New Trickbot Delivery Method Focuses on Windows 10
Researchers discover attackers abusing the latest version of the remote desktop ActiveX control class introduced for Windows 10.
Researchers have identified the use of Windows 10 functionality to automatically execute the OSTAP JavaScript downloader on victim machines. In their investigation, they found other attack groups abusing the same control, and earlier controls, with a slightly different technique.
The functionality being exploited is the latest version of the remote desktop ActiveX control class introduced for Windows 10, Morphisec Labs analysts explain in a blog post. Over the past few weeks, they have identified "a couple dozen documents" that execute the OSTAP JavaScript downloader.
Attackers use the ActiveX control to automatically execute a malicious macro after a victim enables a document. Most documents held an image to convince people to enable the content. Doing this executed the malicious macro; however, the image also concealed an ActiveX control below it. The OSTAP downloader is hidden in white text so it's invisible to people but can be read by machines. Researchers report this technique will work only on Windows 10 devices.
"As newer features are introduced to a constantly updating OS, so too the detection vendors need to update their techniques to protect the system," according to the blog post. "This often creates very exhaustive and time-consuming work, which in turn can lead to the opposite effect of pushing defenders even farther behind the attacker." Trickbot attackers are taking advantage of this.
Read more details here.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "How to Prevent an AWS Cloud Bucket Data Leak."
About the Author
You May Also Like