Another Type of Virus - Phishing and Malspam Attacks Using COVID-19
Gabrielle Hempel
Security Leader | 1L JD Candidate | MS Global Security/Cybersecurity | Adjunct Professor | FSO-PA USCG AUX | Black Hat Board Member
By now, you are most certainly aware of COVID-19, the novel coronavirus that is sweeping the world. The spread rate and death toll have been steadily climbing as governments and healthcare systems try their best to mitigate the spread of the virus.
However, this isn't the only kind of virus you need to be aware of.
There have been numerous reports of different threat actors and, well, scammers using the public panic surrounding COVID-19 to their advantage. Many phishing campaigns (i.e. the scam emails you hope go straight into your spam folder) have been targeting consumers and people who are just trying to stay informed.
Here is an analysis of current campaigns and threats:
BleepingComputer reports a phishing email that spreads Remcos RAT/malware payloads.
This malware gains persistence on an infected device by adding a startup Registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, which lets it launch again after the machine is rebooted. One caveat worth knowing when you hunt for this: RunOnce values are executed once at the next logon and are then deleted by Windows, so a sample that relies on this key alone has to re-write it each time it runs if it is to survive later reboots. After the malware has made itself comfy and at home, it captures the user's keystrokes and logs them to a log.dat file in a temporary local \onedrive folder.
COVID-19-themed MS Office document
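As an added illustration (not code from the BleepingComputer report or from the author), here is a small triage routine for the persistence mechanism described above. It runs over endpoint telemetry shaped like Sysmon Event ID 13 (registry value set) records, flags writes to the Run/RunOnce autostart keys, and scores them higher when the payload sits in a user-writable directory or the writer is a script host or Office application. The event records are constructed for this example; the paths and process names in them are assumptions, not indicators from the actual campaign.

```python
import re

# Autostart keys under the per-user or per-machine CurrentVersion hive.
AUTORUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunOnceEx)\\",
    re.IGNORECASE,
)
# Locations an unprivileged user (and therefore a phished user) can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads)\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe",
                "cmd.exe", "regsvr32.exe", "rundll32.exe")
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

# Constructed sample records modelled loosely on Sysmon Event ID 13.
# Made up for this example; not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\update",
     "Details": r"C:\Users\alice\AppData\Local\Temp\onedrive\winhost.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems",
     "Details": "Binary Data"},
]


def assess_registry_event(event):
    """Return a finding dict for an autorun write, or None if the event is not one."""
    if event.get("EventID") != 13:
        return None
    match = AUTORUN_KEY.search(event.get("TargetObject", ""))
    if not match:
        return None

    reasons = []
    key_name = match.group(1)
    if key_name.lower().startswith("runonce"):
        # RunOnce fires at the next logon and is deleted, so malware must keep re-adding it.
        reasons.append("RunOnce entry: runs once at next logon, then removed; re-creation is a signal")

    payload = event.get("Details", "")
    if USER_WRITABLE.search(payload):
        reasons.append("payload lives in a user-writable location")

    writer = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if writer in SCRIPT_HOSTS:
        reasons.append(f"written by script host {writer}")
    elif writer in OFFICE_APPS:
        reasons.append(f"written by Office application {writer}")

    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
    return {"key": key_name, "value": event.get("TargetObject", ""), "payload": payload,
            "writer": writer, "reasons": reasons, "severity": severity}


def triage(events):
    """Run every event through the assessor and keep the autorun findings."""
    return [f for f in (assess_registry_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["value"], "<-", finding["payload"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The legitimate OneDrive entry still scores medium because it, too, runs from AppData; that is expected, and it is where an allowlist of signed publishers would normally take over. The point of the scoring is to push the script-host-written RunOnce entry pointing into Temp to the top of the queue.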
(Above screenshots courtesy of BleepingComputer)
Additionally, a Talos investigation uncovered a series of campaigns from the wonderful folk behind Emotet, along with a series of other commodity malware families, using COVID-19 topics to lure unsuspecting and curious users in. What was also striking was the number of legitimate emails containing things like Microsoft Word documents and Excel spreadsheets related to the coronavirus, which could make phishing detection even harder for your average user.
Emotet is one of the most common and insidious malware families being actively distributed. Actors are commonly observed attempting to integrate current news topics of interest in their distribution campaigns, and the current interest in COVID-19 is no exception. It has been previously reported that Emotet has been making use of this theme in various email distribution campaigns, as seen below. These emails typically contain malicious Microsoft Word documents that function as downloaders for the Emotet malware.
(screenshot courtesy of Talos)
Talos has also observed the NanoCore RAT being distributed through similar email-based campaigns. A remote access trojan (RAT) gives the attacker remote control of the infected system: capturing keystrokes, stealing files, watching the webcam feed, and downloading and executing further files. RATs are among the most common threats in the active threat landscape, and NanoCore in particular is distributed by many different actors. In the campaign Talos found, the lure was a notification to customers about the status of the coronavirus and the steps the purported sender was taking as an organization, as shown below.
(screenshot courtesy of Talos)
The email shown above came with a ZIP file attached, which contained a PIF executable. Once the victim ran the file, NanoCore RAT was installed on the system, giving the adversaries remote access. Note that .pif is a legacy extension for DOS program shortcuts, but Windows will run a PE executable carrying that extension just as it would an .exe, and Explorer hides the .pif suffix by default, so a file with a document extension in front of .pif appears to be just a document.
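The check a mail gateway or analyst would want for the attachment above is to look past the extension at what is actually inside the archive. This is an added example, not code from Talos or the author: it builds a constructed ZIP holding a fake PE stub named with a decoy document extension plus a benign text file, then inspects every entry for executable extensions, extensions Explorer always hides, double extensions, the MZ header of a Windows executable, and encrypted entries that cannot be inspected at all. File names and contents are made up for the example.

```python
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".wsh", ".hta", ".msi", ".lnk", ".ps1", ".cpl"}
# Extensions Windows Explorer hides even when "hide known extensions" is off.
ALWAYS_HIDDEN_EXTS = {".pif", ".lnk", ".scf", ".shs", ".url"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def build_sample_zip() -> bytes:
    """Constructed example archive (not the real attachment): a PE stub plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Every Windows PE file starts with the two-byte DOS header magic 'MZ'.
        zf.writestr("Coronavirus-Update.pdf.pif", b"MZ" + b"\x90" * 62 + b"stub")
        zf.writestr("readme.txt", b"Stay safe.")
    return buf.getvalue()


def inspect_zip(data: bytes):
    """Return a list of suspicious entries, each with the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + part for part in basename.split(".")[1:]]
            final = exts[-1] if exts else ""
            reasons = []

            if final in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {final}")
            if final in ALWAYS_HIDDEN_EXTS:
                reasons.append(f"extension {final} is hidden by Explorer, name shows as "
                               f"{basename[:-len(final)]}")
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                reasons.append(f"double extension: {exts[-2]} used as a decoy")

            if info.flag_bits & 0x1:
                # Encrypted entry: content cannot be checked, which is itself a signal.
                reasons.append("entry is encrypted; content could not be inspected")
            else:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        reasons.append("content is a Windows PE executable (MZ header)")

            if reasons:
                findings.append({"name": info.filename, "size": info.file_size,
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for entry in inspect_zip(build_sample_zip()):
        print(entry["name"], entry["size"], "bytes")
        for reason in entry["reasons"]:
            print("   ", reason)
```

The content check matters more than the extension list: a renamed executable with an innocent extension still starts with MZ, while a .pif entry that is not MZ is probably a true DOS shortcut. Nested archives and password-protected ZIPs (the flag bit above) are the two cases that get past a naive extension filter most often.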
Researchers at Cofense said they observed a new phishing campaign that pushes fake messages from the Centers for Disease Control and Prevention (CDC) claiming that the coronavirus has "officially become airborne" and that there "have been confirmed cases of the disease in your location."
In my additional research and search for more intelligence in this area, I have also encountered the following occurrences:
- Fake MS365 login site in phishing email to download “company guidelines about nCOV”
- A new variation of Trickbot (malware) also being distributed via malspam.
- SMS phishing (smishing) texts using the NHS as the lure, so UK-based
- Spoofing of the public health line 1-800 number (Canada)
- People posing in email as WHO reps with guidelines on how to prevent infection with a malicious attachment
- There are also sites offering coronavirus maps that are being used to spread malware: security researchers at Malwarebytes say they found malicious code hiding behind a website that claimed to show an up-to-date global heatmap of coronavirus reports. The payload is a variant of the AZORult information stealer, which skims passwords and payment card details. The malicious site copied the look-and-feel of the legitimate coronavirus map from Johns Hopkins University.
As always, if you are unsure of the legitimacy of an email you receive, go directly to the originator's site instead of clicking on any links. Similarly, do not enter credentials into any form reached from an email link; again, go to the site in question (e.g. Microsoft 365) yourself in order to log in.
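The advice above can be partly automated at the mail gateway or in a triage script: pull every link out of the message body and compare where it says it goes with where it actually goes. This is an added example, not code from the author or from any of the vendors cited; the email body is constructed for the example, the example.net and 198.51.100.23 destinations are documentation addresses, and the brand-to-domain map is a deliberately tiny allowlist that a real deployment would replace with its own list (plus a proper Public Suffix List lookup instead of the naive registered-domain helper). It flags the three things seen in the campaigns above: a brand name such as office365 or cdc inside a lookalike domain, a link whose visible text names a different site than its href, and a link whose host is a bare IP address.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand tokens and the registered domains allowed to carry them. Assumed allowlist.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "office365": {"microsoft.com", "office.com"},
    "office": {"microsoft.com", "office.com"},
    "cdc": {"cdc.gov"},
    "who": {"who.int"},
    "nhs": {"nhs.uk"},
}

# Constructed phishing-style body; not a real message from any of the campaigns.
SAMPLE_EMAIL_HTML = """
<p>Please review the <a href="http://office365-secure-login.example.net/auth">company guidelines about nCOV</a>.</p>
<p>Visit <a href="http://198.51.100.23/cdc">https://www.cdc.gov/coronavirus</a> for the latest updates.</p>
<p>Official guidance: <a href="https://www.who.int/emergencies">https://www.who.int/emergencies</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Naive last-two-labels rule; real code should consult the Public Suffix List."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_in_text(text: str):
    """If the visible link text looks like a URL or domain, return its host."""
    m = re.fullmatch(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?", text.strip(), re.I)
    return m.group(1).lower() if m else None


def analyse_links(html: str):
    """Return the links that fail any check, each with the reasons."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        reasons = []
        if url.scheme not in ("http", "https"):
            reasons.append(f"non-web scheme {url.scheme!r}")
        if host and is_ip_literal(host):
            reasons.append("link host is a bare IP address")
        shown = host_in_text(text)
        if shown and registered_domain(shown) != registered_domain(host):
            reasons.append(f"visible text names {shown} but link goes to {host}")
        for token in re.split(r"[.-]", host):
            legit = BRAND_DOMAINS.get(token)
            if legit and registered_domain(host) not in legit:
                reasons.append(f"brand word {token!r} in a domain that is not {', '.join(sorted(legit))}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL_HTML):
        print(finding["href"], "|", finding["text"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

None of these checks proves a link is malicious, and the WHO link in the sample passes all of them, which is the point: the checks remove the obvious cases so the remaining links are the ones worth opening by hand, by typing the address rather than clicking.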
Stay safe and healthy!
Technical sales agent at ONEA
5 years ago: I hope this covid-19 will be nothing more than a bad memory in the days to come.