Microsoft users have been warned about a new malware attack that is designed to exploit Office 365 through a TrickBot password-stealing Trojan. Bad actors are attempting to infect devices with malicious content via a fake Office 365 page designed to look like an official Microsoft portal.
MalwareHunterTeam spotted the attack. The researchers say the fake webpage will look like a legitimate Office 365 page to users. In fact, the attackers have included details such as links that do point to official Microsoft domains.
When a user clicks one of these links, a pop-up windows appears that has been designed for different browsers. It issues a fake browser update alert, recommending users download the update. It seems Google Chrome and Mozilla Firefox are the targets.
“You are using an older version of the browser Chrome,” the message reads. Again, legitimacy is the key to confusing users. The attackers have labelled the pop-up “Chrome Update Center” or “Firefox Update Center”. Unwitting users would assume these are the genuine update services for those browsers.
https://get-office365[.]live/ -> https://get-office365[.]live/files/upd365_58v01.exe (fd97342e1968aed9d8f50468d3b7b7868981d9d360b2f049b6706e72d8184e3f – TrickBot looks)
Sectigo cert for the domain, DigiCert cert for payload (see thread: https://t.co/4bfybAGQaO)…
cc @VK_Intel pic.twitter.com/moxdgx9Vdp— MalwareHunterTeam (@malwrhunterteam) July 17, 2019
Attack
If the user opts to download the fake update, they will unknowingly receive a TrickBot Trojan that is designed to find stored passwords on a machine. It can also track and record autofill data on browsers, as well as monitor browsing history.
Furthermore, the Trojan can generate a list of programs installed on the device, including Windows programs. Information acquired by the Trojan is sent to a server. In most cases the malware will act undetected by installing to the Windows svchost.exe.
It is worth noting that anti-virus software should be able to find, stop, and delete this attack. Users are recommended to update their anti-virus software to newest build. If a device is already infected, the anti-virus software should be able to find the Trojan and handle it. This includes Microsoft’s own Windows Defender tool.
