{"id":16776,"date":"2020-03-11T14:15:44","date_gmt":"2020-03-11T18:15:44","guid":{"rendered":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/?p=16776"},"modified":"2022-10-14T18:26:52","modified_gmt":"2022-10-14T22:26:52","slug":"hackers-are-using-coronavirus-phishing-to-target-workers","status":"publish","type":"post","link":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/hackers-are-using-coronavirus-phishing-to-target-workers.html","title":{"rendered":"Hackers are using CoronaVirus Phishing to Target Workers"},"content":{"rendered":"\n<p>Hackers are constantly looking to use relevant information as a way to get unsuspecting people to click on their phishing messages. Since the WHO classified the COVID-19 CoronaVirus as a pandemic today, the number of emails relating to the topic is expected to grow even further. Messages will pertain to canceled business, sporting and social events.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"694\" src=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2020\/02\/riskiq-people-and-amp-culture-dream-team-1000x694.jpg\" alt=\"\" class=\"wp-image-16586\"\/><\/figure>\n\n\n\n<p>These will be mixed in user inboxes with malicious messages\nhoping for a click.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.apextechservices.com\/services\/it-security-consulting.aspx\">Cybersecurity<\/a>\nleader <a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/?s=RiskIQ+\">RiskIQ<\/a>\nreleased a report regarding the new threats to be on the lookout for. 
You may\nrecall the company recently put out a report which we covered: <strong><a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/latest-mobile-threats-include-adware-tax-scams-fleeceware-and-black-friday-scams.html\">Latest\nMobile Threats Include Adware, Tax Scams, Fleeceware and Black Friday Scams<\/a><\/strong><\/p>\n\n\n\n<p>Here is what you need to know about this new report:<\/p>\n\n\n\n<p><strong>Current Malware Phishing Operations<\/strong><\/p>\n\n\n\n<p><em><strong>AZORult<\/strong><\/em><\/p>\n\n\n\n<p>As early as late January 2020, malware distributors launched\na <a href=\"https:\/\/www.scmagazine.com\/home\/security-news\/cybercrime\/phishing-emails-lure-victims-with-news-of-coronavirus-impact-on-shipping\/\">campaign<\/a>\nwith phishing emails that targeted companies whose supply chain operations and\nrevenue streams the outbreak could disrupt. The targeted businesses came from a\nvariety of sectors, including manufacturing, industrial, finance,\ntransportation, pharmaceutical, and cosmetics.&nbsp;<\/p>\n\n\n\n<p>The perpetrators have been sending emails with malicious\nMicrosoft Word documents attached. The attachments install the <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.azorult\">AZORult<\/a>\nmalware, a credential and payment card information-stealer. Attackers have used\nAZORult via an exploit for <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/vulnerabilities-and-exploits\/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild\">CVE-2017-11882<\/a>,\nwhich is a remote code execution flaw in Microsoft Equation Editor. 
When\nexploited successfully, the flaw allows attackers to execute remote code on a\nvulnerable machine once the malicious document is opened\u2014even without user\ninteraction.<\/p>\n\n\n\n<p>(We have been unable to identify the cybercriminals behind\nthe AZORult phishing campaign, but our initial suspicion is that they are based\nin Russia or Eastern Europe because this is where this particular malware is\nmost commonly <a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/2020_new-azorult-campaign-abuses-popular-vpn-service-to-steal-cryptocurrency\">bought\nand sold<\/a>.)<\/p>\n\n\n\n<p><em><strong>Emotet<\/strong><\/em><\/p>\n\n\n\n<p>Similarly, in Japan, phishing <a href=\"https:\/\/securityintelligence.com\/posts\/emotet-activity-rises-as-it-uses-coronavirus-scare-to-infect-targets-in-japan\/\">scams<\/a>\nare spreading the Emotet Trojan by using malicious messages that purport to\ncontain information about coronavirus. This scam capitalizes on a user&#8217;s desire\nto learn more about the coronavirus threat. Included in the emails are\nMicrosoft Office attachments that use malicious macros to infect recipients\nwith Emotet.&nbsp;<\/p>\n\n\n\n<p>Security researchers first identified the <a href=\"https:\/\/www.malwarebytes.com\/emotet\/\">Emotet Trojan<\/a> in 2014 when it\nwas deployed against the financial sector. Emotet uses functionality that helps\nthe software evade detection by some anti-malware products. It also has\nworm-like capabilities that help it spread to other connected computers. 
