As the world continues to grapple with the COVID-19 outbreak, cybercriminals are working relentlessly to develop tactics to entice victims to click on fraudulent links and download malicious documents. In January, SilverSky’s threat intel report warned customers of potential coronavirus-themed email attacks; shortly after that, SilverSky reported that the pandemic led to the first big phishing campaign of 2020. As of early April, we continue to see an increase in coronavirus themed email attacks with March being the most active 2020 month to date.

Characteristics of the coronavirus themed email attacks observed by SilverSky’s Threat Intel team have included: pandemic themed sender names, recently registered URLs, Agent Tesla malware, AZORult malware, and other malware variants.

Pandemic Themed Sender Names

The SilverSky Threat Intel team noted that most common malicious sender names included: the World Health Organization, WHO, coronavirus, Department of Health, Pan American Health Organization, Center for Disease Control, and CDC.

Clicking a link within these attack emails redirected the recipient to suspicious sites that asked for user credentials. One spear-phishing example tricked employees into thinking the email originated from within their own organization by spoofing the sender’s display name to be the organization’s name. Clicking the link redirected the user to a page that looked like a Microsoft login page.

Recently Registered URLs

Credential phishing emails blocked by SilverSky’s Email Protection Suite (EPS) engines contained URLs of newly registered websites with pandemic keywords in the URL, such as coronavirus, COVID19, COVID, and health. Our advanced detection scanners also identified less obvious characteristics, such as the URL’s domain being less than three days old and the security certificate being issued by an authority popular with phishers.

Agent Tesla Malware

More sophisticated coronavirus themed attacks successfully blocked by SilverSky’s advanced email protection engines involved malware variants. For example, one campaign used Agent Tesla malware. Agent Tesla is spyware that stealthily collects information from the victim’s machine. In the coronavirus email attacks, Agent Tesla was spread through RAR compressed archive attachments whose file names carried a .pdf extension before the .rar extension to trick users (sample file names – ‘MEMO – Preventive Measure COVID-19 issuance to Drivers & Transport Vendors.rar’, ‘Method_COVID2019_Safety.pdf.rar’). The attackers spoofed the sender as The World Health Organization <who[@]astaylojstlk.com> and claimed the attachments contained safety measures and instructions; note that the email address domain is fraudulent. Once the recipient opens and runs the attachment, GuLoader, used to load the real payload, installs Agent Tesla, which can steal usernames, passwords, and credit card information from the user’s system.
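As an added illustration (not SilverSky’s EPS logic, and not code from the original post), the following Python scores a message on the indicators described in the sections above: a health-organization display name paired with an unrelated sender domain, pandemic keywords in a URL host, a URL domain registered fewer than three days ago, and a decoy double extension on an archive attachment. The domain allowlist, the registration-date table standing in for a WHOIS lookup, and the sample message are constructed.

```python
import re
from datetime import date
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender names and keywords are those the post lists; everything else is constructed.
ORG_NAME_RE = re.compile(r"\b(world health organization|who|coronavirus|department of health|"
                         r"pan american health organization|center for disease control|cdc)\b", re.I)
PANDEMIC_KEYWORDS = ("coronavirus", "covid19", "covid", "health")
KNOWN_ORG_DOMAINS = {"who.int", "cdc.gov"}   # constructed allowlist of legitimate org domains
REGISTRATION_DATES = {                        # constructed stand-in for a WHOIS creation-date lookup
    "astaylojstlk.com": date(2020, 3, 25),
    "covid19-health-login.com": date(2020, 3, 26),
    "who.int": date(1998, 5, 1),
}
MAX_DOMAIN_AGE_DAYS = 3                       # the post's "less than three days old" threshold

def registrable(host):
    return ".".join(host.lower().split(".")[-2:])   # crude eTLD+1, enough for .com/.int samples

def domain_age_days(domain, today):
    created = REGISTRATION_DATES.get(domain)
    return None if created is None else (today - created).days

def score_message(msg, today=date(2020, 3, 27)):
    # msg is a dict with "from", "urls" and "attachments"; returns (hit count, reasons)
    reasons = []
    name, addr = parseaddr(msg["from"])
    sender_domain = registrable(addr.rpartition("@")[2])
    if ORG_NAME_RE.search(name) and sender_domain not in KNOWN_ORG_DOMAINS:
        reasons.append(f"health-org display name sent from unrelated domain {sender_domain}")
    for url in msg.get("urls", []):
        host = (urlparse(url).hostname or "").lower()
        if any(k in host for k in PANDEMIC_KEYWORDS):
            reasons.append(f"pandemic keyword in URL host {host}")
        age = domain_age_days(registrable(host), today)
        if age is not None and age < MAX_DOMAIN_AGE_DAYS:
            reasons.append(f"URL domain registered {age} day(s) ago")
    for att in msg.get("attachments", []):
        stem, _, ext = att.lower().rpartition(".")
        if ext in ("rar", "zip", "7z") and stem.endswith((".pdf", ".doc", ".docx", ".xls", ".xlsx")):
            reasons.append(f"decoy double extension on archive attachment {att}")
    return len(reasons), reasons

SAMPLE_PHISH = {  # constructed from the sender and file name quoted in the post
    "from": "The World Health Organization <who@astaylojstlk.com>",
    "urls": ["https://covid19-health-login.com/office365/login"],
    "attachments": ["Method_COVID2019_Safety.pdf.rar"],
}
```

Calling `score_message(SAMPLE_PHISH)` returns all four reasons, while a message from a known domain with a plain PDF attachment scores zero.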

AZORult Malware

In late March 2020, the AZORult malware was observed being delivered by phishing documents that used COVID-19 as a lure. The malicious email, titled ‘Maersk COVID -19 update’, contained a Microsoft Excel document attachment designed to exploit a known Microsoft Office vulnerability (CVE-2017-11882). This vulnerability is a flaw in the Equation Editor used by Microsoft Excel that allows an attacker to execute arbitrary code via RTF files without user interaction; it is caused by the Equation Editor failing to handle OLE objects in memory properly. In this latest notable effort, the COVID-19 phishing campaigns are exclusively targeting the manufacturing, industrial, finance, transportation, pharmaceutical, and cosmetic industries. Once the document is opened, it installs the information-stealing malware “AZORult.” SilverSky’s email protection engines detected this email and blocked it as a “threat.”

Other Malware Variants

SilverSky’s Threat Intel Team also noticed other malware variants, such as Adwind RATs, KPOT Stealer, VBA Trojan downloaders, and Zeus Sphinx, being used to push coronavirus themed attacks. The Zeus Sphinx banking Trojan seems to be back after being off the scene for nearly three years. Malspam emails claiming to offer financial relief increased in March, bringing with them infected documents containing the Zeus Sphinx Trojan disguised as government claim forms.

The phishing email asked recipients to fill out an attached form to receive a coronavirus relief fund from the government. First, the document required the user to enable a macro; then the script starts its deployment by fetching a malware downloader. Next, the downloader communicates with a remote command-and-control (C2) server to fetch the relevant malware, in this case a Zeus Sphinx variant.

These emails look very legitimate, and recipients tend to be oblivious that government or banking agencies generally do not attach such documents to emails and end up opening the attachments. Using our EPS technology, SilverSky customers can block such emails from reaching their inbox.


As we continue to see more sophisticated attacks using a combination of social engineering tactics and malicious URLs and documents, advanced detection techniques are required to block them. If you are concerned about coronavirus related phishing attacks or see such emails being sent to your employees, contact SilverSky to learn about our Email Protection Solutions.
