Following the latest developments of the emergence of the novel coronavirus disease 2019 (COVID-19) which has brought disruptive changes in our daily lives and chaos throughout the three-sector economic model – primary (raw materials), secondary (manufacturing), tertiary (services), unfortunately we are observing an increasing risk on cybersecurity threats related to COVID-19.
In particular, Obrela Security Industries (OSI) observed an extensive list of newly registered COVID-19-related domains and a surge of highly sophisticated, crafted COVID-19 themed phishing emails. Bad actors are using these techniques and are trying to lure victims into reacting on these phishing emails by promising that email attachments and links contain information about COVID-19.
Key Findings
Malicious entities in their effort to increase their credibility, will often impersonate trusted and reputable organizations, such as the World Health Organization, in order to get users to open attachments or click on malicious links.
Existing phishing campaigns which are capitalizing on the coronavirus panic, can serve as template and adjusted accordingly in order to target specific groups (countries, industries, individuals).
The number of newly registered domains related to coronavirus has increased since the outbreak of the virus. This is a clear indication that cybercriminals are setting up their infrastructure to support malicious activities.
What to do to protect your business
Below are some tips that can help you defend against the above real-world cyber-attacks and reduce the risk of infection via botnet spam:
- All emails with Coronavirus-themes and attachments should be treated with caution, even if they don’t appear to be directly health-related. Cybercriminals are taking advantage of fears surrounding the Coronavirus
- Be vigilant about phishing emails, raise the cyber security awareness of the employees and continuously measure the effectiveness of the output. Educate and inform the employees regarding the dangers associated with opening attachments on unusual emails. Consider implementing a training program to improve the employees’ awareness of cyber security and improve their ability to spot and report suspicious emails
- Review, update and implement the organization-wide patch management life-cycle process. Determine the priority of the patches and schedule the patches for deployment. Ensure that patches are deployed in a timely manner
- Have an incident response plan in place to mitigate the risks of being a victim of the latest cyber-attacks. An incident response plan helps ensure an orderly, fast and effective response to cybersecurity incidents. It is crucial for your team to quickly escalate, contain and recover from security incidents before further damage can take place
- Segregate networks to isolate critical infrastructure and assets from potential threats and limit the malware’s ability to spread
- Install security updates as soon as they become available in order to fix exploitable vulnerabilities in your products. Make sure that critical security point solutions, deployed throughout your environment like endpoint detection and response (EDR) and anti-virus solutions, are always up to date
- Use two-factor authentication, wherever possible, to authenticate users so that if malware steals credentials, they can’t be reused
- Practice the principle of least privilege for file, directory, and network share permissions. Do not provide users with any more privileges than are strictly necessary
- Utilize deployed email content scanning solutions with email content filters and dynamic email analysis sandboxing capabilities in order to prevent malicious content from reaching users and reduce the likelihood of compromise
- Review the use of macros within your environment. Disable macro scripts from Office files transmitted via email and where possible, it is recommended to block macros from the internet and only allow macros to execute from trusted locations and after approval has been given from personnel whose role is to vet and approve macros
- Practice good cyber hygiene. It is a fundamental requirement of risk mitigation and helps your organization protect valuable and sensitive information
- Implement application whitelisting using software restriction policies and controls. The goal is to better control the process of application deployment and ensure that only essential and approved applications are running on a machine
- Employ best practices for securing Remote Desktop Connections. Properly securing your remote desktop connections is vital because of the capabilities and the extensive use of the remote desktop solution. Use strong passwords, don’t save login credentials in your RDP files, limit administrators who don’t need RDP, use lockout policies are some of the necessary steps you should take in order to improve the security of remote desktop connections
- Continuously monitor your environment and act when necessary. Advanced Managed Detection and Response (MDR) service’s capabilities provide a holistic approach in dealing with a wide variety of cyber security threats. OSI MDR services can proactively and effectively help your organization throughout the entire life cycle of the incident management process, in order to resolve the incident as quickly as possible and with the least impact on businesses processes.
