SpiderLabs Blog

TrickBot Disguised as COVID-19 Map

Written by Diana Lopera | Jun 18, 2020 11:01:00 AM

Cybercriminals are continuously exploiting the Coronavirus (COVID-19) pandemic. In our quest to monitor the COVID-19 related spams, we recently spotted one interesting campaign which uses an unusual email attachment to deliver TrickBot malware.

Figure 1: The spam campaign flow

 

The Road to TrickBot

The email, claiming to be from a volunteer organization which helps with those seeking COVID-19 financial aid, entices the email recipient to open the attachments – fake COVID-19 forms.

 

Figure 2: Trustwave Security Email Gateway displaying a recent COVID-19 spam

 

The attachments are Java Network Launch Protocol (JNLP) files. JNLP files are XML formatted files which can be used to launch java programs hosted on a remote server to the client machine. If the client machine has Java Runtime Environment (JRE) installed, JNLP files can be executed via a double click, as JRE includes the technology Java Web Start which can run such files.

In Figure 2, the two JNLP attachments are identical. Once executed, they will download and run the java program “map.jar” hosted at “http[s]://mapcovid[.]net” – a second stage downloader disguised as COVID-19 "Map" java program.

 

Figure 3: The attachment SARS-2_Form.jnlp, a fake COVID-19 form, is a downloader
 
Figure 4: The second stage downloader “map.jar” will download and execute the main malware “map.exe”

 

The downloaded file “map.jar” will launch the World Health Organization’s (WHO) “Q&A on coronaviruses (COVID-19)” webpage to cover up its malicious behavior – the downloading and installation of the main malware. This malware, concealed as a COVID-19 “Map” executable, will be downloaded from “http[s]://basecovid[.]com/map[.]exe” then saved and executed as %appdata%/map.exe.

The second downloaded file “map.exe” is the modularized banking trojan called TrickBot. This malware is prominent nowadays due to its wide range of functionalities: stealing information, downloading of other malwares, spam emails, etc.

The TrickBot %appdata%/map.exe will be automatically executed via the Execute() function of “map.jar”. Once run, it will create its installation folder SpotifyMusic at the Startup folder then drop a copy of itself. It will also create an encrypted file “settings.ini” – that contains the configuration of the TrickBot.

 

Figure 5: Installation path of the downloaded TrickBot
 
Figure 6: Decrypted TrickBot configuration

 

The decrypted TrickBot configuration contains vital information which will be used during the communication of the TrickBot executable to the C&Cs. It includes the version of the currently installed “map.exe” and its group tag <gtag>, the list of IP addresses of the C&Cs, and the first module to be downloaded by “map.exe”.

Figure 7: The memory dump of TrickBot “map.exe” showing the first request to its C&C

 

Summary

Malware authors are continuously taking advantage the COVID-19 pandemic in their spams. Like other cybercriminals, the threat actors behind this TrickBot malware are unleashing their creativity on crafting the initial arrival vector of their malware. Often, we observe TrickBot being delivered as payloads of malicious document attachments, particularly macro downloaders. This is the first time we have witnessed TrickBot use JNLP files as downloaders. In fact, the use of JNLP files as email attachments, to deliver malware, is not common.

It’s likely we shall see more of this kind of threat. We would recommend blocking *.jnlp files at your email gateway. We have added protections for this threat to the Trustwave Secure Email Gateway for our customers.

 

IOCs

SARS-2_Form.jnlp    SHA1: 46576bfebaecaacc4600bba429016b0713238f52
map.jar    SHA1: 0068154fbc4374642ebe50ac4f822c64b45635c8
map.exe    SHA1: 55b031294ff24919547cfcb4fd4f10a02902ce3b