Fake Office 365 site that offers the TrickBot Trojan

Bleeping Computer has published its findings on a fake Office 365 site that pushes the TrickBot Trojan disguised as a browser update. TrickBot is a password-stealing Trojan; the site presents links to supposed Chrome and Firefox updates that actually deliver this malware package. The fake update links are shown to the visitor in a pop-up stating that their browser requires an update.

Instead of the expected browser update, the link serves up an executable called “upd365_58v01.exe”. This installer downloads and executes a copy of TrickBot. Once installed, TrickBot injects itself into a svchost.exe process to hide its presence should the user open Task Manager. It then connects to its command-and-control server to retrieve additional modules.

One such module, systeminfo64, collects information about the infected system and uploads it to the command-and-control server. Another module, pwgrab64, collects and uploads login credentials, browsing history, and form autofill data.

The following image (not reproduced here) shows a VirusTotal scan of the URL.

Further details – https://www.bleepingcomputer.com/news/security/fake-office-365-site-pushes-trickbot-trojan-as-browser-update/

Indicators of Compromise

SHA-256

  • fd97342e1968aed9d8f50468d3b7b7868981d9d360b2f049b6706e72d8184e3f

URL

  • https://get-office365.live/files/upd365_58v01.exe
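The two indicators above can be put to work directly. The following Python script is an added example, not part of the original post or of Bleeping Computer's reporting: it checks file hashes against the SHA-256 indicator and scans web proxy log lines for the download URL or its host. The proxy log lines embedded in the script are constructed samples in a Squid-style access.log layout, not real traffic; the helper and finding names are my own choices.

```python
"""Match the TrickBot fake-Office-365 indicators against local artifacts:
file hashes (the dropper) and web proxy log lines (the download URL)."""
import hashlib
import re
from pathlib import Path
from urllib.parse import urlparse

# Indicators taken from the post: SHA-256 of upd365_58v01.exe and its download URL.
IOC_SHA256 = {"fd97342e1968aed9d8f50468d3b7b7868981d9d360b2f049b6706e72d8184e3f"}
IOC_URLS = {"https://get-office365.live/files/upd365_58v01.exe"}
# Host derived from the IoC URL: any request to it deserves an alert,
# even when the path differs from the one reported.
IOC_DOMAINS = {urlparse(u).hostname for u in IOC_URLS}

# Constructed sample proxy log (not real traffic), Squid-like access.log layout:
# timestamp, duration, client, status, bytes, method, url, ident, peer, mime.
SAMPLE_PROXY_LOG = """\
1556000001.101 212 10.0.0.7 TCP_MISS/200 4311 GET https://www.office.com/ - HIER_DIRECT/203.0.113.1 text/html
1556000002.440 987 10.0.0.7 TCP_MISS/200 5120 GET https://get-office365.live/update.html - HIER_DIRECT/203.0.113.2 text/html
1556000003.873 1533 10.0.0.7 TCP_MISS/200 612352 GET https://get-office365.live/files/upd365_58v01.exe - HIER_DIRECT/203.0.113.2 application/x-msdownload
1556000004.002 101 10.0.0.9 TCP_HIT/200 2210 GET https://www.mozilla.org/en-US/firefox/ - HIER_NONE/- text/html
"""

URL_RE = re.compile(r"\bhttps?://\S+")


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def hash_matches_ioc(digest: str) -> bool:
    """True when a SHA-256 hex digest equals a known indicator (case-insensitive)."""
    return digest.strip().lower() in IOC_SHA256


def scan_directory(root) -> list:
    """Return the paths under root whose content hashes to an indicator."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and hash_matches_ioc(sha256_of(path.read_bytes())):
            hits.append(path)
    return hits


def scan_proxy_log(text: str) -> list:
    """One finding per log line whose URL matches an IoC URL or IoC host.

    An exact URL match is reported as 'ioc_url'; any other request to an
    IoC host is reported as 'ioc_domain' so the landing page is caught too.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group(0)
        host = urlparse(url).hostname
        if url in IOC_URLS:
            findings.append({"line": lineno, "url": url, "reason": "ioc_url"})
        elif host in IOC_DOMAINS:
            findings.append({"line": lineno, "url": url, "reason": "ioc_domain"})
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
```

Run as-is it reports lines 2 and 3 of the constructed log: the landing page on the fake site by host match and the dropper download by exact URL match. Point `scan_directory` at a download folder to sweep for the dropper by hash; in practice the hash list would be fed from threat-intel data rather than hard-coded.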

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
