Fake US Department of Labor Tricks Users

5778302894?profile=RESIZE_400xCyber-criminal and using the Corona Virus pandemic to spread the TrickBot malware.  These underhanded hackers are sending fake emails designed to look like notifications from the US Department of Labor concerning changes to the Family and Medical Leave Act (FMLA), which can provide up to 12 weeks of unpaid leave for employees who are ill or need to care for someone with a serious medical condition.  Benefits from FMLA increased in March 2020 when US President Trump signed the Families First Coronavirus Response Act.

"Spam purporting to come from official and government entities has been increasing considerably during the COVID-19 pandemic, with cybercriminals developing spam to match trending news, developments, merchandise and initiatives surrounding the outbreak as a means to deliver unsolicited emails that attract recipients to open and launch attachments," Ashkan Vila, a security analyst with IBM X-Force, notes in a recent report.[1]

Pic: Spam message that appears to come from the US Department of Labor (Source: IBM)

Spam messages that IBM researchers uncovered not only use official-looking logos and images from the US Department of Labor, but also borrow from the wording contained in the department's FAQ and "Contact Us" sites.  These fake messages contain three attachments, two PNG image files as well as what appears to be a DocuSign document called: "Family and Medical Leave of Act 22.04.doc."

While two image attachments are nonthreatening, the DocuSign-type attachment contains malicious macros that are designed to deliver the malware.  This can be one of the first steps to installing ransomware into an unsuspecting organizations servers and, or networks.

Victims are enticed to open that document because it is portrayed as containing more information about changes to the FMLA.  To read the document, the victim is asked to enable macros.  Once those are enabled, malware is installed on the device and then calls a command-and-control server, which eventually is supposed to attempt to install TrickBot. 

In the examples that IBM researchers found, however, Trickbot failed to deploy after the command-and-control server was contacted.  Nevertheless, the researchers believe the spam emails are part of a TrickBot campaign because of how the macros work to install the malware.  Plus, an IP address connected with the command-and-control server has been previously associated with the operators of this malware, according to the report.  IBM notes these spam emails appear to have stopped around 22 April 2020.

TrickBot Morphs

While TrickBot started out in 2016 as a banking Trojan that can steal data, the malware has been updated to work as a downloader that delivers other malicious code, such as ransomware.  Cyber threat analysts recently uncovered a new variant of the TrickBot malware that relies on new anti-analysis techniques, an updated method for downloading its payload as well as adopting minor changes to the integration of its components.  TrickBot is a module-based malware that, while first identified as a banking trojan, has gradually extended its functions to include collecting credentials from a victim’s emails, browsers, and installed network apps. The malware has also evolved to send spam to victim email lists, adopt new detection evasion methods and act as a delivery vehicle for other malware.  More recently, the operators behind the malware appear to be upgrading their anti-detection methods.

Ransomware attacks, a very real threat to many businesses, are usually the result of a network becoming infected with the TrickBot Trojan first, which is usually installed through malicious attachments in phishing emails.  TrickBot is an information-stealing Trojan that will steal data from an infected computer and then attempt to spread laterally through the network.  After harvesting all valuable data from a network, it then proceeds to open a shell back to the ransomware actors who will then proceed to harvest data from the network as well and gain administrator credentials.  This is not good.  After the ransomware has infected all devices on the network, the ransom payment demands begin.  And the threats to release confidential data.  This is really not good.

The new TrickBot variant works in a victim’s machine quickly.  The technologies it uses to perform anti-analysis, as well as how the payload of TrickBot communicates with its command and control server to download the modules has been upgraded.  This is one more example of how cyber threat actors are trying to stay ahead of cyber defenders.  Researchers discovered the latest variant in a malicious Word document, which they believe is part of a phishing campaign.  When the malicious Word document is opened, it asks the victim to “Enable Content,” which then executes a malicious Macro (in VBA code).  The VBA code then extracts a file (“C:\AprilReport\List1.jse”) which eventually runs a huge JavaScript file called “List1.jse.”

Red Sky Alliance has been has analyzing and documenting similar cyber threats for 8 years and maintains a resource library of malware and cyber actor reports.  Please feel free to contact our analyst team for research assistance.

What can you do to better protect your organization today?

  • All data in transmission and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network, which now includes ransomware coverage.
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.

Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice.  However, external threats are often overlooked and can represent an early warning of impending attacks.   Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.  Red Sky Alliance is in New Boston, NH   USA.     We   are   a   Cyber   Threat   Analysis   and   Intelligence Service organization.     For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Reporting:      https://www.redskyalliance.org/
Website:         https://www.wapacklabs.com/
LinkedIn:        https://www.linkedin.com/company/wapacklabs/
Twitter:           https://twitter.com/wapacklabs?lang=en


[1] https://www.bankinfosecurity.com/fake-labor-department-emails-designed-to-spread-trickbot-a-14223/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!