Trickbot Bypasses Email Content Filters with Google Docs URL Redirection

The NJCCIC has observed payment voucher-themed emails sent to State employees containing Google Docs URLs (hxxps://docs[.]google[.]com) that could bypass email content filters. The URLs delivered with these emails include a link to a zip file containing a Microsoft Word document. If the user enables macros in the Microsoft Word document, it will download and install the Trickbot banking trojan, which can download additional modules and deploy new capabilities. Threat actors utilize the Google Docs URLs because it is a known and authentic site, helping to create an image of legitimacy to email content filters and the unsuspecting target. Trend Micro recently discovered a similar variant of Trickbot utilizing redirection URLs. The NJCCIC strongly encourages educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails, including those from known senders. If a Trickbot infection is strongly suspected but your anti-virus/anti-malware solution cannot detect or remove it, consider reimaging the affected system’s hard drive. Also, proactively monitor and change passwords to any financial, personal, and business accounts, as well as administrative and domain controller accounts accessed on infected systems, and enable multi-factor authentication where available.