Trickbot is the most prolific malware operation using COVID-19 themed lures

Pierluigi Paganini April 18, 2020

TrickBot is the malware that most of all is involved in COVID-19-themed attacks, Microsoft’s Office 365 Advanced Threat Protection (ATP) data reveals.

The analysis of Microsoft Office 365 ATP data revealed that TrickBot is, at the moment, the malware operation with the highest number of unique COVID-19-themed malicious emails and attachments.

Microsoft experts revealed that this campaign observed this week uses several hundreds of unique weaponized attachments in emails that pose as a message from a non-profit offering free COVID-19 test.

Upon opening the documents, victims are tricked into enabling the macros that use a delay before downloading the malicious payloads to evade sandbox analysis and emulation.

Despite threat actors are exploiting the current coronavirus pandemic to target users, last week Microsoft reported it hasn’t observed any spike in malware activity in this period, it only observed a change of lures.

“Our data shows that these COVID-19 themed threats are retreads of existing attacks that have been slightly altered to tie to this pandemic. This means we’re seeing a changing of lures, not a surge in attacks.” reads the report published by Microsoft.

“The trendy and pervasive Trickbot and Emotet malware families are very active and rebranding their lures to take advantage of the outbreak. We have observed 76 threat variants to date globally using COVID-19 themed lures (map below).”

Microsoft tracks thousands of phishing campaigns every week, the company revealed that of the millions of targeted messages observed only roughly 60,000 use the Coronavirus as a lure, it represents less than two percent of the total malspam traffic.

Crooks are adapting the templates of their malspam campaigns using COVID-19-related topics and subjects.

Last week the tech giant claimed it has spotted 76 threat variants globally using COVID-19 themed lures, most of them related to TrickBot malware operations.

Earlied March, while the COVID-19 outbreak exploded in Italy, a new spam campaign was targeting users in the same country. Crooks started exploiting the interest on Coronavirus (COVID-19) in the attempt of delivering the TrickBot information-stealing malware.

Experts at Sophos uncovered a new spam campaign, messages were pretending to be from a doctor (Dr. Penelope Marchetti) at the World Health Organization (WHO), they have a subject of “Coronavirus: Informazioni importanti su precauzioni.”

TrickBot allows attackers to gather information from compromised systems, it also attempts to make lateral movements to infect other machines on the same network.

Then the attackers attempt to monetize their efforts by deploying other payloads, like the Ryuk Ransomware

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – COVID-19, Trickbot)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment