Trickbot Operators Find a Way to Abuse RDP ActiveX Control for Malware Delivery

Delaware, USA – March 2, 2020 – One of the most dangerous malware families has received an updated downloader that abuses an RDP ActiveX control to infect Windows 10 systems. Morphisec Labs researchers discovered multiple documents that execute a JScript downloader to deploy TrickBot on the victim’s system. Adversaries have been using the OSTAP downloader since August 2019; it is a huge JScript file of nearly 35,000 lines of obfuscated code. It is delivered via phishing emails disguised as notifications of a missing payment, with a Word document attached. The document contains malicious macro code and an image that purports to show encrypted content, to convince users they need to click the “Enable Editing” button in the document.

“This time we have identified the use of the latest version of the remote desktop ActiveX control class that was introduced for Windows 10,” the researchers said. “The attackers utilize the ActiveX control for automatic execution of the malicious macro following an enable of the document content.” The macro creates a BAT file which abuses wscript to download and deploy the TrickBot malware. The researchers also identified other groups misusing the same and earlier controls, although with a slightly different technique. Content available on Threat Detection Marketplace to spot traces of such attacks:
WScript or CScript Dropper – https://tdm.socprime.com/tdm/info/YieQFa5ItRZR/
Execution wscript.exe – https://tdm.socprime.com/tdm/info/P3MJIDSwNJsT/
TrickBot behaviour (Privilege escalation attack) – https://tdm.socprime.com/tdm/info/hnFSkaXV5vHs/
TrickBot Malware Detector (Sysmon Behavior) (July 2019) – https://tdm.socprime.com/tdm/info/s06qUuUPHuOY/
Trickbot Malware (YARA rule) – https://tdm.socprime.com/tdm/info/QNIEMQiE0ZwF/
Trickbot Execution – https://tdm.socprime.com/tdm/info/DGNlrOOiuHe1/
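The delivery chain described above (Word document, macro, BAT file, wscript.exe running the JScript downloader) is a process-tree pattern, so it can be checked against endpoint telemetry without a signature for the 35,000-line script itself. The following Python is an added example; it is not code from the original article, from Morphisec Labs, or from the Threat Detection Marketplace rules listed above. It runs two simple rules over constructed Sysmon Event ID 1-style records: the field names (ProcessId, ParentProcessId, Image, ParentImage, CommandLine) mirror Sysmon's, while the sample events, file names and paths are made up for the example.

```python
"""Process-tree detection for the Office -> BAT -> wscript.exe chain.

Added example. Records mimic Sysmon Event ID 1 (process creation) fields;
the sample events below are constructed for illustration, not captured telemetry.
"""
import ntpath
import re
from typing import Any, Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
# Locations a macro can write to without elevation; system-owned paths are excluded.
USER_WRITABLE = re.compile(
    r"(\\AppData\\|\\Temp\\|\\Downloads\\|\\Users\\Public\\|\\ProgramData\\)",
    re.IGNORECASE,
)

Event = Dict[str, Any]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS via ntpath)."""
    return ntpath.basename(path).lower()


def ancestors(event: Event, by_pid: Dict[int, Event], max_depth: int = 16) -> List[Event]:
    """Walk ParentProcessId links upward; stop at the root, on a loop, or after max_depth hops.
    Real telemetry should key this on ProcessGuid, because PIDs are reused."""
    chain: List[Event] = []
    seen = set()
    current = by_pid.get(event["ParentProcessId"])
    while current is not None and len(chain) < max_depth:
        if current["ProcessId"] in seen:
            break
        seen.add(current["ProcessId"])
        chain.append(current)
        current = by_pid.get(current["ParentProcessId"])
    return chain


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (ProcessId, reason) for each event matching one of the two stages."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits: List[Tuple[int, str]] = []
    for e in events:
        image = basename(e["Image"])
        parent = basename(e["ParentImage"])
        cmdline = str(e["CommandLine"])
        # Stage 1: the macro drops a .bat and launches it through cmd.exe.
        if image == "cmd.exe" and parent in OFFICE_APPS and ".bat" in cmdline.lower():
            hits.append((e["ProcessId"], "Office process launched cmd.exe with a .bat file"))
        # Stage 2: the .bat hands a script in a user-writable path to wscript/cscript,
        # and an Office process is somewhere up the tree.
        if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmdline) and USER_WRITABLE.search(cmdline):
            if any(basename(a["Image"]) in OFFICE_APPS for a in ancestors(e, by_pid)):
                hits.append((e["ProcessId"], "script host ran a user-writable script under an Office process tree"))
    return hits


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
# Constructed sample telemetry (hypothetical user 'alice', file names invented).
SAMPLE_EVENTS: List[Event] = [
    {"ProcessId": 1200, "ParentProcessId": 900, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 4100, "ParentProcessId": 1200, "Image": WORD, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{WORD}" /n "C:\\Users\\alice\\Downloads\\Payment_Notice.doc"'},
    {"ProcessId": 4212, "ParentProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": WORD, "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\nt.bat"'},
    {"ProcessId": 4290, "ParentProcessId": 4212, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\nt.jse"'},
    # Benign: a script from a system path with no Office ancestor.
    {"ProcessId": 5010, "ParentProcessId": 1200, "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli"},
    # Not this chain: user double-clicked a downloaded script; no Office ancestor.
    {"ProcessId": 5400, "ParentProcessId": 1200, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\cleanup.vbs"'},
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

Run against the constructed events, only the cmd.exe (4212) and wscript.exe (4290) processes under WINWORD.EXE are flagged; the slmgr.vbs run and the double-clicked Downloads script are left alone, since the second rule deliberately requires an Office ancestor and leaves plain script-host execution to broader rules such as the WScript or CScript Dropper content above.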