Spammers in a new email campaign are targeting users in Italy by exploiting the outbreak of the Coronavirus (COVID-19), attempting to steal information through phishing scams or to lure users into downloading a different kind of virus.
The malware-laced message carries false advice and a hidden threat, and it was emailed so widely that it instantly reached a staggering 10% of the organizations in Italy. The emails pose as the latest updates on the Coronavirus disease outbreak.
These spam messages pretend to be from a doctor (Dr. Penelope Marchetti) at the World Health Organization (WHO) and carry the subject line “Coronavirus: Important information on precautions.”
“Spam targeting Italian e-mail addresses is playing on fears over the Coronavirus outbreak in that country,” reads the report published by Sophos, which uncovered the campaign.
“The e-mail carries a document purported to be a list of precautions to take to prevent infection. But the enclosed file is, in fact, a weaponized Word document, carrying a Visual Basic for Applications (VBA) script that carries a dropper used to deliver a new Trickbot variant.”
Dear Sir / Madam,
Since cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection.
We strongly recommend that you read the document attached to this message!
With best regards,
Dr. Penelope Marchetti (World Health Organization – Italy)
The messages include a Word document that, once opened, asks victims to click the ‘Enable Content’ button to properly view the content of the message.
Once the victim clicks the button, the embedded macros execute and act as a dropper for a piece of the Trickbot malware.
Trickbot is primarily used to steal confidential information from victims, but once installed on a machine, it can also be used as a surrogate for installing other forms of malware.
“As with most viruses – digital or biological – this particular contagion can be prevented through good hygiene: Disable macros in Office applications for all but the most trusted documents, and train everyone in the organization what not to do with documents received via email,” concludes Sophos.
Cybersecurity firm Check Point announced that over 4,000 coronavirus-related domains have been registered since the beginning of 2020. Of those, 3 percent were considered malicious and another 5 percent were suspicious.