A new organized spam e-mail campaign it taking place, attempting to spread the TrickBot malware, researchers with IBM X-Force warn. The fake e-mails are formatted and worded so that they look like legitimate Labor Department correspondence and the text concerns changes to the Family and Medical Leave Act.
This new spam campaign is once again propping itself up on the ongoing COVID-19 anxiety surrounding the virus and the economic situation all over the world. The legislation mentioned in the fake emails, deals with the possibility to use up to 12 weeks of unpaid leave under specific circumstances. The specific benefits one can use under the act were changed after President Trump signed a new legislative act called Families First Coronavirus Response Act.
The hackers made sure that their fake e-mails look reasonably convincing, including imagery and logos from the Labor Department, as well as excerpts from some of the Department’s official web pages. The malicious e-mails contain three attachments – one is called "Family and Medical Leave of Act 22.04.doc" and the other two are .png images. The image files are harmless but the document contains the expected malicious macros that deliver the payload. The bait that should get victims to open the attachment is the promise of additional important information that is not available before macros are enabled.
Traces to Previous TrickBot Activity
Even though the particular tests carried out by IBM researchers showed that even after enabling macros, the malware failed to connect to its command and control servers and download an actual instance of TrickBot, the campaign is linked to this particular malware due to how the document macros operate. Additionally, an IP address related to the C&C server was previously used in by the bad actors responsible for TrickBot.
TrickBot itself has grown from a Trojan that scrapes banking credentials into a more diverse and sophisticated platform that can also deliver additional malware, including ransomware payloads.