Active campaigns:
OSI detected that an increasing number of actors and malware are employing the above-mentioned techniques. An indicative list of active campaigns can be found below:
Trickbot campaign
Targets coronavirus outbreak and fears in Italy. Specially crafted spam email, written in Italian, and targeting Italian e-mail addresses. The e-mail contains a Word document purported to be a list of precautions measures. But the reality is that the enclosed file is a weaponized Microsoft Word document which contains a Visual Basic for Applications (VBA) script that carries a dropper used to deliver a new Trickbot variant.
Latest Indicators of Compromise (IOCs)
- Network indicators (URL/IP)
hxxps://185[.]234.73.125/wMB03o/Wx9u79.php
23[.]19.227.235
- File hashes
dd7023dd82b641c9307566b87acf0951f16b27c34094a341fa1fe7671d269bf4
58e918466a61740abe42a2d1ca29bd8d56daf53912e6d65879cbe944466fb80c
8e3240a2a6b07ae8a6fde884c0e18e476ca3e92438022fe1a1ad4b2ba2334737
Emotet campaign
Emotet is an advanced, self-propagating Trojan. It was originally targeting organizations and companies in the banking and finance sector. Nowadays, the Emotet malicious malware is spreading via coronavirus-themed spam emails. There were identified cases of spam campaigns targeting users in Japan that employ the coronavirus scare as a lure to trigger people to open malicious emails. The text content of the phishing email is written in Japanese and the e-mail contains Microsoft Office files which are weaponized with macros that, when run, would deliver a variant of the Emotet Trojan.
Latest Indicators of Compromise (IOCs)
- Emotet is so destructive and pervasive that there is a Twitter feed (here) updating the security community on the latest Emotet IoCs on a daily basis
AZORult trojan
It is a coronavirus-themed email attack which is targeting the shipping industry by leveraging the concerns and fears over COVID-19 and its impact on global shipping industry. AZORult is an information-stealing trojan which exfiltrates sensitive data from a compromised system and can steal browsing history, cookies, ID/passwords, cryptocurrency and more. In addition, there is also a variant of the AZORult that creates a new, hidden administrator account on the infected machine in order to allow Remote Desktop Protocol (RDP) connections. The malicious e-mail contains a weaponized Microsoft Word document which exploits the CVE-2017-11882 vulnerability. Once the attachment is opened the AZORult trojan is installed on the compromised system. According to our research, the malicious emails are originating from groups in Russia and Eastern Europe.
Latest Indicators of Compromise (IOCs)
- Network indicators (URL/IP)
http://gdrintl[.]com/lead/p[.]exe
http://77[.]68.114.124/index.php
http://212.227.164.164/index[.]php
http://212[.]227.164.228/index[.]php
http://gdrintl[.]com/lead/dyk.exe
http://gdrintl.com/lead/fine%20boy[.]exe
http://gdrintl.com/lead/allofus[.]exe
http://77.68.115.33/index[.]php
http://gdrintl.com/lead/slim[.]exe
- File hashes
7e71eda28ecca392d6e86a9004c3bd38c7cbdf79399e90742feac5fa066aba66 a6abe3b046e8bdcfb33fa9776195fbb89a3e4218f6bb281aedd15f28fe1f4818 bad303ab4b68379128469e3be92d5bf3b23ec7bb285a260b1fadeead3fe43bbf bc55f494359805cc4d89f6812c3a1a14d593d9ead82267dcae7029dcbddebcab be2201940b246ae89cae4f6d0a691a1092289868230f1da85f9142d180709744
681297a82e85822a1cb5a58296a515151f417bb8aafe5d4505d2219b4fe61438 70576eb8cd35093b1ef56da7fb39bf88f32c57f410484d613b5028cecbb1b0df
f34e64f4e7be7e6b2c665700ec513b4783e570a4de2087ac9511f152d812b2f5 f4b4158338fe30016fb7034b70bc3babcee3be21ea5c214451d83e3cb31233d8
In addition to the above technique to spread the AZORult trojan, security researchers have identified and reported that malicious actors have developed an alternative technique in order to successfully spread and deliver the AZORult trojan – a weaponized coronavirus map similar to the original Johns Hopkins University coronavirus map.
