TrickBot - a new spam attack on the company

On November 2, we witnessed a new spam campaign, in which emails with an attached Word document were sent to companies from the UK. Each email message had the topic “Companies House - new company complaint”, and the attached Word document was titled “Complaint.doc”. When users opened this file, this is what they saw:

How does TrickBot work?

If the user follows the suggested instructions, the macro from this document will be executed. It downloads a file called dododocdoc.exe, which will be saved in the% temp% folder as sweezy.exe, and then executed. This file is a variant of the TrickBot malware family. After starting it will install itself on the computer and inject the dll into the svchost.exe system process. From there it will connect to the C & C server.
')
This campaign was not large-scale in a global sense, but it was aimed only at companies from the UK. Hundreds of Panda Security customers received such emails, but they were all proactively protected, and therefore they did not have to take any additional actions. However, the clear selectiveness of this campaign is noteworthy, because home users were not considered as potential victims, and corporate users were overwhelmingly represented by companies from the UK, although there were 7 cases in Spain, one each in Belgium, Ireland and Thailand. This campaign was short and ran from 10:55 am to 12:11 pm (GMT).

The macro uses PowerShell to execute a malicious program, which has become commonplace since This technique has become increasingly popular lately, being used to carry out attacks by coders or even to infect PoS terminals .