The cyber-criminals behind Trickbot are active again, this time targeting users in Italy, where cases of the deadly coronavirus infection are surging. They are sending victims spam emails about preventative measures to take against COVID-19. The attackers are using the epidemic as an opportunity to reach users who are looking online for coronavirus-related topics, relying on social engineering tricks that take advantage of fear around COVID-19.
Infection Vector Used In Trickbot Campaign
The attackers were sending spam emails with messages purporting to be from a doctor (Dr. Penelope Marchetti) working at the World Health Organization (WHO). The subject of the email is “Coronavirus: Informazioni importanti su precauzioni”, and the email comes with a document presented as a list of precautions to take to prevent infection. In reality, the attached file is a weaponized Word document containing a Visual Basic for Applications (VBA) script that drops a new Trickbot malware variant. When the weaponized Word document is opened, it asks the victim to click the ‘Enable Content’ button to view the content of the message correctly. If a user falls for that and clicks the button ‘Enable Once’, the macros are executed and act as a dropper for the Trickbot malware.
What can be done?
This particular malware infection can be stopped by following good security practices, such as disabling macros in Office applications for all users. Users need to be even more alert in this dire situation, because many attackers wait for global events of this kind and use them to their advantage to target innocent users. Emails from unknown people claiming to be doctors, health inspectors or social service groups should not be trusted at face value. Users should be alert to every email they receive, and should not open any attachment from someone they do not recognize without first verifying that the email is genuine. Every employee in the organization should receive adequate training on how to respond to spam emails and how to handle Office files that arrive as email attachments.
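As an added illustration (not code from the original article), the following mail-triage sketch checks a message for the subject line listed under Indicators Of Compromise and for attachments that can carry VBA macros, deciding from file content rather than file extension. The function names, the quarantine rule and the sample message are assumptions made for this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject line listed under the page's Indicators Of Compromise.
IOC_SUBJECT = "Coronavirus: Informazioni importanti su precauzioni"
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container

def has_vba(data: bytes) -> bool:
    """True if the file content (not its extension) can carry VBA macros."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary container: treat as macro-capable (no OLE parser here).
        return True
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            # OOXML stores the macro project as a vbaProject.bin part.
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    return False

def triage(raw: bytes) -> dict:
    """Check one RFC 5322 message for the subject IoC and macro attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").split())
    macro_files = [
        part.get_filename() or "(unnamed)"
        for part in msg.iter_attachments()
        if has_vba(part.get_payload(decode=True) or b"")
    ]
    return {"subject_match": subject.casefold() == IOC_SUBJECT.casefold(),
            "macro_attachments": macro_files, "quarantine": bool(macro_files)}

def build_sample(with_macro: bool) -> bytes:
    """Constructed test message; the attachment holds dummy bytes, no real macro."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"constructed placeholder")
    m = EmailMessage()
    m["Subject"] = IOC_SUBJECT
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m.set_content("Constructed sample body.")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="octet-stream", filename="sample.doc")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(True)))
```

A subject match alone is treated only as a signal here, because lure subjects change between campaigns, while a macro-capable attachment triggers the quarantine decision.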
Trickbot is another malware family to join the growing list of threats that are using COVID-19 to their advantage. Cybercriminals are not going to rest, and will continue to take advantage of such situations. Users should pay attention to cybersecurity, because COVID-19-related misinformation is on the rise, and their curiosity can put their entire organization’s network at risk. Attackers are not doing anything particularly special or using a new vector to succeed; they are just using fear as a weapon. So, users should stay at home and follow basic security hygiene. Organizations should also consider sharing actionable intelligence about the threats, such as important hashes (SHA1, MD5, etc.), malicious IP addresses, domains and URLs, to ensure timely identification and proactive remediation.
Indicators Of Compromise
Email subject: Coronavirus: Informazioni importanti su precauzioni