Bleeping Computer has published their findings regarding a fake Office 365 site that offers the TrickBot Trojan disguised as browser updates. TrickBot is a password-stealing Trojan, and the site provides links to what are supposedly Chrome and Firefox updates but which really serve up this malware package. The fake browser update links are presented to the user in the form of a pop-up stating that the browser requires an update.
Instead of the expected browser update, the link serves up an executable called “upd365_58v01.exe”. This installer then downloads and executes a copy of TrickBot. Once installed, TrickBot injects itself into a svchost.exe process to hide its presence should the user open Task Manager. It then connects to its command and control (C2) server to retrieve additional modules.
One such module, systeminfo64, retrieves information about the infected system and uploads it to the command and control server. Another module, pwgrab64, retrieves and uploads login credentials, browsing history, and form autofill information.
The following image shows a VirusTotal scan of the URL.
Indicators of Compromise