Crooks continue to exploit the attention on the Coronavirus (COVID-19) outbreak, TrickBot operators target Italian users.

A new spam campaign is targeting users in Italy by exploiting the interest on Coronavirus (COVID-19) in the attempt of delivering the TrickBot information-stealing malware.

Crooks are attempting to exploit the fear of users of becoming infected with the Coronavirus, experts at Sophos have uncovered a new spam campaign. Spam messages pretend to be from a doctor (Dr. Penelope Marchetti) at the World Health Organization (WHO), they have a subject of “Coronavirus: Informazioni importanti su precauzioni.”

“Spam targeting Italian e-mail addresses is playing on fears over the Coronavirus outbreak in that country.” reads the report published by Sophos.

“The e-mail carries a document purported to be a list of precautions to take to prevent infection. But the enclosed file is in fact a weaponized Word document, carrying a Visual Basic for Applications (VBA) script that carries a dropper used to deliver a new Trickbot variant.”

The message pretends to provide information about the COVID-19 and instruction for people that live in Italy to avoid contagion.

Below the text of the message in Italian:

Gentile Signore/Signora, A causa del fatto che nella Sua zona sono documentati casi di infezione dal coronavirus, l'Organizzazione Mondiale della Sanità ha preparato un documento che comprende tutte le precauzioni necessarie contro l'infezione dal coronavirus. Le consigliamo vivamente di leggere il documento allegato a questo messaggio! Distinti saluti, Dr. Penelope Marchetti (Organizzazione Mondiale della Sanità - Italia)

This translates to English as:

Dear Sir / Madam, Due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message! With best regards, Dr. Penelope Marchetti (World Health Organization - Italy)

The messages include a Weaponized Word document that once opened will ask victims to click on the ‘Enable Content’ button to properly view the content of the message.

Once clicked on the button, the embedded macros will be executed and act as a dropper for a piece of the infamous Trickbot malware.

Below the sequence of actions triggered by enabling the macro:

It disgorges files encoded within the document to disk: a VBA macro file (vbaProject.bin), and several Word-related XML files. The macro, in turn, contains an obfuscated JavaScript (jse) file.

It connects back to a PHP script on a remote server (hxxps://185[.]234.73.125/wMB03o/Wx9u79.php in some samples) – passing the IP address and some basic details about the target as variables within an HTTP GET request.

It calls the macro file. While the macro script is obfuscated by code from legitimate VBA script, its actual function is to create the JavaScript dropper and a .bat batch file that executes the dropper with the Windows Script Host (WSH) command line tool, cscript.exe.”

TrickBot allows attackers to gather information from compromised systems, it also attempts to make lateral movements to infect other machines on the same network.

Then the attackers attempt to monetize their efforts by deploying the Ryuk Ransomware

“As with most viruses – digital or biological – this particular contagion can be prevented through good hygiene: Disable macros in Office applications for all but the most trusted documents, and train everyone in the organization what not to do with documents received via email.” concludes Sophos.

Sophos also shared Indicators of Compromise (IoC) for this threat.

Pierluigi Paganini

(SecurityAffairs – hacking, Coronavirus)