Latest Indicators of Compromise (IOCs)
- Network indicators (URL/IP)
Coronavirusstatus[.]space/index.php
api.telegram.org
ipapi.co/json
ocsp.digicert[.]com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
gisanddata.maps.arcgis[.]com
https://js.arcgis.com/3.31/dijit/form/_ListBase[.]js
https://js.arcgis.com/3.31/dijit/form/MappedTextBox[.]js
104.24[.]103.192:80
149.154[.]167.220:443
104.26[.]9.44:443
93.184[.]220.29:80
18.205[.]183.153:443
54.192[.]87.49:443
- File hashes
0b3e7faa3ad28853bb2b2ef188b310a67663a96544076cd71c32ac088f9af74d
2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307
126569286f8a4caeeaba372c0bdba93a9b0639beaad9c250b8223f8ecc1e8040
203c7e843936469ecf0f5dec989d690b0c770f803e46062ad0a9885a1105a2b8
13c0165703482dd521e1c1185838a6a12ed5e980e7951a130444cf2feed1102e
Fda64c0ac9be3d10c28035d12ac0f63d85bb0733e78fe634a51474c83d0a0df8
Lokibot trojan
Coronavirus-themed malicious spam campaign, targeting users in China. The malicious spam campaign claimed to be from the Ministry of Health of the People’s Republic of China. The phishing e-mail contains a malicious .arj file (Windows RAR archive file), purported to be a list of precautions measures. Once the victim opens the attachment, it results in a Lokibot trojan infection. Lokibot has keylogging capabilities for stealing sensitive personal information.
Latest Indicators of Compromise (IOCs)
- Lokibot is most commonly seen to send a POST request to <DOMAIN>/subdir/subdir1/../fre[.]php, although other less-common patterns have also been observed in the wild (e.g. <DOMAIN>/subdir/subdir1/cat[.]php)
- Network indicators (URL/IP)
http://kbfvzoboss[.]bid/alien/fre.php
http://109.169.89.118/bgbb/vbc[.]exe
http://seacrafts[.]ru/presh2/Panel/fre.php
198.23.200[.]241
http://mastervisacloudesystemprtomicrosftwareus[.]duckdns.org/bgbb/vbc.exe
http://23.95.132.48/~main/[.]isuoxiso/w.php/lSeKTE1ZsfI3A
http://chneswealstdy8thandorganisationjokbo.duckdns[.]org/secure/svchost.exe
http://posqit.net/vcv/120131078[.]exe
http://bibpap.com/ed/pin[.]php
http://bibpap.com/amb/pin[.]php
http://didxbooks.com/3yt00/pin[.]php
http://posqit.net/vcv/306517[.]exe
- File hashes
c93abb57b2b669f8e9a8b4695fe865aea3f0c0e74deafa99e805900b110552e1
385bbd6916c88636a1a4f6a659cf3ce647777212ebc82f0c9a82dc4aea6b7c06
17d54bca1bd7c11beecfc77b25e966b745b9cf281f2c1c88c99a83f807aec335
Agent Tesla
It is an advanced RAT malware that has keylogging capabilities for stealing email credentials and passwords from browsers. The threat actors have impersonated the World Health Organization (WHO) and have sent out malicious email messages using the subject line “Attention: List Of Companies Affected With Coronavirus March 02, 2020.” that contained a malicious attachment that dropped the Agent Tesla Keylogger. The phishing e-mail contains a malicious attachment which is labeled as “SAFETY PRECAUTIONS” and has a .exe extension. The icon of the executable is a Microsoft Office Excel file, and intends to trick the end user into believing that the attachment is indeed an Excel document.
Latest Indicators of Compromise (IOCs)
- Network indicators (URL/IP)
Postmaster[@]mallinckrodt[.]xyz
brentpaul403[@]yandex[.]ru
hxxps://healing-yui223.com/cd[.]php
hxxps://www.schooluniformtrading[.]com[.]au/cdcgov/files/
hxxps://onthefx[.]com/cd[.]php
hxxps://urbanandruraldesign[.]com[.]au/cdcgov/files
hxxps://gocycle[.]com[.]au/cdcgov/files/
150[.]95[.]52[.]104
118[.]127[.]3[.]247
153[.]120[.]181[.]196
112[.]140[.]180[.]26
13[.]239[.]26[.]132
- File hashes
05adf4a08f16776ee0b1c271713a7880
ef07feae7c00a550f97ed4824862c459
- YARA Rules
PM_Intel_AgentTesla_36802