Cyber Crime

TrickBot targets Italy using fake WHO Coronavirus emails as bait

Crooks continue to exploit the attention on the Coronavirus (COVID-19) outbreak: TrickBot operators are now targeting Italian users.

A new spam campaign is targeting users in Italy, exploiting interest in the Coronavirus (COVID-19) outbreak in an attempt to deliver the TrickBot information-stealing malware.

Crooks are attempting to exploit users' fear of becoming infected with the Coronavirus; experts at Sophos have uncovered a new spam campaign. The spam messages pretend to come from a doctor (Dr. Penelope Marchetti) at the World Health Organization (WHO) and carry the subject “Coronavirus: Informazioni importanti su precauzioni.”

“Spam targeting Italian e-mail addresses is playing on fears over the Coronavirus outbreak in that country.” reads the report published by Sophos.

“The e-mail carries a document purported to be a list of precautions to take to prevent infection. But the enclosed file is in fact a weaponized Word document, carrying a Visual Basic for Applications (VBA) script that carries a dropper used to deliver a new Trickbot variant.”

The message pretends to provide information about COVID-19 and instructions for people living in Italy on how to avoid contagion.

Below is the text of the message in Italian:

Gentile Signore/Signora,

A causa del fatto che nella Sua zona sono documentati casi di infezione dal coronavirus, l'Organizzazione Mondiale della Sanità ha preparato un documento che comprende tutte le precauzioni necessarie contro l'infezione dal coronavirus. Le consigliamo vivamente di leggere il documento allegato a questo messaggio!

Distinti saluti, 
Dr. Penelope Marchetti (Organizzazione Mondiale della Sanità - Italia)

This translates to English as:


Dear Sir / Madam,

Due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message!

With best regards,
Dr. Penelope Marchetti (World Health Organization - Italy)

The messages include a weaponized Word document that, once opened, asks the victim to click the ‘Enable Content’ button in order to view the content of the document.

Once the button is clicked, the embedded macros execute and act as a dropper for the infamous TrickBot malware.

Below is the sequence of actions triggered by enabling the macro:

  • “It disgorges files encoded within the document to disk: a VBA macro file (vbaProject.bin), and several Word-related XML files. The macro, in turn, contains an obfuscated JavaScript (jse) file.
  • It connects back to a PHP script on a remote server (hxxps://185[.]234.73.125/wMB03o/Wx9u79.php in some samples) – passing the IP address and some basic details about the target as variables within an HTTP GET request.
  • It calls the macro file. While the macro script is obfuscated by code from legitimate VBA script, its actual function is to create the JavaScript dropper and a .bat batch file that executes the dropper with the Windows Script Host (WSH) command line tool, cscript.exe.”
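The chain above gives a defender two concrete things to look for: a Word document that carries a `vbaProject.bin` part, and an Office process spawning a script host that runs a `.jse` file and then issues a GET to the dropper's server. The following Python is an added example written for this article; it is not Sophos' tooling or code from the report. It assumes an OOXML (zip-based) document and a simplified `key=value` telemetry format that I constructed for the demonstration; a real Sysmon or EDR export will need its own parser, and the IP and path are the IoC quoted above, re-fanged.

```python
"""Added triage example (not from Sophos or the article): statically flag a
macro-bearing Word document, then flag the macro-to-cscript.exe-to-C2 chain
in constructed endpoint telemetry."""
import io
import re
import zipfile

# IoC from the report, re-fanged (hxxps://185[.]234.73.125/wMB03o/Wx9u79.php).
IOC_HOST = "185.234.73.125"
IOC_PATH = "/wMB03o/Wx9u79.php"


def has_vba_project(doc_bytes: bytes) -> bool:
    """True if an OOXML Word file (.docx/.docm) contains a VBA project part.
    The dropper above embeds its macro as word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            names = {n.lower() for n in zf.namelist()}
    except zipfile.BadZipFile:
        return False  # not OOXML (e.g. legacy OLE2 .doc); triage that separately
    return "word/vbaproject.bin" in names


def build_sample_doc(with_macro: bool) -> bytes:
    """Construct a minimal zip shaped like an OOXML document (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


# Constructed telemetry lines (assumed format; adapt the parser to your source).
SAMPLE_EVENTS = [
    'type=process parent=WINWORD.EXE image=cscript.exe cmdline="cscript.exe //E:jscript C:\\Users\\u\\AppData\\Local\\Temp\\x.jse"',
    'type=process parent=WINWORD.EXE image=cmd.exe cmdline="cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\run.bat"',
    'type=network image=cscript.exe dst=185.234.73.125 method=GET path=/wMB03o/Wx9u79.php',
    'type=process parent=explorer.exe image=cscript.exe cmdline="cscript.exe C:\\scripts\\inventory.vbs"',
    'type=network image=chrome.exe dst=93.184.216.34 method=GET path=/',
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "cmd.exe"}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Split one key=value record; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def classify(event: dict) -> list:
    """Return the alert names that apply to one telemetry record."""
    alerts = []
    if event.get("type") == "process":
        parent = event.get("parent", "").lower()
        image = event.get("image", "").lower()
        cmd = event.get("cmdline", "").lower()
        # Word handing control to a script host is the macro's dropper step.
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            alerts.append("office-spawned-script-host")
        # WSH executing a .jse matches the obfuscated JavaScript dropper.
        if image in {"cscript.exe", "wscript.exe"} and ".jse" in cmd:
            alerts.append("wsh-runs-jse")
    elif event.get("type") == "network":
        # The HTTP GET check-in to the PHP script named in the report.
        if event.get("dst") == IOC_HOST and event.get("path") == IOC_PATH:
            alerts.append("trickbot-dropper-c2-ioc")
    return alerts


def scan(lines) -> list:
    """Run every record through classify(); returns (line index, alert) pairs."""
    return [(i, a) for i, line in enumerate(lines) for a in classify(parse_event(line))]


if __name__ == "__main__":
    print("macro doc:", has_vba_project(build_sample_doc(True)))
    for idx, alert in scan(SAMPLE_EVENTS):
        print(idx, alert)
```

The document check is cheap enough to run on every attachment at the mail gateway; the telemetry rules are deliberately broader than the single sample (any Office parent, any WSH/cmd child), because the IoC host will change long before the parent-child pattern does.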

TrickBot allows attackers to gather information from compromised systems; it also attempts lateral movement to infect other machines on the same network.

The attackers then attempt to monetize their efforts by deploying the Ryuk ransomware.

“As with most viruses – digital or biological – this particular contagion can be prevented through good hygiene: Disable macros in Office applications for all but the most trusted documents, and train everyone in the organization what not to do with documents received via email.” concludes Sophos.

Sophos also shared Indicators of Compromise (IoC) for this threat.


Pierluigi Paganini

(SecurityAffairs – hacking, Coronavirus)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
