COVID-19 Phishing Email Campaign Contains TrickBot Malware
TrickBot is the most commonly distributed malware in phishing emails that use the COVID-19 pandemic to entice victims to open attached files or malicious links, according to Microsoft. The Microsoft Security Intelligence analysis is based on data from the company's Office 365 Advanced Threat Protection. In recent days, Microsoft's security analysts found several hundred unique macro-laced document attachments in phishing emails that pose as a message from a nonprofit offering a free COVID-19 test. These all contained TrickBot malware.
Rob Lefferts, vice president of Microsoft 365 Security, found that hackers using TrickBot malware have been very active and are re-tasking their lures to take advantage of the outbreak. Microsoft's researchers spotted 76 threat variants using COVID-19-themed lures, with TrickBot malware showing up often. Microsoft warns that in the TrickBot campaigns observed, the malicious macros in the phishing emails use a 20-second delay before delivering the payload, which enables the malware to evade emulation or sandbox analysis.
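The article does not reproduce the macros, so how the 20-second delay was implemented is not stated. The added example below (not Microsoft's detection logic and not code from the campaign) shows one static triage check a defender could run over extracted VBA source. It assumes the delay uses a standard VBA timing primitive with a literal duration, and its 15-second sandbox budget, function names and sample macros are constructed for illustration.

```python
import re

# Standard VBA timing primitives. Which one the campaign used is not stated
# in the article; these are assumptions for illustration.
DELAY_PRIMITIVES = {
    "Application.Wait": re.compile(r"\bApplication\.Wait\b", re.I),
    "Application.OnTime": re.compile(r"\bApplication\.OnTime\b", re.I),
    "Sleep API": re.compile(r"\bDeclare\s+(?:PtrSafe\s+)?Sub\s+Sleep\b", re.I),
}
# Literal durations: TimeValue("hh:mm:ss"), DateAdd("s", n, ...), Sleep <ms>
TIMEVALUE = re.compile(r'TimeValue\(\s*"(\d{1,2}):(\d{2}):(\d{2})"\s*\)', re.I)
DATEADD = re.compile(r'DateAdd\(\s*"s"\s*,\s*(\d+)', re.I)
SLEEP_CALL = re.compile(r"^\s*(?:Call\s+)?Sleep\s*\(?\s*(\d+)", re.I | re.M)
# Entry points Office runs automatically when a document is opened
AUTOEXEC = re.compile(r"\b(?:Auto_?Open|Document_Open|Workbook_Open)\b", re.I)

def delay_seconds(src):
    """Largest literal delay in seconds; 0 if none can be resolved statically."""
    found = [int(h) * 3600 + int(m) * 60 + int(s)
             for h, m, s in TIMEVALUE.findall(src)]
    found += [int(n) for n in DATEADD.findall(src)]
    found += [int(ms) / 1000 for ms in SLEEP_CALL.findall(src)]
    return max(found, default=0)

def assess(src, sandbox_budget=15):
    """Flag auto-run macros that stall at least `sandbox_budget` seconds.

    sandbox_budget is a hypothetical detonation window, not a vendor figure.
    """
    primitives = sorted(n for n, rx in DELAY_PRIMITIVES.items() if rx.search(src))
    auto_exec = bool(AUTOEXEC.search(src))
    secs = delay_seconds(src)
    return {"auto_exec": auto_exec, "primitives": primitives,
            "delay_seconds": secs,
            "flag": auto_exec and bool(primitives) and secs >= sandbox_budget}

# Constructed sample macros (not taken from any real document)
SAMPLE_DELAYED = '''
Private Sub Workbook_Open()
    Application.Wait Now + TimeValue("00:00:20")
    ' next stage omitted in this constructed sample
End Sub
'''
SAMPLE_PLAIN = '''
Private Sub Workbook_Open()
    MsgBox "Quarterly report loaded"
End Sub
'''

if __name__ == "__main__":
    for name, src in (("delayed", SAMPLE_DELAYED), ("plain", SAMPLE_PLAIN)):
        print(name, assess(src))
```

A flagged document is a candidate for detonation with a longer analysis window; delays computed at run time are not resolved by this check.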
While TrickBot started out as a banking Trojan that can steal data, the malware has been updated to work as a downloader that delivers other malicious code, such as ransomware. Security analysts have also observed other campaigns where TrickBot is combined with other malware, such as Emotet and Ryuk.
The shift to telecommuting due to COVID-19 has raised the risk of exposing home networks now used for business to TrickBot and Mirai malware, according to the security firm BitSight. In an April 16 report, Google found that over the course of a week, the company observed 18 million daily malware and phishing emails related to COVID-19 that targeted Gmail users. This was in addition to more than 240 million COVID-19-related daily spam messages.