Google Docs Being Used to Attack Users With TrickBot Banking Trojan
Watch Your Google Docs: Program Being Used to Disseminate TrickBot Malware
Beware of any Google Doc emails you receive. Cyber attackers are using the word processing program for a phishing scam that disseminates TrickBot malware.
Take extra caution if you receive a Google Docs document sharing email in the near future — it may be a phishing email.
Cofense, a computer and network security company that specializes in phishing scams and data protection, has recently revealed a new cyberattack, which uses Google Docs as its “Trojan horse.”
The scam plays out like this:
1. A user receives a Google Docs document sharing email. The document looks legitimate, and indeed, it is legitimate. Google Docs generates such emails when one user wants to share a Google Docs file with another user.
The text in the email states:
“Have you already received documentation I’ve directed you recently? I am sending them over again.”
2. The email also receives a new button (added by the attackers), which says “Open in Docs.” This button, when clicked on, redirects the user to a new Google Docs landing page.
3. Once the user has arrived on the landing page, they’ll see an error message. This message is fake and says “404 error.”
The idea is to get the user to believe that there was an initial error with the document download and to have them click on a malicious download link — one created by the attackers.
4. The user will click on this link, which is actually the payload of the malware. It’s the malicious software, which will corrupt the computer once downloaded.
The download link appears to be legitimate. In fact, it looks like a PDF document and even has an extension of “.pdf” like a legitimate file. The attackers engineered this extension by taking advantage of the fact that known file type extensions are hidden in Windows (as a default measure). Furthermore, they use a PDF icon as the malware program’s icon, even though the program is not a PDF at all.
5. Once the file has been clicked on and downloaded, the malicious software will begin doing its dirty work on the target’s computer. In this case, the malware is called TrickBot, and it’s an extremely popular and dangerous banking Trojan.
As soon as its executed, TrickBot gets to work and continues being highly active at corrupting its host device. It will begin to copy itself repeatedly onto the device — once every 11 minutes for 414 days. If allowed to run, it will also begin launching an increasing number of Svchost processes.
What Is TrickBot?
TrickBot is a type of malicious software and also goes by the name of TheTrick, TrickLoader, and Trickster.
Discovered in October of 2016, TrickBot is ever-evolving. It has been updated and upgraded continually over the past several years and continues to be a menace used in phishing scams.
TrickBot was originally a type of banking Trojan, and it still is, but it now also has the ability to drop additional malware wherever it lands. As a type of banking Trojan, the main goal of TrickBot has been to obtain sensitive financial information from host devices.
Basically, anything sensitive would be sucked up by TrickBot and delivered back to the source who disseminated it. When TrickBot is on your devices, it can obtain things such as login information for the financial institutions you visit online and drop additional malware such as the equally popular Emotet.
TrickBot can even drop ransomware onto a device. If this occurs, sensitive data and system access may be locked up and/or blocked off. A message will be sent to the device user that their data and/or system access is being held for ransom. Unless the user pays a large sum of money, their data will be lost forever.
How Can You Avoid Falling Victim to This Google Docs Phishing Scam and Others?
Phishing scams remain the chief way that cyber attackers corrupt files, filch information, and steal finances. A phishing scam almost always comes in the form of an email (although such scams can also be operated over the phone).
The goal of a phishing email is to first get the recipient to believe it is legitimate. Therefore, it will be appear to be from a source such as Google Docs, a bank, the IRS, or even a co-worker. The next step is to get the recipient to click on a link, download an attachment, or take another such action, which will inevitably lead to the launch of malicious software.
The best way to protect yourself and your company from phishing scams is to have the appropriate security software and hardware measures in place. Additionally, all employees must be continually educated on how to avoid falling victim to a phishing scam and on trending phishing attacks.