Trickbot Further Adapts Itself for COVID-19 Related Scams

Trickbot malware continues its malicious campaigns against various organizations across the globe.

Recent attacks

Trickbot, which is considered as one of the most prolific malware involved in COVID-19 related cybercrimes, was actively targeting organizations around the globe using COVID-19 related lures:

  • In April 2020, a Trickbot campaign was observed targeting email recipients with fake messages purporting to come from the U.S. Department of Labor (DoL), talking about FMLA’s right to medical leave benefits for employees, during COVID-19 pandemic.
  • In March 2020, a malicious spam campaign was observed, that pretended to be from a doctor at the World Health Organization (WHO), but it was spreading TrickBot information-stealing malware to targeted Italian users.

Not just lures but actual COVID-19 enhancements

Trickbot is not just notorious for using COVID-19 related social engineering lures to trick its target users. Its operators have also made efforts to sharpen the malware code to be more effective during the coronavirus pandemic.

  • In March 2020, the TrickBot operators were seen using news stories from CNN about President Trump's impeachment as part of the malware's file description to evade detection by security software.
  • In the same month, Trickbot was updated with a "rdpScanDll" module which allows the malware to brute-force Remote Desktop Protocol (RDP) credentials, that could prove deadly during this period of remote working.

Highly adaptive malware

Trickbot operators have always been very active in adapting to regional and global affairs to lure their victims, even before the ongoing pandemic.

  • In February 2020, Trickbot was being spread as a payload with Emotet malware, via spam campaign disguised as signed W-9 tax forms, that are designed to evoke the curiosity of citizens during the tax season.
  • Before this, Trickbot operators were also observed using topics like employee payroll or fake sexual harassment complaints appearing to be from the US Equal Employment Opportunity Commission in its recent campaigns.

Tips for protection

To stay protected against malware like Trickbot, users should practice caution with emails from unknown sources, specifically those having attachments. Also, using strong passwords can help prevent any attempts of brute-force attacks, and keeping the endpoints and all applications updated can help avoid exploitation of any known vulnerabilities.