Group-IB experts found out which malware most often exploits the COVID-19 theme in its phishing mailings. Almost 65% of the malicious emails intercepted by experts carried “spyware” on board, and the AgentTesla Trojan headed the TOP-3 of the most actively exploited spyware during the coronavirus pandemic, followed by NetWire and LokiBot.
Meanwhile, in the underground, opinions about the exploitation of the current agenda divided: some of the attackers are trying to make money on the topic of COVID-19, offering promotions for their services, while other representatives of the darknet condemn such campaigns.Between February 13 and April 1, 2020, experts at the Information Security Incident Response Center (CERT-GIB) analyzed hundreds of phishing emails masked as information and commercial mailings about COVID-19.
Phishing emails contained various types of spyware in the attachment. Spyware turned out to be the most popular – 65%, backdoors – 31% are on the second place, about 4% fall on encryptors”, – say the researchers.
As for spyware, the most widely cybercriminals used AgentTesla (45%), NetWire (30%) and LokiBot (8%) Trojans.
Fake letters were written in English on behalf of authoritative international organizations related to health (WHO, UNICEF), as well as large international companies. Newsletters were sent to both the commercial and public sector employees in Eastern Europe.
Researchers give some examples:
On March 16, CERT-GIB recorded a new malicious mail allegedly on behalf of an employee of UNICEF, an international organization operating under the auspices of the UN. The recipient was asked to download the application to receive updates on the situation with COVID-19 and recommendations on how to protect its employees from this virus. To the fake email was attached an archive that contained Netwire, a trojan combining the functionality of a program to steal login passwords and a keylogger.
On March 27 and 28, CERT-GIB recorded two waves of HawkEye spyware with the Free face Mask theme. The letter was sent allegedly from the manager of a Chinese company – GALAXY ELECTRONIC INDUSTRIAL, and the recipients were Russian companies, including those from the energy sector. The letter said that the Chinese company allegedly launched a factory for the production of protective masks – there is an idea to start a joint business, you need to look at the certification of products in the attachment. Inside was the Mask 2020.rar RAR archive with the malicious executable Mask 2020.exe and a spyware program from the HawkEye family (aka HawkSpy).
On March 27, CERT-GIB recorded two encryptor mailings from oil and gas companies – more than 70 addresses were in the recipient list. Letters sent allegedly on behalf of Apteka.ru company and contained a presentation of “the best preventive measures for affordable price” under the heading “We give away the vaccine against coronavirus!” In addition, the sender of the letter offered the sale of anti-infective masks in any quantities. The letter contained a link to a web resource, from which was downloaded the ZIP archive with a malicious file inside – an updated version of the Aurora ransomware.
Although the percentage of phishing emails that parasitize on the topic of COVID-19 was generally low and accounted about 5% of all malicious traffic, attackers at hacker forums seek to use panic to boost their sales of malware.
For example, since February, a Java downloader, masked as an interactive distribution map of COVID-19 has been sold on the underground forum. The main route of infection is through regular phishing, and it assures the seller that it bypasses Gmail’s protection by using legitimate file extensions”, – say the researchers.
After infection, to the user is opened a map with current data from WHO and Johns Hopkins University, and any payload, for example, a malicious program for data theft, is loaded in parallel. Later – in March – researchers recorded such mailings with the AZORult stealer.
In addition, on underground sites experts recorded more than 500 ads with discounts and promotional codes for the period of the pandemic for DDoS services, spam mailings, and so on.
Because many companies have transferred their employees to remote work amid the threat of coronavirus, Group-IB experts predict an increase in the number of cyberattacks on computers, equipment (routers, video cameras) and insecure home networks.
Since the home network is not protected by the information security department of your company, attackers primarily may attack users on a remote site to get to the company’s infrastructure. At risk are employees of financial institutions, telecom operators and IT companies, and the goal of cyberattacks will be not only the theft of money or personal data, but penetration of the corporate infrastructure through the victim’s personal computer”, — says the CERT-GIB representative.
However, not all underground representatives are trying to make money on the news agenda related to the pandemic. Some of them condemn the exploitation of coronavirus topics in malicious campaigns:
Let me remind you that earlier we talked about the fact that the groups, owning the cryptographers DoppelPaymer and Maze promised to stop activity with respect to any medical organizations and institutions until the end of the pandemic. DoppelPaymer operators even promised to decrypt the data free if the attack accidentally affects doctors. However, Maze soon violated their Robin Hood regime.
