TrickBot Adds ActiveX Control, Hides Dropper in Images
2020-03-02 17:14

The TrickBot banking trojan has gotten trickier, with the addition of a Windows 10 ActiveX control to execute malicious macros in booby-trapped documents.

This creates and executes the OSTAP JavaScript downloader, which acts as a dropper for the TrickBot payload, without further user interaction once the user clicks the "Enable macros" button.

According to the researcher, the ActiveX control uses the "MsRdpClient10NotSafeForScripting" class, which is used for remote control.

In 2019, various versions of TrickBot steadily added new tricks to the trojan's arsenal, including a feature that goes after remote desktop credentials and an update to its password grabber to target data from OpenSSH and OpenVPN applications.

Researchers last year also found evidence that the crimeware organization behind TrickBot forged an unprecedented union with North Korean APT group Lazarus through an all-in-one attack framework developed by TrickBot called Anchor Project.


News URL

https://threatpost.com/trickbot-activex-control-dropper/153370/