Tag: Trickbot

Looking through the email filters yesterday, I saw numerous emails from the sender “secure@hsbcdocuments.com” with the subject of “We need to confirm your details.” The email was a well laid out phish with a malicious Word document attached. This Word document led to a Trickbot banking malware infection via the use of a malicious macro instead of the use of the DDE attack vector. Initially when I was looking into these emails yesterday I was not seeing anything online about them. As part of my daily morning reading, I went to ‎@dvk01uk‘s site this morning and saw that it was…

Continue reading

For today’s post, I will be looking at a malicious Word document that we got spoofing NatWest which led to Trickbot malware being installed on the system. After I found this sample, I started to see posts on Tweeter from people like @dvk01uk and @VK_Intel posting about Trickbot. For this initial investigation there are three PCAPs since I initially did not see much going on after the initial infection, and then after a couple of minutes I started to see more traffic and fired up Wireshark again to see what I could capture. The last one is from when I…

Continue reading