"In the most recent campaign we observed across our global Menlo Security cloud platform, we noticed the attackers used an interesting lure to get users to click and install the Trickbot malware on the endpoint. This ongoing campaign that we identified exclusively targeted legal and insurance verticals in North America," the security outfit said.
According to Menlo Labs, the Trickbot operators are sending out emails carrying malicious hyperlinks. Whereas the botnet previously relied on "weaponized documents" (malicious attachments), its re-emergence now centers on tricking users into clicking a link that redirects them to a compromised server, where they are encouraged to download the malicious payload. The practical implication for defenders is that attachment-focused controls alone no longer cover this campaign; URL inspection at the mail gateway and on the endpoint matters as much.
"Where there's a will, there's a way. That proverb certainly holds true for the bad actors behind Trickbot's operations. While Microsoft and its partners' actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment," Menlo Labs says.
As for the payload itself, the downloaded file is heavily obfuscated JavaScript. Menlo Labs says it is still analyzing it and intends to publish further details comparing it with the payloads Trickbot delivered before last year's takedown efforts.