This\nfunctionality has led the Department of Homeland Security to conclude Emotet is\none of the most costly and destructive pieces of malware, affecting government\nand private sectors as well as individuals and organizations.&nbsp;<\/p>\n\n\n\n<p>In 2019, cybercriminals made Emotet even more dangerous by <a href=\"https:\/\/healthitsecurity.com\/news\/emotet-trojan-resurfaces-hijacking-email-content-from-victims\">updating<\/a>\nits attack methods with the ability to send victims emails from past messages,\nsteal credentials from its victims to send outbound messages, and hijack victims&#8217;\nemail accounts. These techniques make it easier for hackers to trick users into\nthinking they are responding to a legitimate email.<\/p>\n\n\n\n<p><em><strong>Social Engineering<\/strong><\/em><\/p>\n\n\n\n<p>Another <a href=\"https:\/\/www.healthcareitnews.com\/news\/coronavirus-outbreak-used-hackers-spread-malware\">campaign<\/a>\ncybercriminals are having success with capitalizes on conspiracy theories\nclaiming the existence of &#8220;unreleased cures&#8221; being kept from the\npublic. While these attacks initially targeted people in the United States and\nJapan, there is some evidence the perpetrators are now targeting Australia and\nItaly. The email urges recipients to click on an embedded link to receive\ninformation about the &#8220;cure.&#8221; The link then leads users to a fake\nDocuSign page where they&#8217;re encouraged to share personal credentials to receive\nthe information.<\/p>\n\n\n\n<p><strong>Beware of Fake Domains<\/strong><\/p>\n\n\n\n<p>Some <a href=\"https:\/\/www.bankinfosecurity.com\/more-phishing-campaigns-tied-to-coronavirus-fears-a-13709\">phishing<\/a>\ncampaigns are incorporating fake domains designed to look like the U.S. Centers\nfor Disease Control and Prevention (CDC) and the WHO. 
Links to these <a href=\"https:\/\/www.kaspersky.com\/blog\/coronavirus-phishing\/32395\/\">fake domains<\/a>,\ne.g., cdcgov.org or cdc.gov.org, are sent via phishing emails and appear to\ncome from the CDC (CDC&#8217;s legitimate site is cdc.gov). The emails urge victims\nto click on a link to download a document on health and safety measures\nregarding the spread of coronavirus. Victims believe the link is taking them\nto the CDC website, but it redirects them to a fake site that looks like a\nMicrosoft Outlook login page. Here, victims are asked to enter their username\nand password.&nbsp;<\/p>\n\n\n\n<p>Cybercriminals are using a similar method with fake WHO\ncredentials. In these cases, if users click the link in the email, they are led\nto a webpage that looks similar to the WHO website. However, this fake site\ncontains a popup screen asking them to verify the username and password\nassociated with their email address. As with the phony CDC website scam, if\nsomeone enters their credentials, the information is sent to the attackers.<\/p>\n\n\n\n<p><strong>Same Old Health Scare Playbook&nbsp;<\/strong><\/p>\n\n\n\n<p>Many of the attack methods cybercriminals are using have\nbeen deployed during previous international health scares. The only significant\ndifference is the improvements they have made to their attack tools.<\/p>\n\n\n\n<p>Influenza Pandemic (2019): Cybercriminals conducted a\nmalspam campaign that pretended to be from the Centers for Disease Control and\nPrevention (CDC) about a new flu pandemic. 
