Author: Nathan Toporek
On 25 April, Infoblox observed a phishing campaign that used a DocuSign lure and a malicious file attachment to infect victims with the Trickbot banking trojan. Although Microsoft and other organizations disrupted the Trickbot botnet in October 2020,[1] multiple sources have seen activity from the botnet since then.[2]
We have published several reports on Trickbot, including a Malicious Activity Report (MAR)[3] and Cyber Campaign Briefs (CCBs).[4,5]
Trickbot was first discovered in 2016 and has since grown in popularity.[6,7,8] Trickbot infects victims, steals sensitive financial information and exfiltrates it to its command and control (C&C) server. It can also move laterally within a network by brute-forcing Remote Desktop Protocol (RDP) credentials.
Threat actors favor Trickbot due to its modular nature, which facilitates customization and provides attackers the capability to drop additional malware on infected systems.
In this campaign, threat actors sent emails with a subject line of “Please Docusign.” and a malicious Microsoft Excel Spreadsheet file attachment. Messages prompted the victim to open the file attachment to start the signing process.
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.