Researchers from Cofense recently found that hackers began to use the Google Docs online word processor to spread the TrickBot banking Trojan. In October 2016, the TrickBot banking trojan was first discovered. Currently, TrickBot has become one of the most aggressive and active malware and is being upgraded almost every week.
It is reported that hackers use social engineering techniques to transform formal Google Docs document sharing emails and send them to victims. Once the victim clicks on the shared link in the email, they will be directed to a fake 404 error page. The page shows that the victim has to manually download a PDF file, which is actually the TrickBot Bank Trojan. “Once the URL links to a file hosted on Google drive, it downloads a Review_Rep.19.PDF.exe which has been disguised as PDF file. Many recipients will not see the .exe file extension. It’s something that you need to specifically enable in Windows. So, to them, it looks like a legitimate PDF file since the attacker uses the icon for a PDF.”
In this type of attack, hackers use regular Google Docs documents to share mail and login pages, so TrickBot can bypass related security measures.