The emails contained a malicious\nattachment that, when opened, installed the GandCrab v5.2 ransomware on the\ntarget&#8217;s computer (GandCrab fell out of favor in 2019, but was possibly\nreplaced by <a href=\"https:\/\/krebsonsecurity.com\/2019\/07\/is-revil-the-new-gandcrab-ransomware\/\">Sodinokibi\/REvil<\/a>\nransomware).<\/p>\n\n\n\n<p>Zika Virus (2016): Researchers discovered an email\npurporting to be from Sa\u00fade Curiosa, a health and wellness website in Brazil.\nWithin the email were links and attachments claiming to be instructions on how\nto eliminate the virus and the mosquitoes that spread it\u2014one of the links,\nwhich infected computers with a form of malware called JS.Downloader, was\nclicked more than 1,500 times. <a href=\"https:\/\/www.virustotal.com\/gui\/file\/8d9ae5ef2db13d01ad648bfb62342bc58875d9c921d26e4143b815f6d5ede9bc\/detection\">JS.Downloader<\/a>\nremains in use by attackers.<\/p>\n\n\n\n<p><strong>Ebola Outbreak (2014):&nbsp;<\/strong><\/p>\n\n\n\n<p>Cybercriminals sent emails with an attached report on Ebola.\nUsers who clicked on the report activated <a href=\"https:\/\/en.wikipedia.org\/wiki\/Zeus_(malware)\">Trojan.Zbot<\/a> (a.k.a.\nZeus) malware.&nbsp;<\/p>\n\n\n\n<p>Cybercriminals sent emails posing as a well-known telecom\nand ISP and offered a presentation on the Ebola virus. The email came with a\nzip file that installed <a href=\"https:\/\/www.symantec.com\/security_response\/earthlink_writeup.jsp?docid=2014-081508-0858-99\">Trojan.Blueso<\/a>\nmalware.<\/p>\n\n\n\n<p>Cybercriminals sent an email which claimed a cure for Ebola\nhad been discovered and that the news should be covering it. 
Users who clicked\non the link in the email were infected with <a href=\"https:\/\/www.enigmasoftware.com\/backdoorbreut-removal\/\">Backdoor.Breut<\/a>\nmalware.&nbsp;<\/p>\n\n\n\n<p>While none of these older malware families appear to be a\nsignificant threat to organizations today, cybercriminals continue to deploy\nsimilar or updated versions.<\/p>\n\n\n\n<p><strong>AIDS Virus (1989)<\/strong><\/p>\n\n\n\n<p>The first known healthcare-focused ransomware attack\ntargeted AIDS researchers in 1989 and was called the <a href=\"https:\/\/www.healthcareitnews.com\/news\/hackers-are-changing-their-approach-healthcare-ransomware-attacks\">\u201cAIDS virus\u201d<\/a>. This virus came on a floppy disk and scrambled the contents\nof its victims\u2019 computers by encrypting filenames and offering to unlock them\nin return for a \u201clicensing fee\u201d to be transferred to an offshore bank\naccount. Today, modern ransomware is produced by hackers who have benefited\nfrom decades of virus development and who take advantage of industry-standard\ncryptography to attack their targets.<\/p>\n\n\n\n<p><strong>Expect Ransomware Attacks Next&nbsp;<\/strong><\/p>\n\n\n\n<p>In the past, AZORult has been used to download ransomware as\na secondary infection. In 2018, cybercriminals used AZORult in a massive email\ncampaign to distribute Hermes ransomware. In this case, the victims first lost\ntheir credentials, cryptocurrency wallets, and more before losing access to\ntheir files in the subsequent ransomware attack. That same year, researchers\ndiscovered a new AZORult <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys\/\">variant<\/a>\ntargeting computers around the world. Those infected had the Aurora ransomware\ninstalled as well as the information-stealing Trojan. 
Likewise, in 2019, the <a href=\"https:\/\/www.tripwire.com\/state-of-security\/security-data-protection\/stop-ransomware-variant-installing-azorult-infostealer\/\">STOP\nransomware<\/a> family was deployed in conjunction with AZORult.<\/p>\n\n\n\n<p>The Emotet Trojan has also been used in conjunction with\nransomware. In 2019, Emotet was found to have <a href=\"https:\/\/threatpost.com\/emotet-summer-vacation-stolen-email-tactic\/148460\/\">partnered<\/a>\nwith TrickBot and Ryuk ransomware. This malware combo adapts Emotet to drop\nTrickBot and modifies TrickBot not only to steal data but also to download the\nRyuk ransomware, which encrypts the machine. In this <a href=\"https:\/\/www.cybereason.com\/blog\/one-two-punch-emotet-trickbot-and-ryuk-steal-then-ransom-data\">campaign<\/a>,\nthe attacker can take personal information, passwords, mail files, browser\ndata, registry keys, and more, before encrypting the victim&#8217;s machine and\nransoming their data.&nbsp;<\/p>\n\n\n\n<p>Consequently, RiskIQ assesses with a moderate-high level of\nconfidence cybercriminals will follow a pattern we&#8217;ve seen before. We expect\nthey will conduct layered attack campaigns similar to those of the recent past.\nAnd with a large pool of institutions, organizations, and individuals to\ntarget, they can be confident of success. Company executives, mid-level\nmanagers, administrators of local governments, and, of course, healthcare\nprofessionals all have a professional interest in following the latest\ndevelopments around the spread of coronavirus. 
