Microsoft: Emails With COVID-19 Themes Targeting US, South Korea
Malspam Campaigns Attempt to Install Remote Access Trojans
It's not clear if all these malspam campaigns, which are targeting organizations in the U.S. and South Korea, are related. But Microsoft researchers found that all the attacks attempt to install Remcos on victims' devices. This remote access Trojan, or RAT, can give attackers full control over an infected device and enable them to run keyloggers as well as capture screenshots and audio recordings.
Over the past several years, Remcos has sometimes been associated with threat groups attempting business email compromise schemes (see: Nigerian BEC Scammers Use Malware to Up the Ante).
Recent Spam Campaign
Microsoft found that the malspam campaigns mostly started appearing in April, although at least one malicious email is dated from February, which is about the time that many security researchers began finding phishing emails and malicious domains using the spread of COVID-19 as a lure (see: Phishing Campaigns Tied to Coronavirus Persist).
Tanmay Ganacharya, director for security research of Microsoft Threat Protection, told ZDNet it's not clear if the various campaigns were designed to spread other malware, such as ransomware, start a BEC scheme or conduct cyber espionage.
The spam emails usually contain attached disk image files, either ISO or IMG files, that attempt to infect a device with the Remcos RAT if opened, Microsoft says.
"We're seeing pockets of Remcos campaigns targeting specific sectors using various COVID-19 themed lures and atypical email attachments. Unlike more prominent malware, Remcos campaigns appear to be limited and short-lived, an attempt to fly under the radar."
— Microsoft Security Intelligence (@MsftSecIntel), May 4, 2020
In a series of tweets, Microsoft Security Intelligence describes three of these spam campaigns.
In the first, the attackers sent messages that appeared to come from the U.S. Small Business Administration and were delivered to small businesses that are in need of federal loans due to the COVID-19 pandemic, according to Microsoft. These messages contained a malicious IMG file attachment that also displayed a misleading PDF icon. The attachment contained executables that attempted to install the Remcos RAT.
The second campaign was designed to appear to originate with the U.S. Centers for Disease Control and Prevention's Health Alert Network. The attackers used these spam emails to target manufacturing facilities in South Korea, according to Microsoft. The spoofed CDC emails contained a malicious ISO file attachment, which contained another file that attempted to install Remcos if opened, Microsoft notes.
A third campaign targeted accounting firms in the U.S. with spam emails that appeared to originate with the American Institute of CPAs. These messages also contained attached ISO files that, if opened, attempted to install the Remcos RAT.
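All three campaigns share one detectable trait: a disk image (ISO or IMG) attached to the email, carrying the executable that installs Remcos. The following Python script is an added example, not code from Microsoft or from the article, showing how a mail gateway or triage tool could flag such attachments. It checks the attachment name against the .iso and .img extensions the article names, and it goes one step further than the text by also checking for the ISO 9660 "CD001" volume-descriptor signature so that an image renamed to another extension is still caught. All sample messages, sender addresses and attachment contents are constructed for the example.

```python
"""Flag disk-image (ISO/IMG) e-mail attachments of the kind used as Remcos
lures in the campaigns described above.  Added example; the sample messages
are constructed inline, not taken from the real campaigns."""
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions the article names as the Remcos lure carriers.
DISK_IMAGE_EXTENSIONS = {".iso", ".img"}

# ISO 9660 volume descriptors begin at byte 0x8000 (sector 16); the standard
# identifier "CD001" sits at offset 0x8001.  Checking it catches images whose
# extension was changed to hide their type.
ISO9660_MAGIC = b"CD001"
ISO9660_MAGIC_OFFSET = 0x8001


def looks_like_iso9660(data: bytes) -> bool:
    """True if the payload carries an ISO 9660 volume descriptor signature."""
    end = ISO9660_MAGIC_OFFSET + len(ISO9660_MAGIC)
    return len(data) >= end and data[ISO9660_MAGIC_OFFSET:end] == ISO9660_MAGIC


def file_extension(name: str) -> str:
    """Lower-case extension including the dot, or '' if there is none."""
    base = name.rsplit("/", 1)[-1]
    return base[base.rfind("."):].lower() if "." in base else ""


def find_disk_image_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment that is, or looks like, a disk image."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if file_extension(name) in DISK_IMAGE_EXTENSIONS:
            reasons.append("disk-image extension")
        if looks_like_iso9660(payload):
            reasons.append("ISO 9660 signature")
        if reasons:
            findings.append({"filename": name, "size": len(payload), "reasons": reasons})
    return findings


def _message(subject: str, sender: str, filename: str, data: bytes) -> bytes:
    """Build a constructed test message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def fake_iso_image() -> bytes:
    """Constructed stand-in for an ISO 9660 image: 16 empty sectors, then a
    primary volume descriptor header (type byte 1 + 'CD001'), then padding."""
    return bytes(0x8000) + b"\x01" + ISO9660_MAGIC + bytes(2048 - 6)


def build_sample_messages() -> dict:
    """Constructed messages modelled on the lures the article describes
    (loan-themed, health-alert-themed); none are real campaign samples."""
    return {
        "img_by_extension": _message(
            "COVID-19 disaster loan application", "loans@sba.example.invalid",
            "Loan_Form.img", b"\x00" * 512),          # flagged by name alone
        "iso_renamed_as_pdf": _message(
            "Health Alert Network update", "han@cdc.example.invalid",
            "Alert.pdf", fake_iso_image()),            # flagged by signature only
        "benign_pdf": _message(
            "Invoice", "billing@example.invalid",
            "invoice.pdf", b"%PDF-1.4\n%%EOF\n"),     # must not be flagged
    }


def scan_all(messages: dict) -> dict:
    """Map each sample message name to its list of findings."""
    return {name: find_disk_image_attachments(raw) for name, raw in messages.items()}


if __name__ == "__main__":
    for name, findings in scan_all(build_sample_messages()).items():
        print(name, "->", findings or "clean")
```

The extension check alone would miss the second sample, and the signature check alone would miss an IMG file that is not ISO 9660 formatted (a raw FAT image, for instance), which is why a gateway rule should combine both and, in practice, simply quarantine disk-image attachments from external senders unless a business need exists.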
In the past month, the SBA and its loan programs for small businesses affected by COVID-19 have been spoofed by other fraudsters looking to send out phishing emails or lead victims to misleading domains (see: Latest Phishing Campaigns Spoof Federal Reserve, SBA).