Home Articles How Trickbot Trojan is Evasive of Proofpoint Gateway

How Trickbot Trojan is Evasive of Proofpoint Gateway


Trickbot is using Google Docs to bypass the Proofpoint’s Gateway. Read on to know how the trickbot trojan is sharing sites like Google Docs to bypass the email gateway…

The ever-evolving Trickbot trojan is never leaving a chance to surprise security analysts. TrickBot is one of the most aggressive malware these days after replacing Emotet as the most actively distributed strain via malspam campaigns, with upgrades added to new versions spotted by security researchers on an almost weekly basis.

TrickBot which is also known as Trickster, TrickLoader, or TheTrick is a malicious payload distributed through this phishing campaign, is an ever-evolving banking Trojan with continuously upgraded with new modules and capabilities since October 2016 when it was discovered.

This time the Trickbot trojan has made it through Proofpoint’s gateway using a Google Docs link. Researchers revealed that the Google Docs online word processor is being used by attackers to disseminate TrickBot banking Trojan payloads to unsuspecting victims via executables camouflaged as PDF documents. The phishing messages delivered via this malspam campaign use legitimate messages generated by sharing a Google Docs document with the targets, containing a fake 404 error message and a link to the malicious payloads.

Working Mechanism
According to researchers from Cofense, threat actors behind the phishing campaign delivered the Trickbot embedded in a Google Docs link. Since Google Docs is a trusted and legitimate application, it simplified the job of threat actors to bypass the email gateway and lure users to click the link. To arise curiosity among the recipients, the email goes with a message which says, “Have you already received documentation I’ve directed you recently? I am sending them over again.”

Once the victims click on the link, they are redirected to a genuine Google Docs page which contains a fake 404 error message and another embedded link. The recipients are then tricked into downloading the document manually via the link which actually downloads the malicious payload. This malicious payload is downloaded in the form of a PDF file on victims’ computers.

“Once the URL links to a file hosted on Google drive, it downloads a Review_Rep.19.PDF.exe which has been disguised as PDF file. Many recipients will not see the .exe file extension. It’s something that you need to specifically enable in Windows. So, to them it looks like a legitimate PDF file since the attacker uses the icon for a PDF,” added the researchers.

Once the payload is executed it creates a copy of itself in C:\ProgramData, where it undertakes control over the execution of the malware. Furthermore, it creates another copy in “C:\Users\REM\AppData\Roaming\speedLan” which also includes the config file for Trickbot.

The trojan also sets a task that starts the malicious file from the ‘Speedlan’ folder. By looking at the Triggers tab, researchers note that ‘it has been set to repeat itself every 11 minutes for 596843 minutes for this particular version of Trickbot.’


Please enter your comment!
Please enter your name here

12 + = 16