Threat Advisory: Updates Regarding COVID-19 Related Cyber Attacks

April 6, 2020

Overview 

Malware-based phishing campaigns have been on the rise since early March. The campaigns appear to be from a trusted source, such as healthcare organizations, educational institutions, government agencies, or other official sources. The associated emails often contain a link that promises key information, relevant data, or tracking information regarding the Coronavirus.

A number of these emails appear to originate from cdc[.]gov and contain links resembling the Centers for Disease Control and Prevention (CDC) official sites. However, they route to threat actor-controlled websites and may request login credentials, ask for donations in bitcoin, or even serve malware. These links may contain legitimate data, such as live tracking maps, however, propagate malware such as the credential stealer AZORult.

Registered Domains

Since mid-January 2020, there has been an increase in COVID-19 related domain registrations with a significant rise in late February. The large February spike in domain registrations is a likely indicator that attackers have realized the potential of COVID-19 as an attack vector.

Threat actors are preying on the fear and urgency of the situation, along with domains closely representing their legitimate counterpart, to further increase their reach and information-gathering abilities.

Summary of Coronavirus-Related Phishing Campaigns
  • January 2020: IBM X-Force researchers observe a Coronavirus phishing campaign targeting Japan to distribute Emotet using Microsoft Word documents. This campaign was also found to involve Lokibot infections via a Windows RAR file.
  • February 2020: Proofpoint detects a COVID-19 based phishing campaign targeting manufacturing, industrial, transportation, pharmaceutical, and cosmetic industries. This campaign used a malicious Microsoft Office document to deliver the AZORult malware.
  • February 2020: Kaspersky observes a phishing campaign using the cdc-gov[.]org and cdcgov[.]org domains. These domains led to a fake Microsoft Outlook login page.
  • February 2020: Security researchers from the IssueMakersLab team discovered a document containing the North Korean malware BabyShark targeting South Korea’s response to Coronavirus.
  • February 2020: Security researchers from the RedDrip Team identified a campaign targeting Ukraine using a malicious Microsoft Word document and TrickyMouse. The document leveraged branding from the World Health Organization (WHO) and the Ministry of Health of Ukraine to fool victims.
  • February 2020: The RedDrip Team researchers also identified a COVID-19 campaign targeting the South Korean chemical manufacturing company, Dongwoo Fine-Chem Corporation. This campaign used an attached document and the Nanocore RAT.
  • February 2020: ESET researchers discovered malicious sites targeting users in Spain, Mexico, and Brazil that used Coronavirus as a lure to infect hosts with the Grandoreiro banking trojan.
  • March 2020: Cofense identified two phishing campaigns using COVID-19 based subject lines and a spoofed email address to redirect to a Microsoft Outlook login page. The email may also contain a malicious .exe file masquerading as an Excel file, which then drops the Agent Tesla Keylogger.
  • March 2020: Sophos researchers tracked a phishing campaign targeting people in Italy using a macro embedded Microsoft Office document to drop the Trickbot banking trojan.
  • March 2020: FortiGaurd Labs discovered a phishing attack using FedEx branding to distribute a file claiming to be a customer advisory. When opened, the file installs the Lokibot malware.
  • March 2020: Researchers are suspecting that the Chinese threat actor group, Mustang Panda, is using a malicious .rar file alleging to contain statements from the Vietnamese Prime Minister to infect victim hosts with malware.
  • March 2020: A malicious .apk file was discovered on an Iranian government website. The Iranian Health Ministry sent messages to victims advising them to download the app as it contained information on monitoring for COVID-19 symptoms. The .apk file was later identified as spyware designed to gather information on the users.
APT36 and Crimson RAT

Researchers at Malwarebytes have observed advanced persistent threat group, APT36, conducting a phishing campaign against multiple Indian-based targets. The targets include the Indian defense sector, embassies, and the government of India. The campaign uses spear phishing and watering hole attacks to gain initial access with the goal of delivering the Crimson RAT malware.

The phishing emails contain either a malicious macro document or a Rich Text Format (RTF) file. Both file types abuse remote code execution vulnerabilities such as CVE-2017-0199. The macro checks the operating system type and then deploys the corresponding 32 or 64bit Crimson RAT version. This malware gathers information from the victim’s host, then connect and send the data back to the command-and-control server. The information gathered includes running processes, hostname, and username.

