No surprise that criminals are using Coronavirus/COVID-19 as a way to trick people into opening nasty Word document that could infect your computer.
All the usual suspects are trying to take advantage of Coronavirus to sell stuff. Plenty of fake ‘cures’ being touted, usually existing ‘miracles’ rebadged to take advantage of the unwary.
Just one example is reported by Sophos, it’s a variant on the Trickbot campaign and targets Italians.
The inner workings of the hacked .doc file are the same, all that’s changed is the wording of the email. It’s supposed to come from a doctor passing along WHO recommendations for COVID-19.
As usual, the infected document is the old-style .DOC format – which should be a major ‘red flag’ that something is wrong.
‘This document was created in an earlier version of Microsoft Office Word’
A clever wording since that kind of warning occasionally does appear in Office.
Microsoft does NOT refer to ‘Microsoft Office Word’ using that phrase.
The copyright is another clever touch adding ‘corroborative detail’.
Instructions to bypass Office protections
The two instructions in the document are there to trick people into bypassing important protections in Office.
Enable Editing – takes the document out of ‘Protected Mode’ which is the default for incoming docs from email etc.
Enable Content – clicking that allows VBA scripts to run. In this case, it allows the code to infect your computer.