trick victims into clicking on a link.
The messages claim to be from the U.S. Postal Service notifying the victim of a missed parcel delivery.
The message claims that no one was available to provide a signature and that the recipient will have to reschedule the delivery. The cybercriminals "helpfully" note that you can simply print out the linked shipping invoice and present it at a nearby post office to set up a new delivery time.
Those who fall for this trap and click the link are sent to a site hosting a .ZIP file that contains an infected Excel workbook. When the workbook is opened, a popup notice attempts to coax users into turning off Excel's built-in defenses via the yellow Protected View bar. If the instructions are followed, a macro script is triggered that downloads the real malicious payload, leading to a Trickbot infection.
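A defender-side check for the delivery chain described above (a ZIP attachment wrapping a macro-carrying Excel workbook), written as an added example that is not code from the Cofense report or the Forbes article. It assumes the modern OOXML container format, where a VBA project is stored as a `vbaProject.bin` part; the sample archive and the file name `Shipping_Invoice.xlsm` are constructed here for illustration.

```python
import io
import zipfile

# Office document extensions worth inspecting inside an attachment archive.
OFFICE_EXTS = (".xlsx", ".xlsm", ".xls", ".docx", ".docm")

def office_has_macros(data: bytes) -> bool:
    """Return True if an OOXML document carries an embedded VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            names = doc.namelist()
    except zipfile.BadZipFile:
        return False  # legacy binary .xls, or not an OOXML container at all
    # xl/vbaProject.bin for workbooks, word/vbaProject.bin for documents
    return any(n.lower().endswith("vbaproject.bin") for n in names)

def scan_zip_attachment(data: bytes) -> list[str]:
    """Return the names of Office documents inside a ZIP that contain macros."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            if info.filename.lower().endswith(OFFICE_EXTS):
                if office_has_macros(outer.read(info)):
                    flagged.append(info.filename)
    return flagged

def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-style workbook wrapped in an outer ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Stub standing in for the OLE-packaged VBA project (constructed bytes)
            doc.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Shipping_Invoice.xlsm", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    print(scan_zip_attachment(build_sample(True)))   # ['Shipping_Invoice.xlsm']
    print(scan_zip_attachment(build_sample(False)))  # []
```

A mail gateway or sandbox can run the same check on inbound archives and quarantine any attachment for which `scan_zip_attachment` returns a non-empty list.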
Trickbot has been circulating since 2016. It began as a simple banking Trojan but has since evolved into fully modular malware that can provide remote access to infected systems, steal Active Directory credentials from enterprise environments, and distribute ransomware.
In 2020, a collaborative effort involving Microsoft's Digital Crimes Unit, law enforcement agencies, and security and hosting providers attempted to defeat Trickbot by taking 120 of its 128 servers offline. It was known at the time that keeping Trickbot suppressed would require an ongoing effort. Whether this new campaign is its last gasp, or the start of its resurgence, remains to be seen. "Hackers Spoof Post Office Notices To Spread Notorious Trickbot Malware" www.forbes.com (Jan. 31, 2022).