The TrickBot banking trojan has recently expanded its capabilities by adding a Windows 10 ActiveX control. This new feature gives the banking trojan the ability to execute malicious macros that are hidden in documents. A researcher at Morphisec Labs stated that in the past few weeks, two dozen documents have emerged that use ActiveX to trigger malicious macros in documents attached to targeted malspam emails. ActiveX creates and executes the OSTAP JavaScript downloader, which then drops the TrickBot payload without user interaction.
Researchers stated that the OSTAP JavaScript downloader is hidden in white-colored letters in between content in the email, so it is not visible to the recipient but still performs the same functions. The ActiveX feature only works on workstations that are updated to Windows 10, according to expert analysis.
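For attachment triage, the two traits described above (an embedded ActiveX control and a block of white-colored text) can be checked together. The sketch below is an added example, not code from Morphisec or the original article; it assumes the attachment is an OOXML `.docx`, the names `scan_docx` and `make_sample` are hypothetical, and the sample document is constructed in memory with placeholder text.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
HIDDEN = "PLACEHOLDER_HIDDEN_SCRIPT " * 4  # constructed stand-in, not real malware text


def scan_docx(data, min_chars=40):
    """Report ActiveX parts and explicitly white-coloured run text in a .docx."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        activex = [n for n in z.namelist() if n.startswith("word/activeX/")]
        root = ET.fromstring(z.read("word/document.xml"))
    white = []
    for run in root.iter(f"{{{W}}}r"):
        color = run.find(f"{{{W}}}rPr/{{{W}}}color")
        # Only an explicit w:color of FFFFFF is checked; theme colours are not resolved.
        if color is not None and color.get(f"{{{W}}}val", "").upper() == "FFFFFF":
            white.append("".join(t.text or "" for t in run.iter(f"{{{W}}}t")))
    text = "".join(white)
    return {
        "activex_parts": activex,
        "white_chars": len(text),
        # Flag only when both traits are present, to limit false positives.
        "suspicious": bool(activex) and len(text) >= min_chars,
    }


def make_sample(hidden=True, activex=True):
    """Build a constructed, minimal .docx-like ZIP in memory for the demo."""
    runs = "<w:r><w:t>Please review the attached invoice.</w:t></w:r>"
    if hidden:
        runs += ('<w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr>'
                 f"<w:t>{HIDDEN}</w:t></w:r>")
    doc = f'<w:document xmlns:w="{W}"><w:body><w:p>{runs}</w:p></w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        if activex:
            z.writestr("word/activeX/activeX1.xml", "<placeholder/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_docx(make_sample()))
    print(scan_docx(make_sample(hidden=False, activex=False)))
```

White text on its own also appears in benign documents, so the check reports the character count separately and raises the flag only when an ActiveX part is present as well.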
Read More: TrickBot Adds ActiveX Control, Hides Dropper in Images