Top 5 Coronavirus Phishing Tactics Identified by SilverSky’s Threat Intel Team

Coronavirus phishing coronavirus malwareAs the world continues to grapple with the COVID-19 outbreak, cybercriminals are working relentlessly to develop tactics to entice victims to click on fraudulent links and download malicious documents. In January, SilverSky’s threat intel report warned customers of potential coronavirus-themed email attacks; shortly after that, SilverSky reported that the pandemic led to the first big phishing campaign of 2020. As of early April, we continue to see an increase in coronavirus themed email attacks with March being the most active 2020 month to date.

Characteristics of the coronavirus themed email attacks observed by SilverSky’s Threat Intel team have included: pandemic themed sender names, recently registered URLs, Agent Tesla malware, AZORult malware, and other malware variants.

Pandemic Themed Sender Names

The SilverSky Threat Intel team noted that most common malicious sender names included: the World Health Organization, WHO, coronavirus, Department of Health, Pan American Health Organization, Center for Disease Control, and CDC.

Clicking on a link within attack emails redirected to suspicious sites that asked for user credentials. One example of a spear-phishing attack tricked employees into thinking that the email originated from within their own organization by spoofing the sender’s name to be the organization’s name. Upon clicking the link, it redirected to a page that looks like a Microsoft login page.

Recently Registered URLs

Credential phishing emails blocked by SilverSky’s Email Protection (EPS) engines contained URLs of newly registered websites with coronavirus keywords within the URL such as coronavirus, COVID19, COVID, health, and other keywords associated with the pandemic. Our advanced detection scanners identified not so obvious characteristics such as the URL being less than three days old, and the security certificate issued by an authority popular with phishers.

Agent Tesla Malware

More sophisticated coronavirus themed attacks successfully blocked by SilverSky’s advanced email protection engines involved malware variants. For example, one campaign used Agent Tesla malware. Agent Tesla is spyware that stealthily collects information from the victim’s machine. In the coronavirus email attacks, Agent Tesla was spread through RAR compressed archive file attachments with .pdf extension to trick users. (sample file names – ‘MEMO – Preventive Measure COVID-19 issuance to Drivers & Transport Vendors.rar’, ‘Method_COVID2019_Safety.pdf.rar’). The attackers spoofed the sender as The World Health Organization <who[@]astaylojstlk.com> and claimed the attachments contained safety measures and instructions—note that the email address domain is fraudulent. Once the recipient opens and runs the attachment, GuLoader, used to load the real payload, installs Agent Tesla, which can steal usernames, passwords, and credit card information from the user’s system.

AZORult MalwareCoronavirus phishing coronavirus malware

In late March 2020, the AZORult malware was observed being delivered by phishing documents that used COVID-19 as a lure. The malicious email titled ‘Maersk COVID -19 update’ contained a Microsoft Excel document attachment designed to exploit a known Microsoft Office vulnerability (CVE 2017-11882). This vulnerability exploits a flaw in how Microsoft Excel’s Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, which fails to handle OLE objects in memory properly. In this latest notable effort, the COVID-19 phishing campaigns are exclusively targeting manufacturing, industrial, finance, transportation, pharmaceutical, and cosmetic industries.  Once the document is opened, it installs the information-stealing malware “AZORult.” SilverSky’s email protection engines detected this email and blocked it as a “threat.”

Other Malware Variants

SilverSky’s Threat Intel Team also noticed other malware variants such as Adwind RATs, KPOT Stealer, VBA Trojan downloaders, Zeus Sphinx were used to push coronavirus themed attacks. The Zeus Sphinx banking Trojan seems to be back after being off the scene for nearly three years. Malspam emails claiming to offer financial relief increased in March, bringing with them infected documents containing Zeus Sphinx Trojan disguised as government claim forms.

The phishing email requested recipients to fill out an attached form to receive coronavirus relief fund from the government. At first, the document required SIlverSky Email Protection Suitethe user to enable executing a macro; then, the script starts its deployment by fetching a malware downloader. Next, the downloader will communicate with a remote command-and-control (C2) server to fetch the relevant malware, as in this case, its Zeus Sphinx variant.

These emails look very legitimate, and recipients tend to be oblivious that government or banking agencies generally do not attach such documents to emails and end up opening the attachments. Using our EPS technology, SilverSky customers can block such emails from reaching their inbox.

 

As we continue to see more sophisticated attacks using a combination of social engineering tactics and malicious URLs and documents, advanced detection techniques are required to block such attacks. If you are concerned about coronavirus related phishing attacks or see such emails being sent to your employees, Contact SilverSky to learn about our Email Protection Solutions.

Previous

Next

Managed Detection & Response

Comprehensive solutions to detect, prioritize, and address security incidents.

Managed Security Services

24 X 7 X 365 monitoring, management, and system maintenance.

Email Protection Suite

Monitor and manage your email environment with advanced email security and compliance protections.

Cloud Email & Collaboration

Cloud office productivity enhanced with proven security and compliance protection.

How does SilverSky's integrated stack of solutions meet your needs?

Compliance & Risk Services

Assess your program and controls, benchmark and identify areas for improvement. Develop your security roadmap for investment and improvements. Effectively measure ROI and impact on your security posture

Incident Response Readiness

Incident Response Plan Development / Review. Incident Response Readiness Review. Emergency Incident Response.

Discuss your compliance, risk management and incident response readiness needs.

Schedule Free 1-on-1 Consultation

Financial Services

1,500+ small & mid-sized financial institutions rely on SilverSky to meet and exceed FFEIC, GLBA and PCI DSS requirements and overall cybersecurity needs.

Healthcare

Hundreds of small & mid-sized healthcare organizations rely on SilverSky to address HIPAA and other regulatory requirements and serve overall cybersecurity needs.

Retail

Small and mid-sized retail organizations count on SilverSky to maintain PCI DSS requirements, secure customer data and reduce cybersecurity threats.

How Exposed Are You?

Take the test to see how your security program compares with other businesses like yours.

Resources

White papers, guides, tools, on-demand webinars, case studies and more. Explore a range of topics. 

Events

Blog

Product Sheets

SilverSky product and services information at your fingertips. Product data sheets, compliance matrixes, & brochures.

How Exposed Are You?

Take the test to see how your security program compares with other businesses like yours.

Become A Partner

Partner with SilverSky to tap into the approaching $300 billion+ cybersecurity market.

Talk to one of our partner managers and consider expanding your cybersecurity offerings.

Schedule Partner Exploration Discussion