Indicators of Compromise include:

 Organization APT36 (C-Major, Mythic Leopard, ProjectM, TMP.Lapis, Transparent Tribe)
 Malware Crimson RAT
 Hashes
  • 0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010
  • 876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656
  • 20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a
  • b67d764c981a298fa2bb14ca7faffc68ec30ad34380ad8a92911b2350104e748
 IP Addresses
  • 107.175.64.209
  • 64.188.25.205
 Domain email.gov.in.maildrive.email
 Attack Vectors
  • Watering hole attack
  • C&C Server
  • Spear Phishing
 Country India
 Vulnerability CVE-2017-0199

 

CovidLock, the Android Ransomware

A ransomware targeting Android devices was recently detected by analysts at DomainTools. The ransomware was traced back to a website, coronavirusapp[.]site, that advertised a real-time tracker for COVID-19 infections. The malware was distributed via a downloaded malicious .apk file. Once downloaded, the application interface requests permissions to activate infection tracking and when approved, the permissions allow the ransomware to gain control over the device.

Upon gaining control of the device, CovidLock locks the screen and displays the ransom message. The message informs the victim that they have 48 hours to pay $100 in bitcoin before the malware starts erasing the device’s content.

Indicators of Compromise include:

 Organization World Health Organization
 Malware
  • CovidLock (CovidLocker)
  • AZORult
 Hashes
  • 69a6b43b5f63030938c578eec05993eb
  • c844992d3f4eecb5369533ff96d7de6a05b19fe5f5809ceb1546a3f801654890
 IP Addresses
  • 107.175.64.209
  • 64.188.25.205
 Domain
  • coronavirusapp.site
  • cdc-gov.org
  • dating4sex.us
  • dating4free.us
  • perfectdating.us
  • redditdating.us
 Attack Vectors
  • Credential Stealing
  • Phishing
 Country
  • Poland
  • Germany
  • United States
  • France
  • Belgium
  • Portugal
 Email Address phc859mgge638@inbox.ru

 

MBR-Rewriting Malware

A malware sample, known to rewrite the host's master boot record (MBR), has been analyzed by the SonicWall Threat Research team. Upon initial execution, a pop-up window is displayed while the malware disables the Windows Task Manager, User Access Control (UAC), and the add/modify wallpaper setting. It also begins copying the MRB to another disk sector prior to writing a unique message where the MBR originally was. The install script then reboots the host and loads the new locked boot screen.

Filename: COVID-19.exe
SHA256 Hash: DFBCCE38214FDDE0B8C80771CFDEC499FC086735C8E7E25293E7292FC7993B4C

A second MBR-rewriting malware has also been found to pose as ransomware and used a boot message to inform the victim that the device has been encrypted. Known as CoronaVirus ransomware, this particular malware only rewrites the MBR to keep the user out of the operating system while it steals usernames and passwords. This malware also contained unused code that would start wiping data from the system. On a later detection of this malware, the data wiping code had been replaced by a functioning screen-locker.

Zeus Sphinx

After a few quiet years, the Zeus Sphinx banking trojan was recently discovered being used again as the payload in a COVID-19 themed phishing campaign. The phishing campaign uses emails with attached documents disguised as government relief payment information. The operators are continuing to target people that use major banks from the United States, Canada, and Australia.

The email asks the recipient to fill out the attached form to receive their relief payments. However, the document contains malicious macros that once enabled, will infect the host with a malware downloader and the banking trojan. To protect against these campaigns, Herjavec Group recommends avoiding clicking on links or opening attachments from unknown senders. To ensure you're visiting a legitimate site, enter the URL manually into a browser.

Herjavec Group continues to stress the importance of remaining vigilant when it comes to phishing attempts.

  • Educate your teams to avoid suspicious attachments and not to enable macros on untrusted documents.
  • Double-check any links by hovering over them to ensure you will not be redirected to a fraudulent website
  • Review URL domain names carefully for typos or missing characters

Herjavec Group recently published a Threat Advisory on how organizations can mitigate cyber attacks that leverage the Coronavirus pandemic, a summary of IOCs relating to known malware families, and domains specific to COVID-19. You can review it here.

Herjavec Group’s Managed Services team will be proactively blocking names/IP addresses where applicable, following documented change processes as per usual.

For more information on how Herjavec Group can help your organization with an emergency preparedness plan, or secure remote access solutions, please connect with us.


About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.

Stay Informed

Follow us on Twitter

Connect with us on LinkedIn