Post on 26-Jul-2020

2 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Coronavirus-themed Attack Campaigns Overview · MALSPAM CAMPAIGNS SPREADING OSTAP OR TRICKBOT MARCH 2020 12 This malspam campaign is based on sending e-mails (image on right) with

COVID-19-THEMED

OVERVIEW OF ATTACK CAMPAIGNS


SUMMARY

Copyright © 2020 Accenture. All rights reserved. 2

The appearance and spread of COVID-19 in late December 2019 laid the basis for a variety of globally distributed cyberthreats. Attackers, benefiting from the sensitive situation in which the world currently lives, exploited the COVID-19 (coronavirus) topic to their own advantage, mainly by running phishing campaigns that purport to share information about ongoing events and updates on the outbreak, in an attempt to distribute different types of malware. To induce victims to follow links contained in spam e-mails, attackers have often used websites that include clear references to COVID-19.

The graph below shows the number of domains registered during 2020 that contain keywords related to the COVID-19 theme. Note that these domains do not necessarily represent a threat, but are the result of research based on terms related to COVID-19.
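The keyword-based domain research the report describes can be reproduced as a simple triage filter. The following added example (not part of the report, and not iDefense's tooling) scans a list of newly registered names for COVID-themed terms, undoing common digit-for-letter substitutions first; the keyword list, the substitution table and the sample registrations are assumptions constructed for this example, and a match only means the name deserves a look, as the report itself notes.

```python
"""Keyword triage of newly registered domain names (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# The report does not list its exact keyword set; these terms and the
# look-alike substitutions below are assumptions made for this example.
COVID_KEYWORDS = ("coronavirus", "covid", "corona", "ncov", "pandemic", "vaccine")
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a"})

# Constructed sample of registrations (reserved .example names, not real lures).
SAMPLE_REGISTRATIONS = [
    "covid19-tracker.example",
    "c0r0na-virus-map.example",
    "wisecleaner-download.example",
    "news.example",
    "ncov-update.example.co",
]


@dataclass
class DomainHit:
    domain: str
    keyword: str           # keyword that matched
    normalized_label: str  # label after separator removal and digit substitution


def registrable_labels(domain: str) -> list[str]:
    """Return the host labels without the final (TLD) label.

    Public-suffix handling is deliberately not attempted here (assumption):
    for "ncov-update.example.co" this returns ["ncov-update", "example"].
    """
    labels = domain.strip().lower().rstrip(".").split(".")
    return labels[:-1] if len(labels) > 1 else labels


def normalize_label(label: str) -> str:
    """Undo common digit-for-letter substitutions and drop separators so that
    "c0vid-19" and "covid19" compare the same way."""
    return label.translate(LEET_MAP).replace("-", "").replace("_", "")


def find_covid_themed(domains: list[str]) -> list[DomainHit]:
    """Return one hit per domain whose registrable labels contain a theme keyword.

    A hit means the name is worth a look, not that it is malicious; this is a
    triage filter, not a verdict.
    """
    hits: list[DomainHit] = []
    for domain in domains:
        for label in registrable_labels(domain):
            norm = normalize_label(label)
            keyword = next((k for k in COVID_KEYWORDS if k in norm), None)
            if keyword:
                hits.append(DomainHit(domain, keyword, norm))
                break  # one hit per domain is enough
    return hits


if __name__ == "__main__":
    for hit in find_covid_themed(SAMPLE_REGISTRATIONS):
        print(f"{hit.domain:32} keyword={hit.keyword:12} ({hit.normalized_label})")
```

Longer keywords are listed first so that a name such as "c0r0na-virus-map" is reported under "coronavirus" rather than the shorter "corona"; in practice the hits would be fed to a registration-date or hosting check, not blocked outright.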


MALSPAM CAMPAIGN SPREADING EMOTET – JANUARY AND FEBRUARY 2020


A malicious spam (malspam) campaign occurring in January and February 2020 is based on sending fraudulent e-mails to Japanese targets, with the aim of spreading the Emotet malware. The campaign takes advantage of growing media attention on the "coronavirus" topic.

The e-mail in this campaign (see image on right) appears to have been sent by a public health authority and aims to inform the reader about the spread of coronavirus infection in different prefectures in Japan, offering the user further details about the local health situation by displaying an attached file.

Usually, the e-mails are delivered with an attached Word document which, once opened, shows a message styled as an Office 365 prompt inviting the user to enable editing of the content if it has been opened in protected mode. Enabling editing on a document from this campaign activates a VBA macro, which may download Emotet in the background.

Translation: "Jurisdiction tsusho / facility related disability welfare service provider. We become indebted to. Patients were reported about the new type of coronavirus-related pneumonia, mainly in Takeshi, China. Patients have been reported in Gifu Prefecture in Japan, therefore, please check the attached notice, thank you for your infection prevention measures."


MALSPAM CAMPAIGN SPREADING AZORULT – FEBRUARY 2020


This COVID-19-themed malspam campaign focuses on worries about global shipment disruptions. The attackers target almost exclusively companies in industries particularly sensitive to the problem, including manufacturing, industrial, financial, transportation, pharmaceutical and cosmetics companies.

Attached to the e-mails attackers use in this campaign (see image on right) is a malicious Microsoft Corp. Word document that attempts to exploit the CVE-2017-11882 Microsoft Office vulnerability related to the Equation Editor component. Once opened, the document runs code to install the information-stealer malware AZORult.


MALSPAM CAMPAIGN SPREADING LOKIBOT – FEBRUARY 2020


Actors distributed Lokibot in a phishing campaign using COVID-19 as a lure, with e-mails pretending to have been sent by the Ministry of Health of the People's Republic of China.

The e-mails (see image on right) claim to contain information about the emergency standards surrounding the virus with the subject line "Emergency Regulation Ordiance" and have a RAR file attached with the extension .arj. Once opened, the malicious attachment infects the victim system with Lokibot and contacts a command-and-control (C2) server to exfiltrate the user’s credentials.


MALSPAM CAMPAIGN SPREADING GRANDOREIRO – FEBRUARY 2020


A phishing campaign targeting Brazil, Mexico and Spain has distributed the Grandoreiro banking Trojan, using malicious sites containing information about the COVID-19 outbreak.

The page (see image on right) contains a clickable video illustrating the construction of a Chinese hospital. Playing the video causes the page to download an executable containing Grandoreiro.


CAMPAIGN BASED ON APT AND OTHER STATE-SPONSORED ACTORS – MARCH 2020 – VIETNAMESE PRIME MINISTER


The reuse of worldwide events is one of the main social engineering vectors that cybercrime groups have used for years in their operations. iDefense has observed this vector during the ongoing COVID-19 event: advanced persistent threat (APT) and other state-sponsored actors have reused the COVID-19 theme in social engineering efforts to forge malicious attachments and spear-phishing e-mails (see image on right).

One example of a group using this technique is the "Vicious Panda" Chinese threat group, which has targeted Mongolian political entities with a spear-phishing campaign using malicious RTF documents that exploit a vulnerability.

The final implant these actors have tried to install on targeted systems is a remote administration tool (RAT) that Check Point reports it had never seen before.


MALSPAM CAMPAIGN TARGETING SOUTH KOREA – FEBRUARY 2020


Actors have been spreading this malspam campaign in South Korea. It delivers an executable file named "Corona's domestic status" or "Corona's real-time corona status." Depending on the malware variant, once executed the file displays a pop-up window titled "Real-time Corona19 Status"; this window purports to provide figures on the status of COVID-19 infection in the country, including the number of infected patients, recoveries, deaths and tests performed.

In reality, the program downloads malicious code to the infected device, allowing attackers to control it remotely through a C2 server, capture screenshots, install malware and collect information without the user's knowledge.


PHISHING CAMPAIGNS SENT FROM CDC – FEBRUARY AND MARCH 2020


The actors behind a phishing campaign based on e-mails (see image on right) that appear to be sent by "The Centers for Disease Control (CDC)" and refer to COVID-19 aim to steal credentials. The e-mails induce users to visit a link that promises information about high-risk areas of COVID-19 infection. The link shows recipients a generic Microsoft Outlook login window in which the recipient's e-mail address and account name are already filled in, so recipients are prompted only for their password. The URL leads the victim to a Japanese phishing page.

Once the victim has entered their credentials, the campaign redirects them to a legitimate CDC site.



PHISHING CAMPAIGNS SENT FROM CDC (CONTINUED) – FEBRUARY AND MARCH 2020


Another campaign based on a CDC theme includes two varieties of attack. In one case, a URL contained in the phishing e-mail (first image on right) leads to a fake Microsoft Outlook login page designed to convince potential victims to enter their credentials. In another case, an e-mail (second image on right) asks potential victims to donate bitcoins to the CDC to find a vaccine for COVID-19.


MALSPAM CAMPAIGN SPREADING AGENT TESLA – MARCH 2020

This malspam campaign is based on e-mails (image on right) appearing to have been sent by the World Health Organization (WHO). The body of such e-mail invites recipients to view an attached file, showing an Excel file icon, and promising to provide information on precautions to take against the COVID-19 outbreak as well as information on companies whose employees have been infected. This file is actually an executable file containing the Agent Tesla keylogger.


MALSPAM CAMPAIGNS SPREADING OSTAP OR TRICKBOT – MARCH 2020


This malspam campaign is based on sending e-mails (image on right) with COVID-19 themes, addressed to Italian users. The e-mail in this campaign has the subject line "Coronavirus: Informazioni importanti su precauzioni," is written in proper Italian and is signed by "Dr. Penelope Marchetti (Organizzazione Mondiale della Sanità – Italia)." The e-mail asks recipients to open a .doc attachment that appears to provide information on precautions against infection but actually contains a .jse file belonging to the OSTAP downloader family.

Once the final malware is installed, it remains active on the victim device and sends data exfiltrated from the victim computer to the URL https://45[.]128[.]134[.]14/C821al/vc2Tmy[.]php; such data includes the computer name, local IP address and network card model. The infection chain may also involve the Ryuk ransomware.


Actors have used the same template to spread the Trickbot malware, which is capable of collecting information from compromised systems and performing lateral movement attacks to infect other machines on the same network as the victim system.
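The report lists its network and payment indicators (the OSTAP exfiltration URL above, the CovidLock domain and the CoronaVirus ransom address later in the deck) in defanged form, with dots written as "[.]". The following added example, which is not part of the report, shows how a defender can pull such indicators out of report text and refang them for a blocklist while keeping a defanged copy for display; the regular expressions, the extra defanging conventions and the sample text are assumptions constructed for this example.

```python
"""Extract defanged indicators from report text and refang them (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample text built from the indicators the report quotes, in the
# same defanged notation the report uses.
REPORT_TEXT = """
OSTAP sends exfiltrated data to https://45[.]128[.]134[.]14/C821al/vc2Tmy[.]php;
CovidLock was served from the domain coronavirusapp[.]site.
The CoronaVirus ransomware note demands 0.008 bitcoins sent to
bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk00xa3j.
"""

# Defanging conventions handled here (assumption: these are the common ones;
# the report itself uses only "[.]").
DEFANG_SUBS = [
    (r"\[\.\]", "."), (r"\(\.\)", "."), (r"\{\.\}", "."),
    (r"\[:\]", ":"), (r"hxxp", "http"),
]
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s\"'<>;,]+", re.I)
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\[\.\][a-z0-9-]+)+\b", re.I)
IPV4_RE = re.compile(r"(?:\d{1,3}\[\.\]){3}\d{1,3}")
BTC_BECH32_RE = re.compile(r"\bbc1[a-z0-9]{25,62}\b")


@dataclass(frozen=True)
class Indicator:
    kind: str      # "url", "ipv4", "domain" or "bitcoin"
    defanged: str  # as written in the report
    refanged: str  # usable in a blocklist


def refang(value: str) -> str:
    for pattern, replacement in DEFANG_SUBS:
        value = re.sub(pattern, replacement, value, flags=re.I)
    return value


def defang(value: str) -> str:
    """Inverse of refang for safe display: dots become [.] and http becomes hxxp."""
    return value.replace(".", "[.]").replace("http", "hxxp")


def extract_indicators(text: str) -> list[Indicator]:
    found: list[Indicator] = []
    # URLs first, then blank them out so their host part is not counted twice.
    for m in URL_RE.finditer(text):
        raw = m.group().rstrip(".,;)")
        found.append(Indicator("url", raw, refang(raw)))
    rest = URL_RE.sub(" ", text)
    for m in HOST_RE.finditer(rest):
        raw = m.group()
        kind = "ipv4" if IPV4_RE.fullmatch(raw) else "domain"
        found.append(Indicator(kind, raw, refang(raw)))
    for m in BTC_BECH32_RE.finditer(rest):
        found.append(Indicator("bitcoin", m.group(), m.group()))
    return found


if __name__ == "__main__":
    for ind in extract_indicators(REPORT_TEXT):
        print(f"{ind.kind:8} {ind.refanged}")
```

Only bech32 ("bc1...") payment addresses are matched because that is the form the report quotes; legacy base58 addresses would need a separate pattern and a checksum test to avoid false positives.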


MALSPAM CAMPAIGN SPREADING FORMBOOK – MARCH 2020


This malspam campaign is based on sending e-mails (image on right) with COVID-19 themes. The e-mails are written in English and appear sent by the WHO. The subject line is "Coronavirus Updates." The message asks recipients to open a ZIP archive that appears to provide updates on statistics and necessary precautions to take against the virus. The archive contains a file named "MY-HEALT.PDF," which is an executable that launches the GuLoader malware downloader.

At the end of the infection process, the malware installed on the victim's computer is FormBook, a Trojan specialized in information theft. Cyberespionage actors are those most likely to use the Trojan, which can extract information from HTTP sessions on the victim system, record keyboard typing and steal clipboard content. FormBook is also able to receive commands from a C2 server to perform further actions and download other malicious payloads.
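Several of the lures in this deck rely on the same few attachment tricks: a macro-enabled Word document (the Emotet campaign), an executable named to look like a document ("MY-HEALT.PDF" here, "Customer Advisory.PDF.exe" later), and an archive carrying such a file. The following added example, which is not part of the report, applies three cheap checks a mail gateway or triage script can run on an attachment; the file names echo those quoted in the deck, but the bytes, the extension lists and the check logic are assumptions constructed for this example.

```python
"""Mail attachment triage: macro documents and disguised executables (added example)."""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass, field

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "bat", "cmd", "hta"}
DOCUMENT_EXTS = {"doc", "docx", "docm", "xls", "xlsx", "xlsm", "rtf", "pdf"}
ARCHIVE_EXTS = {"zip"}  # only zip is parsed here; rar/arj would need extra libraries


@dataclass
class Verdict:
    filename: str
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Three checks: document-looking name with an executable extension, a PE (MZ)
    header behind a non-executable extension, and an Office document or zip
    archive that carries a VBA project or an executable member."""
    verdict = Verdict(filename)
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner_ext = parts[-2] if len(parts) > 2 else ""

    # 1. Double extension such as "Customer Advisory.PDF.exe".
    if ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        verdict.findings.append(f"document-looking name ends in executable extension .{ext}")

    # 2. PE header behind a harmless-looking extension such as "MY-HEALT.PDF".
    if data[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
        verdict.findings.append("PE (MZ) header but extension is not executable")

    # 3. OOXML documents and zip archives are both zip containers.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    name = info.filename
                    if name.lower().endswith("vbaproject.bin"):
                        verdict.findings.append("Office document carries a VBA macro project (vbaProject.bin)")
                    if ext in ARCHIVE_EXTS:
                        member_ext = name.lower().rsplit(".", 1)[-1]
                        with zf.open(info) as member:
                            head = member.read(2)  # only the magic bytes, not the whole member
                        if member_ext in EXECUTABLE_EXTS or head == b"MZ":
                            verdict.findings.append(f"archive member {name} is an executable")
        except zipfile.BadZipFile:
            verdict.findings.append("PK signature but not a readable zip container")
    return verdict


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a zip (or minimal OOXML-shaped) container in memory for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed samples: the names echo those quoted in the report, the bytes are made up.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = {
    "Coronavirus_notice.docx": make_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0constructed",
    }),
    "invoice.docx": make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
    "MY-HEALT.PDF": FAKE_PE,
    "Customer Advisory.PDF.exe": FAKE_PE,
    "Coronavirus Updates.zip": make_zip({"MY-HEALT.PDF": FAKE_PE}),
    "report.pdf": b"%PDF-1.4\n%constructed\n",
}


def run_triage(samples: dict[str, bytes] = SAMPLES) -> dict[str, Verdict]:
    return {name: triage_attachment(name, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_triage().items():
        status = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{status:10} {name}: {'; '.join(verdict.findings) or '-'}")
```

Legacy binary .doc files (OLE2 containers, as used by the Emotet lure) are not parsed here; they start with the D0 CF 11 E0 signature and need an OLE parser to locate the macro streams, so in practice this script would hand them to a dedicated tool.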



CAMPAIGN BASED ON AZORULT – MARCH 2020


Using the COVID-19 topic, attackers behind this campaign try to persuade victims to download and run an application to display a map (image on right) supposedly from a legitimate source. The map in question shows the current global spread of COVID-19. The application is actually a malicious executable that, once launched, displays a well-designed graphical interface with information from the Johns Hopkins website while the malware runs in the background.


This campaign aims to spread the AZORult malware, an information stealer first distributed in 2016. It can extract browser history, cookies, credentials, cryptocurrency and more. One version of AZORult can create a hidden administrator account on the victim device to allow Remote Desktop Protocol (RDP) connections. Actors can also use AZORult to download additional malware to victim devices.

The ultimate goal of the attackers behind this campaign is to exfiltrate user information such as names, passwords and credit card details stored in the victim's browser and resell it on the Dark Web. Most sales of this malware occur on Russian underground forums.


CAMPAIGN BASED ON KPOT – MARCH 2020


Actors distributed the CoronaVirus ransomware together with the information-stealer Trojan Kpot through a fraudulent website (top image on right) pretending to promote the legitimate WiseCleaner Windows software. The distributed file, WSHSetup.exe, downloads the CoronaVirus ransomware (file2.exe) and the Kpot Trojan (file1.exe).

Once file1.exe runs, the malware tries to collect cookies, login credentials, virtual private network (VPN) information, file transfer protocol (FTP) details, e-mail accounts and more. The malware also attempts to take a screenshot of the active desktop and to steal cryptocurrency wallets stored on the infected computer. It sends the stolen information to a remote server managed by the attackers.

file2.exe encrypts files on the victim computer, renaming them to include the attacker's e-mail address while leaving file extensions intact. In each affected folder and on the desktop, the malware drops a note called CoronaVirus.txt, which demands that the victim send a payment of 0.008 bitcoins to the address bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk00xa3j. The ransomware also renames the hard disk to "CoronaVirus (C:)" (lower image on right).


CAMPAIGN BASED ON BLACKWATER – MARCH 2020


This campaign uses a backdoor called BlackWater, which contacts the legitimate Cloudflare Workers platform to mask the connection to an attacker-controlled C2 server.

The campaign is based on the distribution of a .rar file ("COVID-19-"), which contains a .docx file ("Important - COVID-19-") related to information about the COVID-19 outbreak.

Once opened, the Word document acts as a dropper for the final payload and executes it. During execution, the BlackWater malware connects to a Cloudflare Worker, which responds with a JSON string containing commands and thereby acts as the C2 server.


CAMPAIGN BASED ON COVIDLOCK – MARCH 2020


Exploiting the ongoing COVID-19 event, the attackers behind this campaign created a phishing site on the domain coronavirusapp[.]site that displays a map providing real-time information on the spread of the virus. The site encourages victims to download and run an Android application called "Covid19 Tracker" to stay up to date on the location of infected patients and the spread of the virus in their area, using their smartphones to view the data. In reality, the application hides the CovidLock ransomware, which uses a technique known as screen-locking that denies the user access to the smartphone by forcibly changing the password needed to unlock it. Immediately after the lock, the app displays a ransom note on the screen.


OTHER ATTACK CAMPAIGNS


Actors carrying out this campaign are distributing a malicious Microsoft Word document (image directly below) that claims to contain information about South Korea's response to COVID-19. The file aims to download the North Korean BabyShark malware.

This COVID-19 themed phishing e-mail campaign uses a document in an e-mail (image directly below) that contains Nanocore RAT and targets South Korean chemical manufacturer Dongwoo Fine-Chem Corporation.


OTHER ATTACK CAMPAIGNS (CONTINUED)


The TrickyMouse campaign distributes a malicious Word document called “Коронавірусна інфекція COVID-19.doc” (image directly below), containing a backdoor in C# targeting Ukraine. The campaign uses the brand names of the WHO and the Public Health Centre of the Ministry of Health of Ukraine as lures.

This campaign uses the FedEx brand in a phishing attack, claiming to provide victims with information about FedEx's global operations (image directly below). The e-mail attachment, "Customer Advisory.PDF.exe", attempts to infect victims with the Lokibot malware.


OTHER ATTACK CAMPAIGNS (CONTINUED)


This malspam campaign uses an e-mail appearing to be from the Iranian Ministry of Health; the e-mail recommends downloading a specific mobile app to monitor potential symptoms of COVID-19. This application (ac19.apk) is actually spyware for Android.


REFERENCES


https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b

https://www.proofpoint.com/us/corporate-blog/post/coronavirus-themed-attacks-target-global-shipping-concerns

https://exchange.xforce.ibmcloud.com/collection/62ed2dd58bbc189efd753918bef1bd05

https://twitter.com/JAMESWT_MHT/status/1227982693889183744

https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html

http://www.cctvnews.co.kr/news/articleView.html?idxno=160397

https://cofense.com/threat-actors-capitalize-global-concern-coronavirus-new-phishing-campaigns/

https://www.kaspersky.com/blog/coronavirus-phishing/32395/

http://www.tgsoft.it//italy//news_archivio.asp?id=1069

https://news.sophos.com/en-us/2020/03/04/trickbot-campaign-targets-coronavirus-fears-in-italy/

https://twitter.com/malwrhunterteam/status/1236008791893778434

https://blog.reasonsecurity.com/2020/03/09/covid-19-info-stealer-the-map-of-threats-threat-analysis-report/

https://twitter.com/malwrhunterteam/status/1238514675190575108

https://twitter.com/issuemakerslab/status/1233010155018604545?s=20

https://twitter.com/RedDrip7/status/1230683740508000256?s=20

https://twitter.com/RedDrip7/status/1225417108919447552?s=20

https://www.fortinet.com/blog/threat-research/attackers-taking-advantage-of-the-coronavirus-covid-19-media-frenzy.html

https://twitter.com/NarimanGharib/status/1236102123156393984?s=09

https://www.domaintools.com/resources/blog/covidlock-update-coronavirus-ransomware#


LEGAL NOTICE & DISCLAIMER: © 2020 Accenture. All rights reserved. Accenture, the Accenture logo, iDefense and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from iDefense. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates.

Given the inherent nature of threat intelligence, the content contained in this alert is based on information gathered and understood at the time of its creation. It is subject to change.

ACCENTURE PROVIDES THE INFORMATION ON AN “AS-IS” BASIS WITHOUT REPRESENTATION OR WARRANTY AND ACCEPTS NO LIABILITY FOR ANY ACTION OR FAILURE TO ACT TAKEN IN RESPONSE TO THE INFORMATION CONTAINED OR REFERENCED IN THIS ALERT.

Accenture Confidential and Proprietary