TrickBot Adds ActiveX Control, Hides Dropper in Images


The TrickBot banking trojan has gotten trickier, with the addition of a Windows 10 ActiveX control to execute malicious macros in booby-trapped documents.

Michael Gorelik, researcher at Morphisec Labs, said that at least two dozen documents have come to light in the last few weeks that use ActiveX, a feature in Remote Desktop Protocol (RDP), to automatically trigger malicious macros in documents attached to targeted malspam emails. Once the recipient clicks the "enable macros" button, no further user interaction is needed: the macro creates and executes the OSTAP JavaScript downloader, which acts as a dropper for the TrickBot payload.
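As an added defender-side example (not code from the ThreatPost article or from Morphisec's research), the check below flags an Office Open XML document that carries both a VBA project and embedded ActiveX control parts, the pairing described above, and lists the control CLSIDs for triage. The part paths follow the OOXML package layout; the sample container and its CLSID are constructed inline and stand in for no real document or control.

```python
import io
import re
import zipfile

# Hypothetical check for the document trait described above: an Office Open
# XML container (.docx/.docm) that carries both a VBA project and embedded
# ActiveX control parts. Part paths follow the OOXML package layout.
VBA_PART = "word/vbaProject.bin"
ACTIVEX_DIR = "word/activeX/"
CLSID_RE = re.compile(r'ax:classid="(\{[0-9A-Fa-f-]+\})"')


def inspect_document(data: bytes) -> dict:
    """Report macro and ActiveX parts found in an OOXML document."""
    report = {"vba_project": False, "activex_clsids": [], "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # not OOXML (legacy .doc needs an OLE parser instead)
    with zf:
        names = zf.namelist()
        report["vba_project"] = VBA_PART in names
        for name in names:
            if name.startswith(ACTIVEX_DIR) and name.endswith(".xml"):
                xml = zf.read(name).decode("utf-8", errors="replace")
                report["activex_clsids"] += CLSID_RE.findall(xml)
    # Either part alone is common in legitimate files; the pairing is the signal.
    report["suspicious"] = report["vba_project"] and bool(report["activex_clsids"])
    return report


def build_sample(with_vba: bool, with_activex: bool) -> bytes:
    """Constructed minimal container for testing; not a real malicious document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr(VBA_PART, b"placeholder-vba-project")
        if with_activex:
            # Placeholder CLSID, not any real control's identifier.
            zf.writestr("word/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{00000000-0000-0000-0000-000000000001}"/>')
            zf.writestr("word/activeX/activeX1.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_document(build_sample(True, True)))
```

Run against a mail-gateway quarantine folder, a hit means an analyst should look at which control the CLSID resolves to before the document reaches a user.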

Source: ThreatPost