Threat Advisory: Additional Information Regarding COVID-19 Related Cyber Attacks
March 19, 2020
Malware-based phishing campaigns have been on the rise since early March. The campaign emails are crafted to appear to come from a trusted source, such as a healthcare organization, educational institution, government agency, or other official body. They typically contain a link that promises key information, relevant data, or case-tracking information about the Coronavirus.
A number of these emails appear to originate from cdc[.]gov (the sender address is spoofed) and contain links that resemble the Centers for Disease Control and Prevention (CDC) official sites. In reality the links route to threat actor-controlled websites that may request login credentials, solicit donations in bitcoin, or serve malware. The landing pages may present legitimate-looking data, such as live infection-tracking maps, while at the same time delivering malware such as the AZORult credential stealer.
Since mid-January 2020 there has been an increase in COVID-19 related domain registrations, with a significant rise in late February. The February spike is a likely indicator that attackers have recognized the potential of COVID-19 as a phishing lure.
Threat actors are preying on the fear and urgency of the situation, and registering domains that closely resemble their legitimate counterparts, to extend their reach and improve their credential- and information-gathering capabilities.
Summary of Coronavirus-Related Phishing Campaigns
- January 2020: IBM X-Force researchers observe a Coronavirus-themed phishing campaign targeting Japan that distributes Emotet via Microsoft Word documents. The same campaign was also found to deliver Lokibot via a RAR archive.
- February 2020: Proofpoint detects a COVID-19 based phishing campaign targeting manufacturing, industrial, transportation, pharmaceutical, and cosmetic industries. This campaign used a malicious Microsoft Office document to deliver the AZORult malware.
- February 2020: Kaspersky observes a phishing campaign using the lookalike domains cdc-gov[.]org and cdcgov[.]org. These domains led to a fake Microsoft Outlook login page used to harvest credentials.
- February 2020: Security researchers from the IssueMakersLab team discovered a document containing the North Korean malware BabyShark targeting South Korea’s response to Coronavirus.
- February 2020: Security researchers from the RedDrip Team identified a campaign targeting Ukraine using a malicious Microsoft Word document and TrickyMouse. The document leveraged branding from the World Health Organization (WHO) and the Ministry of Health of Ukraine to fool victims.
- February 2020: The RedDrip Team researchers also identified a COVID-19 campaign targeting the South Korean chemical manufacturing company, Dongwoo Fine-Chem Corporation. This campaign used an attached document and the Nanocore RAT.
- February 2020: ESET researchers discovered malicious sites targeting users in Spain, Mexico, and Brazil that used Coronavirus as a lure to infect hosts with the Grandoreiro banking trojan.
- March 2020: Cofense identified two phishing campaigns using COVID-19 themed subject lines and a spoofed sender address to redirect victims to a spoofed Microsoft Outlook login page. The emails may also carry a malicious .exe file masquerading as an Excel spreadsheet, which drops the Agent Tesla keylogger.
- March 2020: Sophos researchers tracked a phishing campaign targeting people in Italy using a macro embedded Microsoft Office document to drop the Trickbot banking trojan.
- March 2020: FortiGuard Labs discovered a phishing attack using FedEx branding to distribute a file claiming to be a customer advisory. When opened, the file installs the Lokibot malware.
- March 2020: Researchers suspect that the Chinese threat actor group Mustang Panda is using a malicious .rar archive, purportedly containing statements from the Vietnamese Prime Minister, to infect victim hosts with malware.
- March 2020: A malicious .apk file was discovered on an Iranian government website. The Iranian Health Ministry sent messages advising recipients to download the app, claiming it could help them monitor for COVID-19 symptoms. The .apk was later identified as spyware designed to collect information about its users.
APT36 and Crimson RAT
Researchers at Malwarebytes have observed the advanced persistent threat group APT36 conducting a phishing campaign against multiple India-based targets, including the Indian defense sector, embassies, and the government of India. The campaign uses spear phishing and watering hole attacks to gain initial access, with the goal of delivering the Crimson RAT.
The phishing emails carry either a macro-laden Microsoft Office document or a Rich Text Format (RTF) file. The RTF files exploit CVE-2017-0199, a Microsoft Office OLE remote code execution vulnerability, while the macro documents rely on the recipient enabling macros. The macro checks whether the host is 32-bit or 64-bit and drops the matching Crimson RAT build. Once running, the RAT collects information from the victim's host, connects to its command-and-control server, and sends the data back. The information gathered includes running processes, hostname, and username.
Indicators of Compromise include:
- Organization: APT36 (C-Major, Mythic Leopard, ProjectM, TMP.Lapis, Transparent Tribe)
CovidLock, the Android Ransomware
Ransomware targeting Android devices was recently detected by analysts at DomainTools. It was traced back to the website coronavirusapp[.]site, which advertised a real-time tracker for COVID-19 infections and distributed the ransomware as a downloadable .apk file. Once installed, the app asks for device permissions under the pretext of enabling infection tracking; when the user approves them, those permissions give the ransomware control over the device.
With that control, CovidLock locks the screen and displays a ransom note informing the victim that they have 48 hours to pay $100 in bitcoin before the malware begins erasing the device's contents.
Indicators of Compromise include:
- Organization: World Health Organization
Herjavec Group continues to stress the importance of remaining vigilant when it comes to phishing attempts.
- Educate your teams to avoid suspicious attachments and never to enable macros on untrusted documents.
- Double-check any links by hovering over them to confirm that the actual target is not a fraudulent website.
- Review URL domain names carefully for typos, missing characters, or lookalike substitutions (for example, cdc-gov[.]org in place of cdc[.]gov).
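As an added illustration of the link-checking recommendations above (this is example code written for this advisory, not a Herjavec Group tool), the following Python script extracts the links from an HTML email body, compares each link's visible text with its real target (the "hover" check, automated), and scores the target hostname against a small assumed allow-list of legitimate domains for lookalike, typo, and COVID-19 themed patterns. The allow-list, the keyword list, the edit-distance threshold, and the sample email are constructed for the example; the only domains taken from the advisory itself are cdc-gov[.]org, cdcgov[.]org and coronavirusapp[.]site.

```python
"""Link and domain triage for COVID-19 themed phishing (example added to this advisory)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = ("cdc.gov", "who.int", "fedex.com")       # assumed allow-list, extend as needed
THEME_KEYWORDS = ("covid", "corona", "ncov", "pandemic")  # assumed lure vocabulary
MAX_TYPO_DISTANCE = 1                                     # edits tolerated before flagging a typo

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short labels so no library is needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(host: str) -> dict:
    """Score one hostname. Accepts de-fanged input such as cdc-gov[.]org."""
    host = host.lower().replace("[.]", ".").strip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return {"host": host, "verdict": "unparsable", "flags": []}
    # Naive registrable domain = last two labels (assumption: no public-suffix
    # list here, so co.uk-style names would be mis-split in real use).
    sld, tld = labels[-2], labels[-1]
    if f"{sld}.{tld}" in LEGIT_DOMAINS:
        return {"host": host, "verdict": "allow-listed", "flags": []}
    flags = []
    for legit in LEGIT_DOMAINS:
        lsld, ltld = legit.split(".")
        squashed = (lsld + ltld, lsld + "-" + ltld)          # e.g. cdcgov, cdc-gov
        if any(s in sld for s in squashed):
            flags.append(f"label '{sld}' embeds '{legit}'")
        elif sld == lsld:
            flags.append(f"same label as '{legit}' under a different TLD '.{tld}'")
        elif len(lsld) >= 4 and levenshtein(sld, lsld) <= MAX_TYPO_DISTANCE:
            # Skip very short brand labels: one edit away from "cdc" matches too much.
            flags.append(f"'{sld}' is within {MAX_TYPO_DISTANCE} edit(s) of '{legit}'")
    for kw in THEME_KEYWORDS:
        if kw in host:
            flags.append(f"COVID-19 themed keyword '{kw}'")
            break
    return {"host": host, "verdict": "suspicious" if flags else "no match", "flags": flags}

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def extract_links(html: str):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links

DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")

def triage_email(html: str):
    """Hover check, automated: does the domain shown in the link text match the real target?"""
    results = []
    for href, text in extract_links(html):
        host = urlparse(href).hostname or ""
        result = assess(host)
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and not (host == shown.group(0) or host.endswith("." + shown.group(0))):
            result["flags"].append(f"text shows '{shown.group(0)}' but target is '{host}'")
            result["verdict"] = "suspicious"
        results.append(result)
    return results

# Constructed sample email body for the example, not a real message from the advisory.
SAMPLE_EMAIL = """<html><body>
<p>Latest COVID-19 case numbers from the CDC:</p>
<a href="http://cdc-gov.org/coronavirus/cases">https://www.cdc.gov/coronavirus</a><br>
<a href="http://coronavirusapp.site/tracker.apk">Download the live tracker</a><br>
<a href="https://www.cdc.gov/coronavirus/2019-ncov/">Official CDC page</a>
</body></html>"""

if __name__ == "__main__":
    for r in triage_email(SAMPLE_EMAIL):
        print(r["verdict"].upper(), r["host"], "; ".join(r["flags"]))
```

On the sample message the first link is flagged twice (its label embeds cdc.gov and its visible text names a different domain than the target), the tracker link is flagged for its COVID-19 theme, and the genuine CDC link is allow-listed. For production use, replace the two-label split with a public-suffix-list lookup and treat the flags as triage input rather than a verdict; short brand labels and generic theme keywords will produce false positives that an analyst still has to review.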
Herjavec Group recently published a Threat Advisory on how organizations can mitigate cyber attacks that leverage the Coronavirus pandemic, a summary of IOCs relating to known malware families, and domains specific to COVID-19. You can review it here.
Herjavec Group’s Managed Services team will be proactively blocking names/IP addresses where applicable, following documented change processes as per usual.
For more information on how Herjavec Group can help your organization with an emergency preparedness plan, or secure remote access solutions, please connect with us.