Original Release Date: 5/8/2020
Global cybersecurity firms, as well as the NJCCIC, continue to observe various COVID-19 and financial relief-themed phishing campaigns. A new TrickBot campaign has been observed attempting to deliver malware through phishing emails claiming to be from the US Department of Labor (DOL). The phishing email claims to contain information about specific changes to the Family and Medical Leave Act (FMLA) and asks the recipient to complete an attached DocuSign form. If the form is opened, the recipient is asked to enable macros, which allows malicious scripts to launch when the form is closed, a common technique used in other TrickBot campaigns. Additionally, the malicious script calls back to a known TrickBot IP address used as a command-and-control server in an attempt to download malware, though IBM X-Force researchers found that some downloads were unsuccessful.
The NJCCIC reminds users to exercise caution with COVID-19 and relief-themed emails. We also advise users to be cautious with attachments, avoid enabling macros, and keep applications up to date. Additional information can be found in the Security Intelligence article.
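The following Python example is added here and is not part of the NJCCIC advisory or the IBM X-Force research. It shows how a mail filter could act on the advice above: detect attachments that carry a VBA project regardless of file extension, and flag close-time handlers in extracted macro source. The function names, sample attachment and sample macro are constructed for illustration, and the OLE check is a byte-pattern heuristic.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # legacy .doc/.xls container header
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # stream name as stored in an OLE directory

# VBA entry points that Word and Excel run when a document or workbook is closed.
CLOSE_HANDLERS = re.compile(
    r"^\s*(?:(?:Private|Public)\s+)?Sub\s+"
    r"(AutoClose|Auto_Close|Document_Close|Workbook_BeforeClose)\b",
    re.IGNORECASE | re.MULTILINE,
)

def carries_vba(data: bytes) -> bool:
    """True if the attachment bytes hold a VBA project, whatever the extension says."""
    if data.startswith(OLE_MAGIC):
        return VBA_STREAM in data                # heuristic: find the stream's directory entry
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    return False

def close_triggers(vba_source: str) -> list:
    """Names of close-time handlers declared in extracted macro source."""
    return [m.group(1) for m in CLOSE_HANDLERS.finditer(vba_source)]

def build_sample(with_macro: bool) -> bytes:
    """Constructed OOXML-style attachment; the vbaProject.bin body is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()

# Constructed, harmless macro source of the kind a VBA extractor would output.
SAMPLE_VBA = """\
Private Sub Document_Open()
End Sub
Private Sub Document_Close()
    MsgBox "closing"
End Sub
"""

if __name__ == "__main__":
    print(carries_vba(build_sample(True)), carries_vba(build_sample(False)))
    print(close_triggers(SAMPLE_VBA))
```

A close-time handler is worth its own flag because analysis that opens a document but never closes it will not see the macro run.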