TrickBot operators exploit COVID-19 as lures

Pierluigi Paganini May 02, 2020

IBM X-Force researchers spotted a new COVID-19-themed campaign spreading the infamous TrickBot trojan through fake messages.

IBM X-Force researchers uncovered a new COVID-19-themed campaign that is spreading the infamous TrickBot trojan through fake messages.

The spam messages pretend to be sent by the Department of Labor’s Family and Medical Leave Act (FMLA) and attempt to deliver the TrickBot trojan.

The fake messages inform people of changes to the FMLA (due to the COVID-19 pandemic), which allow employees to have the right to family-leave medical benefits, they include a weaponized attachment that acts as a dropper for the TrickBot malware.

“Recent analysis from our spam traps uncovered a new Trickbot campaign that currently targets email recipients with fake messages purporting to come from the U.S. Department of Labor (DoL).” reads the post published by IBM. “The spam leverages the Family and Medical Leave Act (FMLA), which gives employees the right to medical leave benefits, as context around COVID-19 in order to distribute the malware.”


TrickBot is a popular banking Trojan that has been around since October 2016, its authors have continuously upgraded it by implementing new features. For example, in February 2019 Trend Micro detected a variant that includes a new module used for Remote App Credential-Grabbing.

In April, the analysis of Microsoft Office 365 ATP data revealed that TrickBot is, at the moment, the malware operation with the highest number of unique COVID-19-themed malicious emails and attachments.

The TrickBot Trojan allows crooks to takeover bank accounts and to conduct high-value wire fraud, it also employed in ransomware attacks targeting organizational networks.

“In the spam samples we looked at, the eventual TrickBot payload started out in a DocuSign-type attachment titled Family and Medical Leave of Act 22.04.doc.” continues the analysis. “Once opened, the document asks the recipient to enable macros (ThisDocument.cls), from which, upon closing the file, malicious scripts will be launched to fetch the malware from the attacker’s designated domain.”

Even if the samples observed by the IBM X-Force experts failed to actually download their intended payload, researchers speculate they were used to deliver the TrickBot trojan based on observation of similar patterns in previous TrickBot campaigns, “the “Macro on Close” function followed by the DocuSign theme has been a tactic used by this malware’s distributors.”

The macro first creates a local directory C:\Test, then drops and executes a batch file, terop.bat.

Another evidence of the involvement of TrickBot is the use of the IP address, which was previously linked with hosting TrickBot campaigns, However,

However, experts could exclude that malware is being distributed by the same threat actors, and that the final payload is possibly different.

This campaign demonstrates that threat actors continue to attempt to take advantage of the current COVID-19 pandemic.

“As the COVID-19 pandemic continues to hold the attention of people everywhere in an unprecedented manner, we are sure to continue seeing the use of this theme in endless amounts of spam and attacks targeting users across the globe.” concludes IBM.

“The current spam is likely an early warning to those expecting to take advantage of the FMLA during the pandemic to be on the lookout for malicious campaigns,” Via and his co-authors wrote. “TrickBot spam varies frequently depending on those distributing it, and the issues we detected in the macro scripts are likely to be fixed and relaunched in further spamming activity.”

Please vote Security Affairs for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – COVID-19, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment