Hackers Hijack Windows 10 RDP ActiveX Control To Download TrickBot Malware

We fully realize we are preaching to the choir, but never open up unsolicited and/or unexpected email attachments. Remind your friends and remind your family members. Lest anyone need a reminder of why this is a bad idea, security researchers are warning of a group of attackers who have been phishing for victims as part of a TrickBot malware campaign.

The attackers embed the Windows 10 Remote Desktop (RDP) ActiveX control in Word documents and abuse it as a trigger for the next stage of the infection. Once the document's macro initialises the control on a Windows 10 PC, the control kicks off a malware downloader called Ostap, which TrickBot recently adopted for delivering its payloads. Because the control ships with Windows 10, the lure is tied to victims running that OS. And it all starts with phishing.

Malicious actors send out emails masquerading as notifications of a missing payment. The emails direct victims to view a fake invoice attachment, which in actuality is a booby-trapped Word document.

"The downloader is delivered as a Microsoft Word 2007 macro-enabled document (.DOCM) that contains the two components of the downloader: a VBA macro and the JScript. The emails and samples analyzed were themed as purchase orders, suggesting that the campaigns were likely intended to target businesses rather than individuals," researchers at Bromium explain.

(Image: the malicious Word document. Source: Bromium)

An analysis of the campaign found that the JScript component of the downloader (Ostap itself) is stored in the body of the Word document as white text on a white page. That is why it goes unnoticed at first glance: the document looks like a plain invoice, and the script never has to appear inside the VBA project, because the macro can simply read it back out of the document body at runtime.
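A quick way to surface this trick during triage is to unzip the document (a .docm is an Office Open XML zip), walk the runs in word/document.xml, and pull out any run whose colour is white or that is flagged as hidden, then check whether the document also carries a VBA project. The script below is an added example for this article, not code from the original page or from Bromium; it uses only the Python standard library, constructs its own sample document in memory (the invoice text and JScript stub are invented for the demonstration), and its "suspicious" verdict is a triage heuristic rather than a detection signature.

```python
"""Triage a .docm/.docx for white-text or hidden runs carrying script.

Added example, not the article's or Bromium's code. Standard library only;
the sample document is constructed in memory so the script runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS  # ElementTree's Clark-notation prefix for the w: namespace

# Strings commonly seen in JScript/Windows Script Host droppers.
# Heuristic indicators only, not a signature.
SCRIPT_MARKERS = (
    "ActiveXObject",
    "WScript.Shell",
    "Scripting.FileSystemObject",
    "eval(",
    "function ",
)


def hidden_runs(document_xml: bytes) -> list:
    """Return the text of every run coloured white (FFFFFF) or marked w:vanish."""
    root = ET.fromstring(document_xml)
    found = []
    for run in root.iter(W + "r"):
        rpr = run.find(W + "rPr")
        if rpr is None:
            continue
        color = rpr.find(W + "color")
        white = color is not None and color.get(W + "val", "").upper() == "FFFFFF"
        vanished = rpr.find(W + "vanish") is not None
        if white or vanished:
            text = "".join(t.text or "" for t in run.iter(W + "t"))
            if text.strip():
                found.append(text)
    return found


def triage(doc_bytes: bytes) -> dict:
    """Summarise macro presence and hidden-text script indicators for one document."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        names = set(z.namelist())
        body = z.read("word/document.xml") if "word/document.xml" in names else b""
    hidden = hidden_runs(body) if body else []
    joined = "\n".join(hidden)
    markers = sorted({m for m in SCRIPT_MARKERS if m in joined})
    has_macros = "word/vbaProject.bin" in names
    return {
        "has_macros": has_macros,
        "hidden_text_runs": len(hidden),
        "hidden_text_chars": len(joined),
        "script_markers": markers,
        # Hidden script plus a VBA project is the combination worth a closer look.
        "suspicious": has_macros and bool(markers),
    }


def build_sample_docm(include_hidden_script: bool = True) -> bytes:
    """Constructed sample: a visible invoice line, optionally a white-text
    JScript stub, and a placeholder vbaProject.bin (only its presence matters here)."""
    hidden_para = (
        '<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr>'
        '<w:t xml:space="preserve">var sh = new ActiveXObject("WScript.Shell"); eval(payload);</w:t>'
        "</w:r></w:p>"
        if include_hidden_script
        else ""
    )
    doc = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body>'
        "<w:p><w:r><w:t>Invoice 4471 - payment overdue</w:t></w:r></w:p>"
        "%s</w:body></w:document>" % (W_NS, hidden_para)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # placeholder, not a real VBA project
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("hidden script" if flag else "clean body", "->", triage(build_sample_docm(flag)))
```

On a real sample, swap `build_sample_docm()` for the bytes of the attachment; an empty hidden-run list with a VBA project present still warrants opening the VBA with a proper tool, since this only catches the white-text staging trick the article describes.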

Part of the malicious macro runs when the document is first opened (Word's Document_Open event); the rest runs only when the document is closed (Document_Close). That split is aimed at behavioural analysis in sandboxes, which typically open a sample, observe it for a fixed interval and discard it without ever closing the document, so the stage that actually fetches the payload never executes while anyone is watching.

"Interestingly, Ostap includes a fake Windows Script Host runtime error that occurs shortly after the script is run. It's likely that the fake error was included to discourage manual examination of the downloader," Bromium researchers explain.

It's tricky business. An up-to-date OS will not stop this on its own, because the chain abuses legitimate Windows components (an ActiveX control, VBA macros and Windows Script Host) rather than an unpatched vulnerability. Not opening unexpected attachments, and leaving macros disabled for documents that arrive from the internet instead of clicking "Enable Content", almost always will.
