Phishing Campaign Spreads Trickbot Trojan Through Fake Office 365 Website

A fake Office 365 phishing website is being used by hackers to distribute the Trickbot Trojan.

The website is a convincing mimic of the legitimate Microsoft Office 365 website. The hackers paid careful attention to detail, and even gave it a similar URL – get-office365[.]live – and ensuring that all the URLs embedded on the site point to Microsoft domains.

However, a few seconds after a user lands on the site a popup warning will appear from either the Chrome Update Center or the Firefox Update Center.

The popups warn that the user’s browser is in need of an update to prevent errors, which it lists as incorrect site mapping, loss of stored personal data, and incorrect site mapping. If the user clicks on update, a malicious executable named upd365_58v01.exe will be downloaded, which will install the Trickbot Trojan. Both Firefox and Chrome show similar messages.

Trickbot is likely to be installed undetected. Trickbot inserts itself into a svchost.exe process, so even if the user opens Task Manager, they will not see the malicious process running.

Once installed, Trickbot establishes a connection with its C2 server and begins sending information about the victim’s computer and running services. Trickbot also launches a password stealing module, which will search for all stored passwords on the device and will also exfiltrate the browsing history and autofill form information.

The campaign and malicious website were detected by MalwareHunterTeam and the malicious site is now blocked by most website security solutions.

Any users who installed the ‘update’ should perform security scans of their computer. It is recommended that all users should change passwords to their accounts using another computer until it is confirmed that their own computer has been rid of the virus.