Microsoft Security Intelligence has revealed that the TrickBot malware is being spread via a new phishing campaign that exploits the current COVID-19 crisis. The campaign offers fake virus advice and testing, installing the malware via ‘macro-laced’ malicious attachments.
Based on Office 365 ATP data, Trickbot is the most prolific malware operation using COVID-19 themed lures. This week’s campaign uses several hundred unique macro-laced document attachments in emails that pose as a message from a non-profit offering a free COVID-19 test. pic.twitter.com/V2JcZg2kjt
— Microsoft Security Intelligence (@MsftSecIntel) April 17, 2020
The sad reality is that the COVID-19 situation offers even the most sophisticated APT groups the chance to execute phishing attacks that exploit the current crisis. TrickBot is no different: this sophisticated crimeware adapts quickly to the situation and seizes the moment to ensure its attacks succeed. It is also particularly nasty: once it is on a user’s device, TrickBot tries to compromise the user’s SSH keys, which grant its operators control over a business’s sensitive information.
SSH machine identities automate control over all manner of systems, from datacentres to cloud environments. Stealing them hands that control to the attackers and lets them establish long-term access, since SSH keys don’t expire and most organisations – even those with sophisticated defences – never change them.
This phishing campaign is a grim reminder that unless businesses have visibility over all the SSH keys in use across the datacentre and cloud, and automated processes in place to change them, attacks of this kind and the growing theft of SSH keys will only continue.
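The visibility the article calls for starts with knowing which keys are authorised where. The following is an added example, not code from the article or from Microsoft: it parses the content of an OpenSSH `authorized_keys` file, computes the `SHA256:` fingerprint that `ssh-keygen -lf` would report, and flags entries a defender would want to rotate or restrict (keys with no `from=` or `command=` restriction, RSA keys below a chosen size, duplicate keys, malformed entries). The sample file content, the 2048-bit RSA threshold and the function names are constructed for this example.

```python
"""Inventory the keys in an OpenSSH authorized_keys file and flag the ones
worth rotating or restricting. Added example; the sample content is constructed."""
import base64
import binascii
import hashlib
import struct

MIN_RSA_BITS = 2048  # assumption: policy threshold chosen for this example
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH wire 'mpint'."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the number positive in two's complement
    return _ssh_string(raw)


def _read_string(blob: bytes, off: int):
    """Read one SSH wire 'string' at offset off; return (data, new offset)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_line(line: str):
    """Parse one authorized_keys line; return None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPE_PREFIXES):
        # An options field comes first; a quoted option value may contain spaces.
        in_quote = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_quote = not in_quote
            elif ch.isspace() and not in_quote:
                options, line = line[:i], line[i:].lstrip()
                break
    fields = line.split(None, 2)
    if len(fields) < 2:
        return None
    ktype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) > 2 else ""
    entry = {"type": ktype, "valid": False, "fingerprint": None, "bits": None,
             "options": options, "comment": comment}
    try:
        blob = base64.b64decode(b64, validate=True)
        blob_type, off = _read_string(blob, 0)
        # Same fingerprint format as `ssh-keygen -lf`: SHA256 over the raw blob,
        # base64 without padding.
        digest = hashlib.sha256(blob).digest()
        entry["fingerprint"] = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        if blob_type == b"ssh-rsa":
            _e, off = _read_string(blob, off)
            n_raw, _ = _read_string(blob, off)
            entry["bits"] = int.from_bytes(n_raw, "big").bit_length()
        entry["valid"] = blob_type.decode() == ktype
    except (binascii.Error, struct.error, ValueError, UnicodeDecodeError):
        pass
    return entry


def audit(text: str):
    """Return (inventory, findings) for the content of an authorized_keys file."""
    inventory, findings, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        entry["line"] = lineno
        inventory.append(entry)
        if not entry["valid"]:
            findings.append((lineno, "malformed key or declared type mismatch"))
            continue
        opts = entry["options"]
        if "from=" not in opts and "command=" not in opts:
            findings.append((lineno, "unrestricted key: no from= or command= option"))
        if entry["bits"] is not None and entry["bits"] < MIN_RSA_BITS:
            findings.append((lineno, f"RSA key only {entry['bits']} bits"))
        fp = entry["fingerprint"]
        if fp in seen:
            findings.append((lineno, f"duplicate of key on line {seen[fp]}"))
        else:
            seen[fp] = lineno
    return inventory, findings


def sample_authorized_keys() -> str:
    """Constructed sample: a restricted ed25519 key, a 1024-bit RSA key, and an
    unrestricted duplicate of the ed25519 key. Not real keys."""
    ed_blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    rsa_blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 1023) | 1)
    ed_b64 = base64.b64encode(ed_blob).decode()
    rsa_b64 = base64.b64encode(rsa_blob).decode()
    return "\n".join([
        "# constructed sample, not a real key file",
        f'from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-ed25519 {ed_b64} backup@host',
        f"ssh-rsa {rsa_b64} legacy@host",
        f"ssh-ed25519 {ed_b64} copy-of-backup@laptop",
    ])


if __name__ == "__main__":
    inv, found = audit(sample_authorized_keys())
    for e in inv:
        print(e["line"], e["type"], e["fingerprint"], e["comment"])
    for lineno, msg in found:
        print(f"line {lineno}: {msg}")
```

Run across every `~/.ssh/authorized_keys` and `/etc/ssh` key on a fleet, the fingerprints give you the inventory the article says most organisations lack; the same key appearing under many accounts or hosts is exactly the long-lived, never-rotated access that a stolen key inherits.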