The Google Docs online word processor is being used by attackers to disseminate TrickBot banking Trojan payloads to unsuspecting victims via executables camouflaged as PDF documents.

The phishing messages delivered via this malspam campaign use legitimate messages generated by sharing a Google Docs document with the targets, containing a fake 404 error message and a link to the malicious payloads.

By using legitimate Google Docs document sharing emails and landing pages, the attackers successfully bypassed a secure email gateway designed to monitor emails and block such attacks in their tracks, as Cofense's research team discovered.

To redirect the targets to the Google Docs landing page, the attackers have added an "Open in Docs" button within the phishing email. Once on the landing page, the targets see the fake 404 error and are asked to download the document manually.

Phishing email sample

Read more below:
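
A triage check for the lure described above, as an added example that is not part of the original post or of Cofense's research: it flags a download that presents as a PDF but would run as a Windows program. The file names, the extension list and the header bytes are constructed for illustration, since the post does not say how the payload was disguised.

```python
import os

# Extensions Windows runs on double-click (assumed list, not taken from the post).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
RTLO = "\u202e"  # right-to-left override: makes "...fdp.exe" display as "...exe.pdf"


def sniff(header: bytes) -> str:
    """Classify content by its leading bytes rather than by its name."""
    if header.startswith(b"MZ"):      # DOS/PE executable signature
        return "pe"
    if b"%PDF-" in header[:1024]:     # PDF marker sits near the start of the file
        return "pdf"
    return "other"


def pdf_masquerade(name: str, header: bytes) -> list:
    """Return the reasons a file looks like a PDF to the user but is executable."""
    reasons = []
    # Windows drops trailing dots and spaces, so normalise before splitting.
    stem, ext = os.path.splitext(name.lower().rstrip(" ."))
    if ext in EXEC_EXTS and ".pdf" in stem:
        reasons.append("double-extension")
    if RTLO in name:
        reasons.append("rtlo-in-name")
    if ext == ".pdf" and sniff(header) == "pe":
        reasons.append("pe-content-named-pdf")
    return reasons


# Constructed samples: (file name as downloaded, first bytes of the file).
SAMPLES = [
    ("statement.pdf", b"%PDF-1.7\n"),
    ("statement.pdf.exe", b"MZ\x90\x00"),
    ("statement.pdf", b"MZ\x90\x00"),
    ("setup.exe", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, header in SAMPLES:
        print(f"{name!r:24} {sniff(header):6} {pdf_masquerade(name, header)}")
```

Because the sharing email and landing page are genuine Google Docs artifacts, a check like this belongs at the download or endpoint stage rather than at the mail gateway.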