In the last 24 hours, SophosLabs has uncovered a new email spam attack targeting Italians with a document containing a macro loaded with Trickbot malware. The email takes advantage of COVID-19 fears by offering up a clickable document that allegedly includes a list of precautions to take to prevent infection. Unfortunately, the document is weaponized.
According to SophosLabs, the COVID-19 twist to the spam message may be new, but the mechanisms used to deliver it (including the spam “bots” that send the message, the enclosed scripted Word document and the JavaScript dropper) are similar or identical to those used in Trickbot campaigns that have been active for at least six months.
“The cybercriminals behind Trickbot are likely skilled attackers who leverage the concern of the day to scare people into clicking. While this is in Italy now, we would expect a similar attack in other countries where fears of COVID-19 outbreaks are high. The best approach to avoid this type of cyberattack is to turn off macros, be extra cautious about what you click, and delete email that is suspicious or from an unexpected source,” said Chester Wisniewski, principal research scientist, Sophos. “Whenever there is a topic of public interest like COVID-19 or the Australian bush fires, we see cybercriminals try to manipulate our concern into an opportunity. We must stay vigilant and be distrustful of incoming communications during times of crisis and only obtain advice from our public health authorities.”
