COVID-19 Phishing Emails Mainly Contain TrickBot: Microsoft
Phishing Campaigns Up Since the Onset of Pandemic
TrickBot is the malware most commonly distributed in phishing emails that use the COVID-19 pandemic as a lure to entice victims to open up attached files or malicious links, according to Microsoft.
The Microsoft Security Intelligence analysis is based on data from the company's Office 365 Advanced Threat Protection. In a series of tweets last week, Microsoft's security analysts note that in recent days, they found "several hundred" unique macro-laced document attachments in phishing emails that pose as a message from a nonprofit offering a free COVID-19 test. These all contained TrickBot malware.
Based on Office 365 ATP data, Trickbot is the most prolific malware operation using COVID-19 themed lures. This week's campaign uses several hundred unique macro-laced document attachments in emails that pose as a message from a non-profit offering a free COVID-19 test. pic.twitter.com/V2JcZg2kjt
- Microsoft Security Intelligence (@MsftSecIntel) April 17, 2020
Earlier this month, Rob Lefferts, vice president of Microsoft 365 Security, noted that attackers using TrickBot malware have been "very active and rebranding their lures to take advantage of the outbreak." In the same blog post, Lefferts said that the company's researchers had spotted 76 threat variants using COVID-19 themed lures, with TrickBot malware showing up often.
In its tweets, Microsoft warns that in the TrickBot campaigns its researchers have observed, the malicious macros in the phishing attachments wait 20 seconds before delivering the final payload; because many emulators and sandboxes only execute a sample for a short time, the delay lets the malware finish analysis without ever exposing its payload.
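As an added illustration of how a defender might triage Office macros for the delay-before-payload pattern Microsoft describes, here is a small Python heuristic (example code, not Microsoft's or the article's; the VBA snippets, the 10-second threshold and the function names are constructed for this example):

```python
import re
from typing import Dict, List

# Constructed VBA fragments (not taken from any real sample) showing three
# common ways a macro stalls before running its payload, plus a benign macro.
SAMPLE_MACROS: Dict[str, str] = {
    "wait_20s": 'Sub AutoOpen()\n'
                '  Application.Wait Now + TimeValue("0:00:20")\n'
                '  Shell "payload.exe"\nEnd Sub',
    "sleep_api": 'Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal ms As Long)\n'
                 'Sub Document_Open()\n  Sleep 20000\n'
                 '  CreateObject("WScript.Shell").Run "x"\nEnd Sub',
    "timer_loop": 'Sub Document_Open()\n  t = Timer\n'
                  '  Do While Timer < t + 25\n    DoEvents\n  Loop\nEnd Sub',
    "benign": 'Sub Document_Open()\n  MsgBox "Hello"\nEnd Sub',
}

# Assumed threshold: sandboxes often stop well before this, so a macro that
# deliberately idles this long before acting deserves a closer look.
THRESHOLD_SECONDS = 10.0


def extract_delays(vba: str) -> List[float]:
    """Return every delay (in seconds) the macro text asks for."""
    delays: List[float] = []
    # Application.Wait Now + TimeValue("h:mm:ss")
    for h, m, s in re.findall(r'TimeValue\("(\d+):(\d+):(\d+)"\)', vba):
        delays.append(float(int(h) * 3600 + int(m) * 60 + int(s)))
    # kernel32 Sleep takes milliseconds; "Sleep Lib" in the Declare line is not matched
    for ms in re.findall(r'\bSleep\s+(\d+)', vba):
        delays.append(int(ms) / 1000.0)
    # Busy-wait loop: Do While Timer < start + N
    for secs in re.findall(r'Timer\s*<\s*\w+\s*\+\s*(\d+)', vba):
        delays.append(float(secs))
    return delays


def flag_delayed_macro(vba: str, threshold: float = THRESHOLD_SECONDS) -> bool:
    """True if any requested delay meets the threshold."""
    return any(d >= threshold for d in extract_delays(vba))


def triage(macros: Dict[str, str]) -> List[str]:
    """Names of the macros that stall long enough to warrant review."""
    return sorted(name for name, text in macros.items() if flag_delayed_macro(text))


if __name__ == "__main__":
    print("Flagged:", triage(SAMPLE_MACROS))  # Flagged: ['sleep_api', 'timer_loop', 'wait_20s']
```

The regexes only cover the three literal idioms shown; obfuscated or computed delays would need the macro to be emulated, which is exactly why a longer sandbox timeout is the more robust control.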
While TrickBot started out as a banking Trojan that can steal data, the malware has been updated to work as a downloader that delivers other malicious code, such as ransomware. Security analysts have also observed other campaigns where TrickBot is combined with other malware, such as Emotet and Ryuk (see: Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta').
COVID-19 As Lure
The U.K. National Cyber Security Centre and the U.S. Cybersecurity and Infrastructure Security Agency issued a joint statement earlier this month noting that cybercrime groups and nation-state hacking gangs were using the COVID-19 pandemic to further their goals (see: UK and US Security Agencies Sound COVID-19 Threat Alert).
And while many of these phishing campaigns have spread information stealers, such as AgentTesla, Netwire and LokiBot, Microsoft and other security firms note increases in TrickBot malware as well.
For example, the shift to telework due to COVID-19 has raised the risk that home networks now used for business are exposed to TrickBot and Mirai malware, according to the security firm BitSight (see: Malware Risk Higher for Those Working at Home: Report).
In an April 16 report, Google noted that over the course of a week, the company observed 18 million daily malware and phishing emails related to COVID-19 that targeted Gmail users. This was in addition to more than 240 million COVID-19-related daily spam messages.
Google reported observing phishing emails that were disguised as messages from the World Health Organization asking for donations. Researchers found that these messages typically contained malware that attempted to install backdoors within infected devices. Other phishing emails were designed to target at-home workers or contained malicious messages about government stimulus checks.