Organizations Targeted With Ransomware, Infostealer
Two recently uncovered phishing campaigns used COVID-19 themes as a lure in an attempt to spread ransomware and information stealers, according to Palo Alto Networks’ Unit 42 division.
See Also: Role of Deception in the ‘New Normal’
The campaigns targeted healthcare organizations, research facilities and government agencies in the U.S., Canada, Europe and elsewhere.
The security protocols used by the organizations that these campaigns targeted apparently stopped the attacks before they could penetrate networks and devices, according to Unit 42’s research report.
Both campaigns used information about the COVID-19 pandemic to entice victims to open phishing emails that contain either a malicious link or an attached file that contains malware. These types of attacks have grown more common over the last several months as cybercriminals refine their tactics to take advantage of the health crisis (see: Phishing Campaigns Leverage Latest COVID-19 Themes).
“The common themes we’ve seen are malicious emails using subjects containing ‘COVID-19’ in the subject line and/or attachment name, as well as domains being registered containing terms like ‘COVID,’ ‘virus,’ and ‘corona,'” Adrian McCabe, senior threat researcher at Unit 42, tells Information Security Media Group. “While not all of these domains are malicious, all of them should be treated as suspect when visiting.”
One of the newly discovered phishing campaigns attempted to spread EDA2 – an open source ransomware variant – to target a Canadian government health organization that is engaged in the COVID-19 response efforts as well as Canadian universities that are conducting COVID-19 research, the report notes.
The campaign, which took place March 24-26, used phishing emails sent from a spoofed address designed to resemble the World Health Organization, Unit 42 notes. The messages contained a malicious attachment that, if opened, could have infected devices with the ransomware.
The other campaign involved sending spam in an attempt to spread AgentTesla, an information stealer. This malware, which was first spotted in 2014, has proven popular with business email compromise fraudsters, researchers note.
This campaign targeted healthcare organizations and research facilities in Japan, an unidentified U.S. defense research organization, a Turkish government agency as well as other technology and communications firms in Canada, Germany and the U.K., Unit 42 notes.
The analysis found that the attackers sent the phishing emails from a fake address: firstname.lastname@example.org. These messages included a malicious attached document disguised as a notice to COVID-19 equipment suppliers.
An unidentified Palo Alto Networks customer received one of these malicious messages on March 17, the report notes.
Lack of Sophistication
Both campaigns used relatively basic phishing tactics, the researchers say.
In the ransomware campaign, for example, the attackers used phishing emails to send malicious macros in rich text format. Once a victim opened the attached file, the attackers exploited CVE-2012-0158 – a remote code execution flaw in Widows devices – to deliver the payload, the report says.
But the attackers’ phishing tactics were sloppy, researchers say.
Recent ransomware note from a COVID-19 phishing attack (Source: Palo Alto Networks)
“It is interesting to note that even though the file name clearly references a specific date (March 23, 2020), the file name was not updated over the course of the campaign to reflect current dates,” the report notes. “It is also interesting that the malware authors did not attempt to make their lures appear legitimate in any way; it is clear from the first page of the document that something is amiss.”
If a victim ran the ransomware code, certain files would have been encrypted and a ransom note demanding a payment of 0.35 bitcoin ($2,350) would have been downloaded, according to the report.
“The silver lining is that these campaigns were not sophisticated by any means, and these are a classic example of an attacker merely attempting to take advantage of people’s curiosity toward any particular topic that is popular at a given time,” McCabe says.
Uptick in Phishing Email
Earlier this month, security agencies in the U.K. and U.S. warned about ongoing cybercrime campaigns tied to COVID-19 themes (see: UK and US Security Agencies Sound COVID-19 Threat Alert).
Other reports have noted that ransomware gangs are still targeting hospitals and healthcare organizations during the pandemic (see: No COVID-19 Respite: Ransomware Keeps Pummeling Healthcare).