Crooks are attempting to exploit the fear of users of becoming infected with the Coronavirus, experts at Sophos have uncovered a new spam campaign. Spam messages pretend to be from a doctor (Dr. Penelope Marchetti) at the World Health Organization (WHO), they have a subject of “Coronavirus: Informazioni
“Spam targeting Italian e-mail addresses is playing on fears over the Coronavirus outbreak in that country.” reads the report published by Sophos.
“The e-mail carries a document purported to be a list of precautions to take to prevent infection. But the enclosed file is in fact a
Below the text of the message in Italian:
Gentile Signore/Signora, A causa del fatto che nella Sua zona sono documentati casi di infezione dal coronavirus, l'Organizzazione Mondiale della Sanità ha preparato un documento che comprende tutte le precauzioni necessarie contro l'infezione dal coronavirus. Le consigliamo vivamente di leggere il documento allegato a questo messaggio! Distinti saluti, Dr. Penelope Marchetti (Organizzazione Mondiale della Sanità - Italia)
This translates to English as:
Dear Sir / Madam, Due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message! With best regards, Dr. Penelope Marchetti (World Health Organization - Italy)
The messages include a Weaponized Word document that once opened will ask victims to click on the ‘Enable Content’ button to properly view the content of the message.
Once clicked on the button, the embedded macros will be executed and act as a dropper for a piece of the infamous Trickbot malware.
Below the sequence of actions triggered by enabling the macro:
TrickBot allows attackers to gather information from compromised systems, it also attempts to make lateral movements to infect other machines on the same network.
Then the attackers attempt to monetize their efforts by deploying the Ryuk Ransomware
“As with most viruses – digital or biological – this particular contagion can be prevented through good hygiene: Disable macros in Office applications for all but the most trusted documents, and train everyone in the organization what not to do with documents received via email.” concludes Sophos.
Sophos also shared Indicators of Compromise (IoC) for this threat.
(SecurityAffairs – hacking, Coronavirus)