And it only takes one tired or\noverworked individual to click on what he or she believes is a legitimate alert\nor update.<\/p>\n\n\n\n<p><strong>Mitigating Your Risk<\/strong><\/p>\n\n\n\n<ul><li>Do not click on links or open attachments in unsolicited email messages.<\/li><li>Run up-to-date security software on your computer.&nbsp;<\/li><li>Educate users to be on guard for threats, like Emotet, that arrive as emails appearing to be unexpected replies to older email threads, emails that seem out of context, or messages from familiar names that are sent from unfamiliar email addresses.<\/li><li>Ensure systems are patched on time.<\/li><li>Keep deployed endpoint detection and response (EDR) and anti-virus solutions up to date.<\/li><li>Segregate networks to limit the reach of self-propagating malware.<\/li><li>Review privileged access and privileged users to enforce the principle of least privilege.<\/li><li>Keep up to date on blacklists of malicious IPs and compromised websites.<\/li><li>Use an email security tool that features attachment inspection and disable the ability to run macros from attachments.&nbsp;<\/li><li>Regularly back up the data on your systems and store it offline or on a different network.<\/li><li>Encrypt your sensitive data.&nbsp;<\/li><li>Have an incident response plan ready.&nbsp;<\/li><\/ul>\n\n\n\n<p><strong>If you are looking for products and services to help you, consider:<\/strong><\/p>\n\n\n\n<ol><li><a href=\"https:\/\/www.riskiq.com\/products\/executive-guardian\/\">RiskIQ&#8217;s Executive Guardian<\/a>: RiskIQ uses internet-scale visibility to provide insight into emerging cyber threats. 
RiskIQ&#8217;s team of cybersecurity experts and former intelligence officers minimize the likelihood of private data falling into the wrong hands and maintain visibility into security risks resulting from data exposure to protect executives, key employees, and brand reputation.<\/li><li>Seek out a qualified <a href=\"https:\/\/www.apextechservices.com\/\">MSP<\/a>\u00a0or MSSP to ensure another set of eyes is on your systems to reduce the risk of an internal data theft incident.<\/li><li>Use <a href=\"https:\/\/www.phish360.com\/\">PHISH360<\/a> or another tool to train your users on what not to click. The service is free to try and could save you millions.<\/li><li>Register for the <a href=\"http:\/\/www.itexpo.com\/\"><strong>ITEXPO<\/strong><\/a><strong>\u00a0#TECHSUPERSHOW \u2013 <\/strong>It has been\u00a0<a href=\"https:\/\/www.itexpo.com\/east\/testimonials.aspx\">called the\u00a0BEST SHOW in 5 YEARS\u00a0and the\u00a0Best TECHNOLOGY EVENT of 2020<\/a>. It\u2019s the fastest-growing cybersecurity event.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"694\" src=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2020\/02\/ITEXPO-TECHSUPERSHOW-2020-1-collage2020-2-1000x694.jpg\" alt=\"\" class=\"wp-image-16500\"\/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Hackers are constantly looking to use relevant information as a way to get unsuspecting people to click on their phishing messages. Since the WHO classified the COVID-19 CoronaVirus as a pandemic today, the number of emails relating to the topic is expected to grow even further. 
Messages will pertain to canceled business, sporting and social<\/p>\n","protected":false},"author":44,"featured_media":13593,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[156],"tags":[2700,2751,1796,300,2325,270,2716],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/16776"}],"collection":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/comments?post=16776"}],"version-history":[{"count":3,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/16776\/revisions"}],"predecessor-version":[{"id":16780,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/16776\/revisions\/16780"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media\/13593"}],"wp:attachment":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media?parent=16776"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/categories?post=16776"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/tags?post=16776"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}