
Fresh COVID-19 Phishing Scams Try to Spread Malware: Report

Organizations Targeted With Ransomware, Infostealer

Two recently uncovered phishing campaigns used COVID-19 themes as a lure in an attempt to spread ransomware and information stealers, according to Palo Alto Networks' Unit 42 division.


The campaigns targeted healthcare organizations, research facilities and government agencies in the U.S., Canada, Europe and elsewhere.

The security protocols used by the organizations that these campaigns targeted apparently stopped the attacks before they could penetrate networks and devices, according to Unit 42's research report.

Both campaigns used information about the COVID-19 pandemic to entice victims to open phishing emails that contain either a malicious link or an attached file that contains malware. These types of attacks have grown more common over the last several months as cybercriminals refine their tactics to take advantage of the health crisis (see: Phishing Campaigns Leverage Latest COVID-19 Themes).

"The common themes we've seen are malicious emails using subjects containing 'COVID-19' in the subject line and/or attachment name, as well as domains being registered containing terms like 'COVID,' 'virus,' and 'corona,'" Adrian McCabe, senior threat researcher at Unit 42, tells Information Security Media Group. "While not all of these domains are malicious, all of them should be treated as suspect when visiting."

Ransomware Attack

One of the newly discovered phishing campaigns attempted to spread EDA2, an open source ransomware variant, targeting a Canadian government health organization engaged in the COVID-19 response as well as Canadian universities conducting COVID-19 research, the report notes.

The campaign, which took place March 24-26, used phishing emails sent from a spoofed address designed to resemble the World Health Organization, Unit 42 notes. The messages contained a malicious attachment that, if opened, could have infected devices with the ransomware.

Infostealer Campaign

The other campaign involved sending spam in an attempt to spread AgentTesla, an information stealer. This malware, which was first spotted in 2014, has proven popular with business email compromise fraudsters, researchers note.

This campaign targeted a United States defense research entity, a Turkish government agency managing public works, a German industrial manufacturing firm, a Korean chemical manufacturer, a research institute located in Japan and research facilities in Canada, Unit 42 notes.

The analysis found that the attackers sent the phishing emails from a fake address: shipping@liquidroam.com. These messages included a malicious attached document disguised as a notice to COVID-19 equipment suppliers.

An unidentified Palo Alto Networks customer received one of these malicious messages on March 17, the report notes.

Lack of Sophistication

Both campaigns used relatively basic phishing tactics, the researchers say.

In the ransomware campaign, for example, the attackers' phishing emails carried malicious macros in a rich text format (RTF) attachment. Once a victim opened the attached file, the attackers exploited CVE-2012-0158, a remote code execution flaw in Windows, to deliver the payload, the report says.
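The indicators the article lists (COVID-themed subject lines and attachment names, a sender display name impersonating the World Health Organization, COVID-themed sender domains, and an RTF attachment as the delivery vehicle) can be turned into a simple mail-gateway triage rule. The following Python script is an added example written for this page; it is not code from the article, Unit 42 or Palo Alto Networks. The keyword list, the assumption that legitimate WHO mail comes from who.int, the scoring thresholds, and the two sample messages are all constructed for illustration.

```python
"""Triage heuristics for COVID-themed phishing mail (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Terms the article reports in lure subjects, attachment names and newly
# registered domains. The list itself is an assumption; extend it as needed.
COVID_TERMS = ("covid", "corona", "virus")

# Brands the lures impersonated in the display name, mapped to the domain
# legitimate mail from that brand is assumed to come from (assumption).
IMPERSONATED_BRANDS = {"world health organization": "who.int", "who": "who.int"}

RTF_TYPES = {"application/rtf", "text/rtf"}


def has_covid_term(text: str) -> bool:
    """Case-insensitive substring match against COVID_TERMS."""
    lowered = (text or "").lower()
    return any(term in lowered for term in COVID_TERMS)


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From header ('' if absent)."""
    _, addr = parseaddr(from_header or "")
    return addr.rpartition("@")[2].lower()


def display_name_spoof(from_header: str) -> bool:
    """True when the display name names a known brand but the address
    domain is neither that brand's domain nor a subdomain of it."""
    name, _ = parseaddr(from_header or "")
    tokens = set(re.findall(r"[a-z]+", name.lower()))
    domain = sender_domain(from_header)
    for brand, legit in IMPERSONATED_BRANDS.items():
        if all(word in tokens for word in brand.split()):
            if domain != legit and not domain.endswith("." + legit):
                return True
    return False


def is_rtf(part) -> bool:
    """RTF by declared type, file extension or the '{\\rtf' magic bytes."""
    name = (part.get_filename() or "").lower()
    body = part.get_payload(decode=True) or b""
    return (part.get_content_type() in RTF_TYPES
            or name.endswith(".rtf")
            or body.lstrip().startswith(b"{\\rtf"))


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message; each matched indicator adds a reason."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_header = str(msg.get("From", ""))
    reasons = []
    if has_covid_term(str(msg.get("Subject", ""))):
        reasons.append("COVID-themed subject")
    if has_covid_term(sender_domain(from_header)):
        reasons.append("COVID-themed sender domain")
    if display_name_spoof(from_header):
        reasons.append("display name impersonates a brand from an unrelated domain")
    for part in msg.walk():
        # Only attachments (or parts carrying a filename) are inspected.
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue
        name = part.get_filename() or "(unnamed)"
        if has_covid_term(name):
            reasons.append(f"COVID-themed attachment name: {name}")
        if is_rtf(part):
            reasons.append(f"RTF attachment: {name}")
    score = len(reasons)
    verdict = "quarantine" if score >= 2 else "review" if score == 1 else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


def build_sample_lure() -> bytes:
    """Constructed message modelled on the article's description; not a real sample."""
    m = EmailMessage()
    m["From"] = '"World Health Organization" <alerts@example.invalid>'
    m["To"] = "staff@example.invalid"
    m["Subject"] = "COVID-19 guidance for health organizations"
    m.set_content("Please review the attached COVID-19 guidance.")
    m.add_attachment(b"{\\rtf1\\ansi constructed placeholder, no macro}",
                     maintype="application", subtype="rtf",
                     filename="COVID-19 Update 2020-03-23.rtf")
    return m.as_bytes()


def build_sample_benign() -> bytes:
    """Constructed ordinary internal message for comparison."""
    m = EmailMessage()
    m["From"] = '"IT Helpdesk" <it@example.invalid>'
    m["To"] = "staff@example.invalid"
    m["Subject"] = "Weekly timesheet reminder"
    m.set_content("Timesheets are due Friday.")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_lure(), build_sample_benign()):
        print(triage(raw))
```

The constructed lure trips four indicators (subject, display-name spoof, attachment name, RTF attachment) and is quarantined, while the benign message scores zero. Keyword matching alone would flag legitimate public-health mail, which is why the display-name check compares against the brand's expected domain and why a single hit only routes the message to review rather than quarantine.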

But the attackers' phishing tactics were sloppy, researchers say.

[Figure: Recent ransomware note from a COVID-19 phishing attack (Source: Palo Alto Networks)]

"It is interesting to note that even though the file name clearly references a specific date (March 23, 2020), the file name was not updated over the course of the campaign to reflect current dates," the report notes. "It is also interesting that the malware authors did not attempt to make their lures appear legitimate in any way; it is clear from the first page of the document that something is amiss."

If a victim ran the ransomware code, certain files would have been encrypted and a ransom note demanding a payment of 0.35 bitcoin ($2,350) would have been downloaded, according to the report.

"The silver lining is that these campaigns were not sophisticated by any means, and these are a classic example of an attacker merely attempting to take advantage of people's curiosity toward any particular topic that is popular at a given time," McCabe says.

Uptick in Phishing Emails

Earlier this month, security agencies in the U.K. and U.S. warned about ongoing cybercrime campaigns tied to COVID-19 themes (see: UK and US Security Agencies Sound COVID-19 Threat Alert).

Other reports have noted that ransomware gangs are still targeting hospitals and healthcare organizations during the pandemic (see: No COVID-19 Respite: Ransomware Keeps Pummeling Healthcare).


About the Author

Akshaya Asokan

Senior Correspondent

Asokan is senior correspondent for Information Security Media Group's global news desk. She has previously worked with IDG and other publications where she reported on developments in technology, minority-rights and education.



