Fake Labor Department Emails Designed to Spread TrickBotIBM: Spam Leverages Interest in Family and Medical Leave Act
In an apparent attempt to spread TrickBot malware, cybercriminals are sending fake emails designed to look like notifications from the Labor Department concerning changes to the Family and Medical Leave Act, according to IBM X-Force.
As a result of the COVID-19 pandemic, there’s growing interest in the Act, which can provide up to 12 weeks of unpaid leave for employees who are ill or need to care for someone with a serious medical condition. Benefits from the program increased in March when President Donald Trump signed the Families First Coronavirus Response Act, according to U.S. News and World Report.
"Spam purporting to come from official and government entities has been increasing considerably during the COVID-19 pandemic, with cybercriminals developing spam to match trending news, developments, merchandise and initiatives surrounding the outbreak as a means to deliver unsolicited emails that attract recipients to open and launch attachments," Ashkan Vila, a security analyst with IBM X-Force, notes in the report.
The spam messages that IBM researchers uncovered not only use official-looking logos and images from the Labor Department, but also borrow from the wording contained in the department's FAQ and "Contact Us" sites, according to the report.
These messages contain three attachments - two PNG image files as well as what appears to be a DocuSign document called: "Family and Medical Leave of Act 22.04.doc."
While two image attachments are benign, the DocuSign-type attachment contains malicious macros that are designed to deliver the malware.
Victims are enticed to open that document because it’s portrayed as containing more information about changes to the Family and Medical Leave Act, according to IBM. To read the document, the victim is asked to enable macros. Once those are enabled, malware is installed on the device and then calls a command-and-control server, which eventually is supposed to attempt to install TrickBot, according to IBM.
In the examples that IBM researchers found, however, Trickbot failed to deploy after the command-and-control server was contacted. Nevertheless, the researchers believe the spam emails are part of a TrickBot campaign because of how the macros work to install the malware. Plus, an IP address connected with the command-and-control server has been previously associated with the operators of this malware, according to the report.
The IBM report notes that these spam emails appear to have stopped around April 22.
While TrickBot started out in 2016 as a banking Trojan that can steal data, the malware has been updated to work as a downloader that delivers other malicious code, such as ransomware. Security analysts have also observed other campaigns in which TrickBot is combined with other malware, such as Emotet and Ryuk (see: Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta').
Microsoft researchers say TrickBot is the malware most commonly distributed in phishing emails that are using the healthcare crisis as a lure to entice victims to open up attached files or malicious links (see: COVID-19 Phishing Emails Mainly Contain TrickBot: Microsoft).