Nasty Trickbot malware exploits people’s Coronavirus fears

Malicious hackers are using people’s fear of the Coronavirus to spread malware, known as Trickbot, by emailing an official-looking message that claims to contain a document listing some helpful precautions. Instead, it contains an infected Word document.

The email has been sent to Italian email addresses. Italy has been one of the countries most affected by Coronavirus, and the spam emails are preying on its residents’ understandable concern about the disease.

The emails contain the subject line “coronavirus: informazioni importanti su precauzioni” and claim to be sent by “Dr. Penelope Marchetti”. 

It then goes on to warn, in Italian, that “due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message!”.

Malware-infested document 

If recipients open the Word document, the document tries to run a macro, which is a programmable series of inputs in a program. Usually, macros can be used to make shortcuts for more complex commands in certain programs, but attackers can use macros to run malicious programs and code.

According to security firm Sophos, which detected the threat, when the Word document is opened, a VBA macro file (vbaProject.bin) and several Word-related XML files are placed on the victim’s hard drive. These connect to a PHP script on a remote server, which passes information about the PC and downloads malware onto it.

This is the screen that appears when victims open the email attachment (Image credit: Sophos)

If a user has macros disabled in Microsoft Word, then a message is displayed asking the victim to enable editing and enable content because “this document was created in an earlier version of Microsoft Office Word.” If the victim follows these steps, it allows the malicious code to be run.
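A mail filter can check for the macro part described above before a recipient ever sees the "enable content" prompt. The following Python sketch is an added example, not code from Sophos or from the original article; it assumes the attachment is a modern Office Open XML (ZIP-based) Word file, and the function names and sample input are constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary .doc container
VBA_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = ("application/vnd.openxmlformats-officedocument"
                   ".wordprocessingml.document.main+xml")
MAX_TYPES_SIZE = 1_000_000  # refuse to inflate an oversized [Content_Types].xml


def triage_attachment(data: bytes) -> dict:
    """Inspect an attachment for VBA macro parts without opening it in Word."""
    result = {"container": "other", "vba_parts": [], "macro_type": False,
              "verdict": "not_office"}
    if data.startswith(OLE_MAGIC):
        # Legacy format: a ZIP listing cannot rule macros out, so hold it.
        result.update(container="ole", verdict="quarantine")
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result  # a ZIP, but not an Office Open XML package
        result["container"] = "ooxml"
        result["vba_parts"] = [n for n in names
                               if n.lower().endswith("vbaproject.bin")]
        info = zf.getinfo("[Content_Types].xml")
        if info.file_size <= MAX_TYPES_SIZE:
            types = zf.read(info).decode("utf-8", "replace")
            result["macro_type"] = VBA_TYPE in types or MACRO_MAIN_TYPE in types
    macro = bool(result["vba_parts"]) or result["macro_type"]
    result["verdict"] = "quarantine" if macro else "no_macro_found"
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed test input shaped like a Word package (no real macro code)."""
    main = MACRO_MAIN_TYPE if with_macro else PLAIN_MAIN_TYPE
    types = f'<Types><Override PartName="/word/document.xml" ContentType="{main}"/></Types>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder bytes")
    return buf.getvalue()
```

A "no_macro_found" verdict only means no VBA part was present in the package; it says nothing about other kinds of malicious content.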

As Sophos points out, this malware has been doing the rounds before, but it was previously spread through spam emails that tried to trick people into opening the document by suggesting it had information about credit cards or loans.

Unfortunately, the malicious users have realized that preying on people’s Coronavirus fears is a more effective way to trick people into opening the document.

Even though the emails are targeting Italians, it’s likely people in other countries could be targeted as Coronavirus spreads.

Stay safe

To make sure you don’t fall victim to this scam, or a similar one, there are certain precautions you should take.

First of all, never open an unsolicited email from someone you don’t recognise, and especially do not open any attachments to those emails.

If you are concerned about Coronavirus, visit official websites of organisations such as The World Health Organization. Official government correspondence will never arrive via unsolicited emails, and governments will never ask you to open an attachment (especially a Word document) for important information.