New phishing campaign against Subway UK customers distributes TrickBot malware – E Hacking News
Subway UK has disclosed that its email marketing system was compromised. The attacker used that system to send customers phishing emails carrying the TrickBot malware.
The threat actor obtained Subway UK customers' personal information, namely first names and email addresses, by compromising a Subcard server. The campaign came to light when BleepingComputer observed a large phishing campaign targeting U.K. citizens with emails posing as order confirmations from Subway UK.
According to the researchers, the threat actor distributed malicious Excel documents that install an updated version of the TrickBot malware on the victim's system. Per the analysis, the downloaded TrickBot payload is a DLL that is injected directly from memory into the legitimate Windows Problem Reporting executable (wermgr.exe). Running inside a signed Windows binary helps the malware evade security software, and in Task Manager it appears as an ordinary system task.
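The injection described above (Office document, then a loader, then a DLL injected into wermgr.exe) leaves a recognisable trail in endpoint telemetry. The following is an added example, not code from the article or from any vendor; it runs detection logic over constructed Sysmon-style events. It assumes two things the article does not state: that legitimate wermgr.exe lives under System32/SysWOW64 and is normally started by svchost.exe, and that Office applications should not spawn script hosts or DLL loaders such as rundll32.exe. The sample events are made up for the demonstration.

```python
# Added example: detection logic for the TrickBot-style behaviour described
# in the article. Not the article's code and not a vendor signature.
# Assumptions (not from the page): legitimate wermgr.exe runs from
# System32/SysWOW64 and is started by svchost.exe; Office applications
# should never spawn script hosts or DLL loaders.
from typing import Dict, List, Tuple

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOADERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
EXPECTED_WERMGR_PARENTS = {"svchost.exe"}      # assumption, tune per estate
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def check_event(ev: Dict[str, object]) -> List[str]:
    """Return findings for one Sysmon-style event (empty when benign)."""
    findings: List[str] = []
    eid = ev.get("EventID")
    if eid == 1:                                # Sysmon: process creation
        image, parent = _name(str(ev["Image"])), _name(str(ev["ParentImage"]))
        if parent in OFFICE_APPS and image in LOADERS:
            findings.append(f"{parent} spawned loader {image}: "
                            f"{ev.get('CommandLine', '')}")
        if image == "wermgr.exe":
            if not _in_system_dir(str(ev["Image"])):
                findings.append(f"wermgr.exe running from non-system path "
                                f"{ev['Image']}")
            if parent not in EXPECTED_WERMGR_PARENTS:
                findings.append(f"wermgr.exe started by unexpected parent "
                                f"{parent}")
    elif eid == 8:                              # Sysmon: CreateRemoteThread
        source, target = _name(str(ev["SourceImage"])), _name(str(ev["TargetImage"]))
        # Legitimate remote threads into wermgr.exe are rare (assumption), so
        # every one is flagged; add an allowlist here if your estate needs it.
        if target == "wermgr.exe":
            findings.append(f"remote thread created in wermgr.exe by {source}")
    return findings


def scan(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Run every event through check_event; returns (event index, finding)."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        for f in check_event(ev):
            hits.append((i, f))
    return hits


# Constructed sample telemetry (not real logs): a benign WER launch, an
# Excel -> rundll32 chain, wermgr.exe started by that rundll32, and a
# remote thread from rundll32 into wermgr.exe.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wermgr.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Windows\System32\wermgr.exe" -upload'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\inv.dll,DllRegisterServer"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wermgr.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\wermgr.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\wermgr.exe"},
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

The first event produces no finding; the other three each produce one, which is the shape of the chain the researchers describe: an Office process launching a loader, the loader starting wermgr.exe, and a thread being created in it from outside. In practice the parent allowlist for wermgr.exe and the loader list are the knobs to tune against your own baseline.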
What is TrickBot?
TrickBot is a banking trojan that targets Microsoft Windows systems to steal sensitive information and acts as a dropper for other malware. It is typically distributed by email, either through a direct link that downloads the malware from a malicious website or through an attachment the recipient is tricked into opening.
The day before this report, Subway UK customers began receiving bogus "Subcard" emails from Subway about orders they had supposedly placed. The emails contained links to documents that appeared to be order confirmations.
In a recent development, TrickBot has expanded its arsenal with TrickBoot, a module that inspects the victim machine's UEFI/BIOS firmware for weak write protections.
In November, the TrickBot operators had added another tool, named "LightBot", a reconnaissance script that profiles the victim's network to identify high-value targets.
Subway said in a statement to BleepingComputer, “Having investigated the matter, we have no evidence that guest accounts have been hacked. However, the system which manages our email campaigns has been compromised, leading to a phishing campaign that involved first name and email. The system does not hold any bank or credit card details.”
“Crisis protocol was initiated and compromised systems locked down. The safety of our guests and their personal data is our overriding priority and we apologise for any inconvenience this may have caused.”