Trickbot Now Passes Through Email Spam Filters via Google URL Redirection

  • Malicious actors are using Google URL redirection to take victims to their Trickbot-downloader site.
  • The message lures recipients by presenting an order that has supposedly been shipped.
  • The Trickbot being propagated is the same old, powerful banking trojan that can steal information from a wide range of locations.

Trend Micro researchers have discovered a new variant of the Trickbot banking trojan that is now better at passing through spam filters. More specifically, the new variant places a Google redirection URL in the fake email, which in turn leads to the malicious URL in the next step. A Google URL lends the message an image of legitimacy, and when combined with a well-written email, embedded social media icons, and a complete email signature, the end result is quite convincing for the recipient. The message currently used by the actors concerns a supposed order that is ready for shipping, offering links to the tracking number and the payment receipt.

Image: Trickbot email message

People who click on the link are met with Google's redirection notice, but it is easy to miss. The main point of the Google URL is to minimize the chances of the message ending up in the spam folder, and the trick seems to be working. While the user waits three seconds for their order status to load, what actually happens is that they receive a .zip file containing a Trickbot downloader.
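The redirect described above leaves the real destination visible in the link itself, which a mail gateway can check before the user ever sees the notice. The following added example (not Trend Micro's or the campaign's code) unwraps such links and flags the ones worth holding; it assumes the public `https://www.google.com/url?q=<target>` form of the redirect, and all sample links and the `shop.example` sender domain are constructed:

```python
"""Flag email links whose real destination hides behind a Google redirect.

Added example for this article, not Trend Micro's or the campaign's code.
Assumes the public https://www.google.com/url?q=<target> redirect form that
shows Google's "redirection notice"; all sample links below are constructed.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
RISKY_EXTENSIONS = (".zip", ".rar", ".7z", ".js", ".exe")


def unwrap_google_redirect(url: str) -> Optional[str]:
    """Return the destination behind a google.com/url?q= redirect, else None."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if parsed.path != "/url" or not (host == "google.com" or host.endswith(".google.com")):
        return None
    target = parse_qs(parsed.query).get("q")  # parse_qs already percent-decodes
    return target[0] if target else None


def assess_link(url: str, sender_domain: str) -> dict:
    """Record why one link is suspicious: redirect, off-domain target, risky file."""
    final = unwrap_google_redirect(url) or url
    dest = urlparse(final)
    host, sd = dest.netloc.lower(), sender_domain.lower()
    reasons = []
    if final != url:
        reasons.append("google redirect hides the real destination")
    # Exact or subdomain match only, so "evilshop.example" does not pass as "shop.example"
    if host and not (host == sd or host.endswith("." + sd)):
        reasons.append(f"destination {host} does not belong to sender domain {sd}")
    if dest.path.lower().endswith(RISKY_EXTENSIONS):
        reasons.append("destination serves an archive or executable")
    return {"url": url, "destination": final, "suspicious": bool(reasons), "reasons": reasons}


def scan_message(body: str, sender_domain: str) -> list:
    """Return the suspicious links found in an email body, in order of appearance."""
    return [r for r in (assess_link(u, sender_domain) for u in URL_RE.findall(body))
            if r["suspicious"]]


# Constructed lure in the style described: shipping notice with tracking and receipt links.
SAMPLE_BODY = (
    "Your order has shipped. Tracking: "
    "https://www.google.com/url?q=https%3A%2F%2Forder-tracking.example%2Fstatus%2Forder.zip&sa=D "
    "Receipt: https://shop.example/receipt/12345 "
    "Help: https://www.google.com/url?q=https%3A%2F%2Fshop.example%2Fhelp"
)
```

Every redirect is reported, matching the article's advice not to accept redirections at all, but the tracking link also carries two further reasons (off-domain target, archive download) that a gateway rule can weigh more heavily than a redirect to the sender's own site.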

Image: Trickbot landing page

Through module analysis, the researchers determined that the Trickbot used in this URL-redirection campaign is an already known build. That is not to say that Trickbot isn't dangerous or capable of a series of nasty functions. Here are its main capabilities, as supported by Trickbot's individual modules:

  • Steal browser history data and cookies.
  • Inject tracking code into the browser and steal banking information.
  • Search and find email addresses in the local filesystem.
  • Profile POS terminal networks via LDAP.
  • Steal credentials from Outlook, WinSCP, and Filezilla.
  • Gather full system and user information.
  • Move laterally by exploiting MS17-010 and propagate across the compromised network.

What is important about this story is that messages which pass through spam filters should not be trusted on that basis alone. Always check the sender's address and consider whether you were expecting a message from them, read the message carefully and look for grammar errors, and do not accept any redirections whatsoever. If you have downloaded a file from such a message by mistake, never attempt to execute it, as this is where Pandora's box opens.
