TrickBot

TrickBot Malware Targets Users via Coronavirus Emails!

Cybercriminals are launching a new phishing campaign that exploits people's fear of the Coronavirus (COVID-19). The email appears to contain a document with some useful precautionary measures. Instead, it includes a malicious Microsoft Word document that SHOULD NOT be clicked.

These phishing emails first targeted Italian email addresses. Italy was one of the countries most affected by Coronavirus, and the emails prey on the understandable concern of its citizens over the disease.

Such emails have the title “Coronavirus: Informazioni importanti su precauzioni” and claim to be information about the necessary precautions that should be taken by people in Italy to protect themselves from the Coronavirus. The emails claim to be sent by “Dr. Penelope Marchetti”.

Coronavirus Phishing Email

This translates to English as:

Dear Sir / Madam,

Due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message!

With best regards,
Dr. Penelope Marchetti (World Health Organization - Italy)

According to research by Sophos, attached to these phishing emails is a malicious Microsoft Word document that, when opened, states that you need to click on the ‘Enable Content’ button to view it properly.

Malicious Word document

Once a recipient clicks on ‘Enable Content’, malicious macros are executed that extract various files to install and launch the TrickBot malware, as illustrated in the image below by Sophos.

From email to TrickBot infection (Source: Sophos)

If a user has Microsoft Word macros disabled, a message will appear telling the victim to allow editing and enable content because “this document was created in an earlier version of Microsoft Office Word.” If the victim follows these steps, the malicious code can be executed.
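Because the infection depends on a macro-bearing Word attachment, a mail triage step can flag such attachments by content rather than by file name. The following is an added example, not code from Sophos or from the original article; the attachment names, addresses and document bytes are constructed, and the legacy `.doc` check is a byte-search heuristic rather than a full OLE2 parser.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # legacy .doc (OLE2) container
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")   # stream name inside OLE2 macro storage

def has_vba(data: bytes) -> bool:
    """Return True if the file content (not its name) carries a VBA macro project."""
    if data.startswith(OLE_MAGIC):
        # Heuristic: OLE2 directory entries store stream names as UTF-16LE.
        return VBA_STREAM in data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:  # OOXML (.docx/.docm) is a ZIP
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def macro_attachments(raw_eml: bytes) -> list[str]:
    """List the file names of attachments in a raw message that contain macros."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and not part.is_multipart() and has_vba(part.get_payload(decode=True) or b""):
            hits.append(name)
    return hits

def _constructed_doc(with_macro: bool) -> bytes:
    """Constructed OOXML stand-in; the vbaProject.bin entry holds placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
    return buf.getvalue()

def build_sample() -> bytes:
    """Constructed message that reuses the subject line quoted in the article."""
    msg = EmailMessage()
    msg["Subject"] = "Coronavirus: Informazioni importanti su precauzioni"
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg.set_content("constructed body")
    for name, macro in (("constructed_macro.doc", True), ("constructed_clean.docx", False)):
        msg.add_attachment(_constructed_doc(macro), maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(macro_attachments(build_sample()))
```

The macro-bearing sample is deliberately named `.doc` while being a ZIP-based file, which shows why the check inspects content instead of trusting the extension.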

Once TrickBot is installed, it will proceed to gather various information from the compromised computer. It will then attempt to spread laterally throughout a network to gather as much data as it can.

TrickBot can download various modules that perform specific behaviors, such as stealing cookies, user credentials, OpenSSH keys and the Active Directory Services database, as well as spreading to other computers. After infecting the network, the malware will eventually run PowerShell Empire or Cobalt Strike to give the Ryuk Ransomware actors access to the infected computer. Once they have access to the computer, they can begin to encrypt all the files. This is why the attack is so dangerous: it combines two different attacks.

Stay safe

Make sure you take the proper training to stay safe from phishing emails. We offer Security Awareness Training & Ransomware Protection to help prevent these kinds of attacks.

If you are concerned about Coronavirus, visit the official websites of organizations such as the World Health Organization. Official government correspondence will never arrive via unsolicited emails, and it will never ask you to open an attachment (especially a Word document) for important information.