As the world continues to grapple with the COVID-19 outbreak, cybercriminals are working relentlessly to develop tactics to entice victims to click on fraudulent links and download malicious documents. In January, SilverSky’s threat intel report warned customers of potential coronavirus-themed email attacks; shortly after that, SilverSky reported that the pandemic led to the first big phishing campaign of 2020. As of early April, we continue to see an increase in coronavirus themed email attacks with March being the most active 2020 month to date.
Characteristics of the coronavirus themed email attacks observed by SilverSky’s Threat Intel team have included: pandemic themed sender names, recently registered URLs, Agent Tesla malware, AZORult malware, and other malware variants.
Pandemic Themed Sender Names
The SilverSky Threat Intel team noted that most common malicious sender names included: the World Health Organization, WHO, coronavirus, Department of Health, Pan American Health Organization, Center for Disease Control, and CDC.
Links in these emails led to look-alike sites that prompted for user credentials. In one spear-phishing example, the attackers set the sender's display name to the recipient's own organization so that the message appeared to come from a colleague; the link led to a page imitating the Microsoft login page.
Recently Registered URLs
Credential phishing emails blocked by SilverSky's Email Protection (EPS) engines contained URLs of newly registered websites with coronavirus keywords in the hostname or path, such as coronavirus, COVID19, COVID, health, and other terms associated with the pandemic. Our detection scanners also flagged less obvious signals, such as the domain having been registered fewer than three days earlier and the TLS certificate having been issued by an authority popular with phishers.
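The following Python example, added here and not part of SilverSky's EPS code, turns the three indicators above into a scoring check: pandemic keywords in the URL, a domain registered fewer than three days ago, and a certificate from an issuer on an operator-maintained watch list. The domains, registration dates and issuer names are constructed stand-ins for what WHOIS/RDAP and a TLS handshake would return; the page does not name the certificate authority, so the watched issuer is a placeholder.

```python
from datetime import date
from urllib.parse import urlparse

# Keywords the report lists as typical of coronavirus-themed phishing URLs.
PANDEMIC_KEYWORDS = ("coronavirus", "covid19", "covid", "pandemic", "health")

# Constructed stand-ins for data a real engine fetches live: registration
# dates from WHOIS/RDAP and the certificate issuer seen on connect.  None
# of these hosts or issuers come from the SilverSky report.
REGISTRATION_DATE = {
    "covid19-health-alerts.example": date(2020, 3, 28),
    "intranet.example": date(2011, 6, 2),
}
TLS_ISSUER = {
    "covid19-health-alerts.example": "FreeCertsNow (constructed issuer)",
    "intranet.example": "Example Enterprise CA (constructed issuer)",
}
# Issuers the operator has flagged as frequently seen on phishing sites.
WATCHED_ISSUERS = {"FreeCertsNow (constructed issuer)"}


def registrable_domain(host):
    """Last two labels of the host.  Adequate for .com/.example; a
    production engine would use the Public Suffix List so that a host
    under co.uk is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def keyword_hits(text):
    """Pandemic keywords present in text, longest first so that a hit on
    'covid19' is not reported a second time as 'covid'."""
    hits = []
    for kw in sorted(PANDEMIC_KEYWORDS, key=len, reverse=True):
        if kw in text and not any(kw in h for h in hits):
            hits.append(kw)
    return hits


def score_url(url, today, max_age_days=3):
    """Return a verdict and the reasons behind it for one URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []

    hits = keyword_hits(host + parsed.path.lower())
    if hits:
        reasons.append("pandemic keyword(s) in URL: " + ", ".join(hits))

    registered = REGISTRATION_DATE.get(registrable_domain(host))
    if registered is None:
        reasons.append("no registration record for domain")
    elif (today - registered).days < max_age_days:
        reasons.append(f"domain registered {(today - registered).days} day(s) ago")

    issuer = TLS_ISSUER.get(host)
    if issuer in WATCHED_ISSUERS:
        reasons.append(f"certificate issued by watched CA: {issuer}")

    # Two independent signals are enough to block; one goes to review.
    verdict = "block" if len(reasons) >= 2 else ("review" if reasons else "allow")
    return {"url": url, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for u in ("https://covid19-health-alerts.example/login",
              "https://intranet.example/portal"):
        print(score_url(u, date(2020, 3, 30)))
```

Keyword matching alone would flag legitimate health-agency pages, which is why the verdict requires a second signal; domain age is the one attackers can least afford to fix, since a freshly registered name is exactly what a short-lived campaign needs.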
Agent Tesla Malware
More sophisticated coronavirus-themed attacks blocked by SilverSky's email protection engines carried malware. One campaign delivered Agent Tesla, spyware that quietly harvests information from the victim's machine. Here it was spread as RAR archives given a double extension such as .pdf.rar so that the attachment appeared to be a PDF (sample file names: 'MEMO – Preventive Measure COVID-19 issuance to Drivers & Transport Vendors.rar', 'Method_COVID2019_Safety.pdf.rar'). The attackers spoofed the sender as The World Health Organization <who[@]astaylojstlk.com> and claimed the attachments contained safety measures and instructions; note that the sending domain is not a WHO domain. When the recipient extracts and runs the attachment, GuLoader, a downloader used to stage the real payload, installs Agent Tesla, which can steal usernames, passwords, and credit card data from the system.
AZORult Malware
In late March 2020, the AZORult malware was observed being delivered by phishing documents that used COVID-19 as a lure. The malicious email, titled 'Maersk COVID -19 update', carried a Microsoft Excel attachment built to exploit a known Microsoft Office vulnerability, CVE-2017-11882. This is a memory-corruption flaw in the Equation Editor, a legacy component shared by the Office applications, which mishandles objects in memory; a crafted document embedding an Equation Editor object lets the attacker execute arbitrary code as soon as the file is opened, with no macros to enable and no further user interaction. In this campaign, the COVID-19 lures targeted the manufacturing, industrial, finance, transportation, pharmaceutical, and cosmetics industries. Once the document is opened, it installs the information-stealing malware AZORult. SilverSky's email protection engines detected this email and blocked it as a threat.
Other Malware Variants
SilverSky's Threat Intel Team also saw other malware families, such as Adwind RATs, KPOT Stealer, VBA Trojan downloaders, and Zeus Sphinx, used in coronavirus-themed attacks. The Zeus Sphinx banking Trojan appears to be back after nearly three years off the scene. Malspam claiming to offer financial relief increased in March, carrying infected documents that drop the Zeus Sphinx Trojan while posing as government claim forms.
The phishing email asked recipients to fill out the attached form to receive coronavirus relief funds from the government. The document first prompted the user to enable macros; once enabled, the macro fetched a malware downloader, and the downloader then contacted a remote command-and-control (C2) server to retrieve the final payload, in this case the Zeus Sphinx variant.
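The three attachment tricks described above (the Agent Tesla archives with a .pdf.rar double extension, the AZORult workbook embedding an Equation Editor object, and the Zeus Sphinx form that needs macros enabled) can all be caught before delivery with content inspection that ignores the file name the sender chose. The Python triage routine below is an added example, not SilverSky's EPS code or any of the malware it describes: it sniffs the real file type from magic bytes, flags double extensions and name/content mismatches, looks inside ZIP-based Office files for a VBA project, and searches for the Equation Editor CLSID or ProgID. The attachments it runs on are constructed in the block and contain no real malicious content.

```python
import io
import uuid
import zipfile

# File-type signatures; a scanner keys on bytes, not on the sender's file name.
SIGNATURES = (
    (b"Rar!\x1a\x07", "rar"),                        # RAR 4 and RAR 5
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                          # OOXML .docx/.xlsx/.xlsm ...
    (b"{\\rtf", "rtf"),
)
EXPECTED_TYPE = {
    "pdf": "pdf", "rtf": "rtf", "rar": "rar", "zip": "zip",
    "doc": "ole", "xls": "ole", "ppt": "ole",
    "docx": "zip", "docm": "zip", "xlsx": "zip", "xlsm": "zip",
}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}

# CLSID of the Equation Editor (Equation.3) OLE object, the component fixed
# by CVE-2017-11882.  OLE directory entries store it in the mixed-endian
# on-disk form that uuid.bytes_le produces; RTF and OOXML carry the ProgID.
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
EQUATION_PROGIDS = (b"Equation.3", b"Equation.2")

# OLE stream names are UTF-16LE; a _VBA_PROJECT stream means macros.
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")


def sniff_type(data):
    """File type from leading magic bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def zip_members(data):
    """(name, bytes) for each member of a ZIP container, [] if unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(info.filename, zf.read(info)) for info in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename, data):
    """Return the list of reasons this attachment looks suspicious."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # 'report.pdf.rar': a document extension hidden in front of the real one.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
        findings.append(f"double extension: .{parts[-2]}.{ext}")

    actual = sniff_type(data)
    expected = EXPECTED_TYPE.get(ext)
    if expected is not None and actual != expected:
        findings.append(f"content is {actual}, extension .{ext} implies {expected}")

    # Inspect the members of ZIP-based Office files, otherwise the raw bytes.
    blobs = (zip_members(data) if actual == "zip" else []) or [("", data)]
    for name, blob in blobs:
        if name.endswith("vbaProject.bin") or VBA_STREAM in blob:
            findings.append(f"VBA macro project present ({name or 'OLE stream'})")
        if EQUATION_CLSID in blob or any(p in blob for p in EQUATION_PROGIDS):
            findings.append(f"Equation Editor object present ({name or 'document body'})")
    return findings


def constructed_samples():
    """Constructed test attachments (headers and markers only, no payloads)."""
    rar_as_pdf = ("Method_COVID2019_Safety.pdf.rar",
                  b"Rar!\x1a\x07\x01\x00" + b"\x00" * 64)
    ole_equation = ("covid19_shipping_update.xls",
                    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 120 + EQUATION_CLSID)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\x00" * 32)
    macro_form = ("relief_claim_form.xlsm", buf.getvalue())
    clean_pdf = ("guidance.pdf", b"%PDF-1.4\n%constructed placeholder\n")
    return [rar_as_pdf, ole_equation, macro_form, clean_pdf]


if __name__ == "__main__":
    for name, data in constructed_samples():
        print(name, "->", triage_attachment(name, data) or "no findings")
```

The RAR sample is flagged on its name alone because the archive cannot be opened without an external unrar library; a production gateway would extract it and run the same checks on the contents. The Equation Editor check is an indicator scan, not a full OLE parse: it tells you an object of that class is present, which is enough to quarantine a document from an unexpected sender, but a verdict of "exploit" needs a proper parser or a sandbox.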
These emails look convincing, and recipients who do not stop to consider that government and banking agencies do not generally send such forms as email attachments end up opening them. With EPS, SilverSky customers can block such emails before they reach the inbox.
As attacks increasingly combine social engineering with malicious URLs and documents, advanced detection techniques are required to block them. If you are concerned about coronavirus-related phishing or see such emails reaching your employees, contact SilverSky to learn about our Email Protection Solutions.