Latest Trickbot Campaign Delivered via Highly Obfuscated JS File

We have been tracking Trickbot banking trojan activity and recently discovered a variant of the malware (detected by Trend Micro as TrojanSpy.Win32.TRICKBOT.TIGOCDC) from distributed spam emails that contain a Microsoft Word document with enabled macro. Once the document is clicked, it drops a heavily obfuscated JS file (JavaScript) that downloads Trickbot as its payload. This malware also checks for the number of running processes in the affected machine; if it detects that it’s in an environment with limited processes, the malware will not proceed with its routine as it assumes that it is running in a virtual environment.

Aside from its information theft capabilities, it also deletes files located in removable and network drives that have particular extensions, after which the files are replaced with a copy of the malware. Based on our telemetry, this Trickbot campaign has affected the United States the most. It has also distributed spam to China, Canada, and India.

Read more…
Source: Trend Micro