
Trickbot Spam Campaign is Capitalizing on COVID-19 Fears

The cyber-criminals behind Trickbot are active again, this time targeting users in Italy, where cases of the deadly coronavirus infection are surging. Victims receive spam emails about preventative measures to take against COVID-19. The attackers are using the epidemic as an opportunity to reach users who are looking online for coronavirus-related topics, relying on social engineering that exploits fear of COVID-19.

Infection Vector Used In Trickbot Campaign


The attackers sent spam emails purporting to be from a doctor (Dr. Penelope Marchetti) working at the World Health Organization (WHO). The subject of the email is “Coronavirus: Informazioni importanti su precauzioni”, and it comes with a document presented as a list of precautions to take to prevent infection. In reality, the attached file is a weaponized Word document carrying a Visual Basic for Applications (VBA) script that drops a new Trickbot malware variant. When the weaponized Word document is opened, it asks the victim to click the ‘Enable Content’ button to view the content of the message correctly. If a user falls for that and clicks the ‘Enable Once’ button, the macros are executed and act as a dropper for the Trickbot malware.

Enabling the macro leads to the following chain of events. It drops files encoded within the document to disk: a VBA macro file (vbaProject.bin) and various Word-related XML files. The macro includes an obfuscated JavaScript (jse) file, which then connects back to a PHP script on a remote server (hxxps://185.234.73[.]125/wMB03o/Wx9u79.php in some samples), passing the IP address and some other basic information about the target as variables within an HTTP GET request. After that, it calls the macro file. The macro file contains an obfuscated script that creates the JavaScript dropper and a .bat batch file that executes the dropper with the Windows Script Host (WSH) command-line tool, “cscript[.]exe.”

TrickBot allows cybercriminals to collect information from infected systems. It also tries to move laterally to infect other systems on the same local network. The infection does not stop there: finally, the attackers try to deploy the Ryuk ransomware.

What can be done?


This particular malware infection can be stopped by following good security practices, such as disabling macros in Office applications for all users. Users need to be even more alert in this dire situation, because many attackers wait for global events of this kind and use them to their advantage to target innocent users. Emails from unknown people claiming to be doctors, health inspectors or social service groups should not be taken at face value. Users should be wary of every email they receive, and should not open any attachment from someone they do not recognize without first verifying that the email is genuine. Every employee in the organization should receive adequate training on how to respond to spam emails and how to handle Office files that arrive as email attachments.

Conclusion


Trickbot is another malware family to join the growing list of threats that are using COVID-19 to their advantage. Cybercriminals are not going to rest and will continue to take advantage of such situations. Users should pay attention to cybersecurity, because COVID-19-related misinformation is on the rise, and their curiosity can put their entire organization’s network at risk. The attackers are not doing anything particularly special or using a new vector to succeed; they are just using fear as a weapon. So, users should stay at home and follow basic security hygiene. Organizations should also consider sharing actionable intelligence about threats, such as important hashes (SHA1, MD5, etc.), malicious IP addresses, domains and URLs, to ensure timely identification and proactive remediation.

Indicators Of Compromise


URL
hxxps://185[.]234[.]73[.]125/wMB03o/Wx9u79.php

IP Address
23[.]19[.]227[.]235

File Hashes
dd7023dd82b641c9307566b87acf0951f16b27c34094a341fa1fe7671d269bf4
58e918466a61740abe42a2d1ca29bd8d56daf53912e6d65879cbe944466fb80c
8e3240a2a6b07ae8a6fde884c0e18e476ca3e92438022fe1a1ad4b2ba2334737

Email Subject
Coronavirus: Informazioni importanti su precauzioni
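
One way to apply the email subject and file hashes listed above at a mail gateway, combined with a check for the vbaProject.bin part mentioned in the infection chain. This is an added example, not code from the original post; the function names and the sample message are constructed for illustration, and the 64-character hashes are assumed to be SHA-256.

```python
import email, hashlib, io, zipfile
from email import policy
from email.message import EmailMessage

# IoCs copied from this page's indicator list (64 hex chars, assumed SHA-256).
IOC_SUBJECT = "Coronavirus: Informazioni importanti su precauzioni"
IOC_SHA256 = {
    "dd7023dd82b641c9307566b87acf0951f16b27c34094a341fa1fe7671d269bf4",
    "58e918466a61740abe42a2d1ca29bd8d56daf53912e6d65879cbe944466fb80c",
    "8e3240a2a6b07ae8a6fde884c0e18e476ca3e92438022fe1a1ad4b2ba2334737",
}

def has_vba_project(data):
    """True if data is an OOXML (ZIP) container holding a vbaProject.bin part."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False  # legacy OLE2 .doc files are out of scope for this check
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())

def triage(raw):
    """Return the reasons a raw RFC 5322 message should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if IOC_SUBJECT.casefold() in str(msg["Subject"] or "").casefold():
        reasons.append("subject-ioc")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        if hashlib.sha256(data).hexdigest() in IOC_SHA256:
            reasons.append(f"hash-ioc:{name}")
        if has_vba_project(data):
            reasons.append(f"macro:{name}")
    return reasons

def build_sample(subject, with_macro):
    """Constructed test message: a tiny ZIP standing in for a Word attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not VBA")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "a@example.com", "b@example.com"
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="sample.docm")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(IOC_SUBJECT, True)))
```

The macro check fires on any macro-enabled OOXML attachment, not only this campaign's, so it suits a quarantine-and-review policy rather than silent deletion.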


 Tags

malspam campaign
social engineering attacks
trickbot trojan
coronavirus scams

Posted on: April 17, 2020

