The Truth Behind Trump’s ‘Covid-19 Dossier’—Notorious Hacking Group Targets Curiosity
Security researchers reveal the truth behind Trump Covid-19 dossier
Everyone wants to know more about the president’s medical condition, but you shouldn’t be tempted to read this particularly dangerous dossier.
Cybercriminals have just as much of an interest in the health of President Trump as anyone else, albeit for entirely malicious reasons. Given that the world’s media has been focused on Trump’s positive Covid-19 test and the drama that has ensued for a week now, it’s surprising that hackers have taken so long to start their nefarious campaigns.
But start they have: here’s what you need to know to avoid your computers getting infected.
Security researchers from email security vendor Proofpoint have reported that a phishing campaign leveraging President Trump’s ongoing health issues has been spotted in the wild.
This particular campaign appears to be targeting organizations based in the U.S. and Canada. The geography aims to make the most of the heightened interest as the presidential elections fast approach.
The enterprise targeting fits the payload: malware called BazarLoader, a backdoor Trojan that gives the attackers a foothold in the victim's network and ultimately leads to compromise by way of a well-established ransomware threat.
Although Proofpoint has not been able to firmly attribute the threat actor behind the Trump health phishing campaign, permit me to suggest that the clues are all there.
The biggest being that BazarLoader is thought by many to be a malware weapon from the notorious hacking group behind Trickbot.
Trickbot itself, considered extremely dangerous malware, was first spotted in 2016 and already had strong links to the pandemic; it was the most prolific user of Covid-19 lures at the start of the crisis.
The lack of official information regarding many aspects of Trump’s medical condition has, in effect, given these notorious hackers an in. The email campaign uses three different variations on the same curiosity-inspired subject line:
- Recent material pertaining to the president’s illness
- Newest information about the president’s condition
- Newest info pertaining to president’s illness
All the emails, though, use the same lure in the same format: a purported set of documents containing as-yet-unreported 'inside' information on the president's medical condition, which you have to download by clicking a link embedded in the message.
Who falls for that these days, you may be asking?
Truth be told, way too many people. The campaign uses as many emotional and psychological tricks as possible to ensure that they do. Beyond playing upon the curiosity factor of knowing what “they” aren’t telling you about Trump’s infection, the hackers also work hard to make you think everything will be just fine.
Clicking the link takes the user to a Google Docs page that presents what looks like a Microsoft Word document, complete with a notice claiming the file has been scanned for malware and found safe.
It isn't safe to hit the download prompt, though: there is no dossier and there is no document.
What downloads instead is a BazarLoader executable. Once run, it gives the cybercriminals remote access to the network, and the ultimate goal appears to be installing Ryuk ransomware, the same Russian-linked ransomware that has previously taken down government networks in North Carolina and New Orleans.
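The three subject lines listed above and the link-to-hosted-"document" delivery chain are the observable traits a mail gateway or SOC analyst can key on. The script below is an added example, not Proofpoint's detection logic or anything from the original report: it scores constructed sample messages against those traits. The regular expressions, the weights and threshold, the inclusion of drive.google.com alongside the reported docs.google.com, and every sample message and URL are assumptions made here for illustration.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Subject-line pattern modelled on the three lure variants reported for this
# campaign ("Recent material pertaining to the president's illness", etc.).
# The exact pattern is an assumption; tune it to your own mail telemetry.
SUBJECT_LURE = re.compile(
    r"\b(recent|newest|latest)\b.*\b(material|information|info)\b.*"
    r"\bpresident'?s?\b.*\b(illness|condition|health)\b",
    re.IGNORECASE,
)

# Document-hosting services abused to make the lure page look legitimate.
# docs.google.com is the one reported; drive.google.com is an assumption.
DOC_HOSTS = {"docs.google.com", "drive.google.com"}

# Wording that pushes the reader to fetch a "document" through the link.
DOWNLOAD_CUE = re.compile(
    r"\b(download|open|view)\b.{0,40}\b(document|dossier|report|file)s?\b",
    re.IGNORECASE | re.DOTALL,
)

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Assumed weights: a lure subject alone is enough to flag for review.
SUSPICIOUS_THRESHOLD = 3


@dataclass
class Email:
    subject: str
    body: str


@dataclass
class Verdict:
    score: int
    reasons: List[str]

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def link_hosts(body: str) -> List[str]:
    """Return the lower-cased hostname of every http(s) URL in the body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def triage(msg: Email) -> Verdict:
    """Score one message against the lure traits described in the article."""
    score, reasons = 0, []
    if SUBJECT_LURE.search(msg.subject):
        score += 3
        reasons.append("subject matches president-health lure")
    if any(h in DOC_HOSTS for h in link_hosts(msg.body)):
        score += 2
        reasons.append("link points at a document-hosting service")
    if DOWNLOAD_CUE.search(msg.body):
        score += 1
        reasons.append("body urges downloading a document")
    return Verdict(score, reasons)


def triage_batch(msgs: List[Email]):
    return [(m.subject, triage(m)) for m in msgs]


# Constructed sample messages (not real campaign emails; the URLs are placeholders).
SAMPLE_MESSAGES = [
    Email("Newest information about the president's condition",
          "Unreleased notes from the medical team. Download the full dossier here: "
          "https://docs.google.com/document/d/CONSTRUCTED-SAMPLE-ID/view"),
    Email("Q3 budget review",
          "Meeting notes are in https://docs.google.com/document/d/ANOTHER-SAMPLE-ID/edit"),
    Email("Newest info pertaining to president's illness",
          "See the files in the link sent earlier."),
]

if __name__ == "__main__":
    for subject, v in triage_batch(SAMPLE_MESSAGES):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} score={v.score} {subject!r} {v.reasons}")
```

Subject matching is deliberately narrow and will drift out of date as soon as the lure changes, which is the point of the second and third checks: a link to a document-hosting page that then offers a file for download is the part of the chain that survives a new headline, and the stronger control is to detonate or block executables fetched from such links rather than to chase subject lines.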
Proofpoint’s senior director of threat research and detection, Sherrod DeGrippo, says that the “shift towards using politically-themed lures has come just days after the first of several 2020 presidential debates; however, it’s unlikely that this shift is driven by any specific political ideology.”
Indeed, like the earlier use of Covid-19 lures, cybercriminals are just exploiting popular news topics that grab a nation’s interest. Or, as in the case of Trump’s infection, the world. “We’ve seen throughout the global Covid-19 situation that threat actors are able to adjust quickly to timely news and current events,” DeGrippo says, “their quick use of DNC-themed emails following last week’s presidential debate and their utilization of the president’s Covid-19 diagnosis demonstrates just how swiftly threat actors can tailor their email lures to focus on prominent events.”