COVID-19 Phishing Emails Mainly Contain TrickBot: Microsoft

Phishing Campaigns Up Since the Onset of Pandemic

TrickBot is the malware most commonly distributed in phishing emails that use the COVID-19 pandemic as a lure to entice victims to open up attached files or malicious links, according to Microsoft.

The Microsoft Security Intelligence analysis is based on data from the company's Office 365 Advanced Threat Protection. In a series of tweets last week, Microsoft's security analysts note that in recent days, they found "several hundred" unique macro-laced document attachments in phishing emails that pose as a message from a nonprofit offering a free COVID-19 test. These all contained TrickBot malware.

Earlier this month, Rob Lefferts, vice president of Microsoft 365 Security, noted that attackers using TrickBot malware have been "very active and rebranding their lures to take advantage of the outbreak." In the same blog post, Lefferts said that the company's researchers spotted 76 threat variants using COVID-19-themed lures, with TrickBot malware showing up often.

In its tweets, Microsoft warns that in the TrickBot campaigns its researchers have observed, the malicious macros in the phishing emails use a 20-second delay before delivering the final payload, which enables the malware to evade emulation or sandbox analysis.

While TrickBot started out as a banking Trojan that can steal data, the malware has been updated to work as a downloader that delivers other malicious code, such as ransomware. Security analysts have also observed other campaigns where TrickBot is combined with other malware, such as Emotet and Ryuk (see: Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta').

COVID-19 As Lure

The U.K. National Cyber Security Center and the U.S. Cybersecurity Infrastructure and Security Agency issued a joint statement earlier this month noting that cybercrime groups and nation-state hacking gangs were using the COVID-19 pandemic to further their goals (see: UK and US Security Agencies Sound COVID-19 Threat Alert).

And while many of these phishing campaigns have spread information stealers, such as AgentTesla, Netwire and LokiBot, Microsoft and other security firms note increases in TrickBot malware as well.

For example, the shift to telework due to COVID-19 has raised the risk of exposing home networks now used for business to TrickBot and Mirai malware, according to the security firm BitSight (see: Malware Risk Higher for Those Working at Home: Report).

In an April 16 report, Google noted that over the course of a week, the company observed 18 million daily malware and phishing emails related to COVID-19 that targeted Gmail users. This was in addition to more than 240 million COVID-19-related daily spam messages.

Phishing email disguised as WHO message (Source: Google)

Google reported observing phishing emails that were disguised as messages from the World Health Organization asking for donations. Researchers found that these messages typically contained malware that attempted to install backdoors within infected devices. Other phishing emails were designed to target at-home workers or contained malicious messages about government stimulus checks.

About the Author

Apurva Venkat

Special Correspondent

Venkat is special correspondent for Information Security Media Group's global news desk. She has previously worked at companies such as IDG and Business Standard where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news and education.
