Trickbot malware is using these unique 'macro-laced' document attachments with a coronavirus theme

Microsoft Security Intelligence warns that there's been a large uptick in Covid-19 themed lures in phishing attacks by this one malware operation in recent days.
Written by Danny Palmer, Senior Writer

The gang behind the Trickbot malware is at the forefront of attempts to use the ongoing coronavirus crisis to trick computer users into downloading malware onto their devices.

Microsoft's Security Intelligence team said that during last week alone, the operation behind Trickbot sent out hundreds of emails purporting to relate to COVID-19 medical advice and testing, each with the aim of installing Trickbot malware via unique "macro-laced" malicious document attachments inside the message.

One of the most notorious malware families in existence, Trickbot started life as a banking trojan but has been re-purposed to become one of the most advanced and capable forms of delivering malware around today.

SEE: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)

This includes the delivery of keyloggers, trojans and ransomware onto compromised computers, as well as the ability to maintain persistence on infected machines. It can also allow hackers to move around infected networks via the EternalBlue vulnerability, as well as operating with botnet-like capabilities to help further the spread of infections.

The latest Trickbot attacks come in the form of phishing emails claiming to be from volunteer and humanitarian groups offering COVID-19 testing. They claim that the victim can get more information about this by downloading an attached document – which in this case is an information-stealer.

Like other recent Trickbot campaigns, the macro waits twenty seconds before downloading the payload in an effort to evade detection or analysis.

As the coronavirus pandemic continues, cyber criminals and state-sponsored hacking operations have increasingly taken to using it as a lure to infiltrate networks or to steal personal information or banking details from individual users – especially as the increase in remote working has potentially left people more open to attacks.

SEE: Coronavirus: Business and technology in a pandemic

Security bodies including the UK's National Cyber Security Centre (NCSC) and the US Department of Homeland Security (DHS) have warned about the rise in coronavirus-related cyberattacks as well as offering security advice and information on how to detect potentially suspicious emails.

It's also worth remembering that medical groups such as the World Health Organisation won't email individuals out of the blue to offer them a free test, nor will any of these bodies ask users to click on a link to enter bank details or other personal information.


Editorial standards