Phishers commonly use lures claiming to provide further information on topics that are attracting a lot of media attention. At the start of the coronavirus pandemic, when there was little information about the virus, many phishing campaigns offered new information about the virus, updated figures on cases in the local area, information on how to protect against infection, and new cures.
Now, a new coronavirus-themed phishing campaign has been detected, this time claiming to provide inside information on President Trump’s health following his COVID-19 diagnosis. The President of the United States contracting COVID-19 was headline news around the world, especially following his hospitalization and conflicting news reports about the severity of the infection. It is therefore no surprise that phishers are taking advantage and are offering insider information on President Trump’s health.
Several phishing emails were identified by security researchers at Proofpoint, with the messages claiming to have important inside information on President Trump’s illness.
The emails have the subject lines:
- Newest info pertaining to president’s illness
- Newest information about the president’s condition
- Recent materials pertaining to the president’s illness
To view the information outlined in the emails, the recipient is required to click a hyperlink with the anchor text “Attached document”. The link directs the user to Google Docs, where they are informed that the linked file has been scanned and found to be safe.
The message body explains that the file is encrypted, and a password to open the file is provided. While the downloaded file appears to be a Word document, it is actually an executable file that installs a backdoor Trojan called BazarLoader.
The BazarLoader backdoor is believed to be used by the threat group behind the TrickBot Trojan. Once access has been gained to one device on the network using BazarLoader, the threat group will attempt to compromise the entire network. Data theft is likely and ultimately Ryuk ransomware is likely to be deployed.
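The lure described above relies on a downloaded file that looks like a Word document but is actually a Windows executable. The following is an added defender-side example, not code from the article or from Proofpoint: it compares a file's extension with its leading magic bytes so a mismatch (or a hidden double extension such as `.docx.exe`) can be flagged at the mail gateway or on the endpoint. The sample byte strings and filenames are constructed for illustration.

```python
# Magic-byte signatures for the file types relevant here (constructed lookup).
# OOXML .docx is a ZIP container, legacy .doc is an OLE2 compound file,
# and Windows executables (PE) begin with the DOS "MZ" header.
SIGNATURES = {
    b"PK\x03\x04": "zip/ooxml",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
    b"MZ": "pe",
}

# Which content type each Word extension is expected to carry.
DOCUMENT_EXTENSIONS = {"doc": "ole2", "docx": "zip/ooxml"}


def detect_type(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_download(filename: str, data: bytes) -> dict:
    """Flag a file whose name claims a Word document but whose bytes say otherwise."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    content = detect_type(data)
    findings = []
    # report.docx.exe: Explorer hides the last extension by default, so the
    # document-looking middle extension is what the user sees.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS and ext == "exe":
        findings.append("double-extension")
    # Extension says Word document, bytes say something else.
    if ext in DOCUMENT_EXTENSIONS and content != DOCUMENT_EXTENSIONS[ext]:
        findings.append(f"extension-content-mismatch:{ext}->{content}")
    # A PE header under any non-.exe name is worth a look on its own.
    if content == "pe" and ext != "exe":
        findings.append("executable-with-non-exe-extension")
    return {
        "extension": ext,
        "content": content,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Constructed sample: a fake "document" that is really a PE file.
    print(assess_download("president_condition.docx", b"MZ\x90\x00" + b"\x00" * 60))
```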