TrickBot malware is using a Windows Task named “service update” in an attempt to evade detection and maintain persistence on infected endpoints. The refinement is part of a new wave of phishing emails that distribute the botnet Trojan, a threat which shares many characteristics with Dyre.

These emails all come with PDF documents containing an embedded Word document. Other malware families like Jaff ransomware and Dridex have leveraged this technique in response to users’ growing awareness of malspam campaigns pushing out Microsoft Office documents with malicious macros. While it does also push out Word attachments with macro scripting, TrickBot’s newest campaign seeks to trick recipients with a distribution method about which many users are still unaware.

Each attack email also comes with no message content or subject line. Researchers have seen this tactic before in other attack operations like Blank Slate. Bad actors do not provide any content in the hope that curiosity will move recipients to open the email attachment.
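The two observable traits described above, the scheduled task name and the blank email carrying a PDF, can be turned into simple triage rules. The following is an added example, not code from CERT-MU or any TrickBot analysis; the log record format and the sample records are constructed for illustration and would need to be adapted to a real SIEM export.

```python
import re
from typing import Iterable, List, Tuple

# Task name the bulletin reports TrickBot registering for persistence.
# Compared case-insensitively against the last component of the task path.
WATCHED_TASK_NAMES = {"service update"}

# Constructed sample records modelled on Windows Security event 4698
# ("A scheduled task was created"), one record per line; not real telemetry.
SAMPLE_TASK_EVENTS = [
    r"EventID=4698 User=alice TaskName=\Microsoft\Windows\Defrag\ScheduledDefrag",
    r"EventID=4698 User=bob TaskName=\service update",
    r"EventID=4698 User=bob TaskName=\Service Update",
    r"EventID=4702 User=carol TaskName=\service update",  # task updated, not created
]

def task_basename(task_path: str) -> str:
    """Return the final component of a scheduled-task path such as \\A\\B\\name."""
    return task_path.strip().split("\\")[-1]

def flag_watched_tasks(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (user, task name) for every task-creation (4698) record whose task
    name is on the watch list. Other event IDs are ignored."""
    hits = []
    for line in lines:
        if "EventID=4698" not in line:
            continue
        m_user = re.search(r"User=(\S+)", line)
        m_task = re.search(r"TaskName=(.+)$", line)
        if not (m_user and m_task):
            continue
        name = task_basename(m_task.group(1))
        if name.lower() in WATCHED_TASK_NAMES:
            hits.append((m_user.group(1), name))
    return hits

def is_blank_pdf_lure(subject: str, body: str, attachments: Iterable[str]) -> bool:
    """True when a message has neither subject nor body text and carries a PDF
    attachment, the 'blank' lure shape described above. This is a coarse
    mail-gateway triage rule, not a verdict on its own."""
    blank = not subject.strip() and not body.strip()
    has_pdf = any(name.lower().endswith(".pdf") for name in attachments)
    return blank and has_pdf

if __name__ == "__main__":
    print(flag_watched_tasks(SAMPLE_TASK_EVENTS))
    print(is_blank_pdf_lure("", "", ["invoice.pdf"]))
```

Matching only on the task name will miss a renamed task, so in practice pair this with checks on the task's action (the binary it launches) and on who created it.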
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board