Threat actors are currently spreading malicious
Coronavirus themed health advisories via email which, when opened, deploy a
Remote Administration Tool (RAT) onto the systems of targets. This phishing
campaign has been traced back to APT36, a Pakistan-based group notable for
targeting Indian defense and government entities. Researchers at Malwarebytes
Labs’ Threat Intelligence Team note that the emails attempt to impersonate
Indian government officials and target residents of India. Once the payload is on the
target’s system, the threat actors have full control of that machine. However,
this is not the only group attempting to exploit COVID-19 to infect potential
targets.
Researchers
have observed nation-state actors from China, North Korea, and Russia attempting to exploit the coronavirus to spread their malware. In February, Russian hackers carried out a phishing campaign in which they hid a backdoor trojan in a document containing news on COVID-19. They then sent these
malicious documents to Ukrainian officials, claiming to be from the Ukraine
Center for Public Health. Toward the end of February, researchers have ob-
served North Korea using similar tactics to other nation states. Researchers
found that a group of North Korean hackers was sending South Korean officials
malware-infested documents disguised as COVID-19 response information. Re-
searchers also found that Chinese hackers were targeting both the Vietnamese and
Mongolian governments using malicious attachments. However, not all COVID-19
themed attacks are happening outside of the United States. Researchers at
Cofense discovered a phishing campaign targeting U.S. citizens, which claimed
to be an email from the Center for Disease Control.
The email differs from the attacks previously mentioned in that it
does not contain a document attached to it. Instead, the email tells the
recipient that a high-risk person is being monitored in their city. The email
then provides a fake link to the CDC’s website with more information. The user
is redirected to a fake Microsoft login page where, if entered, the user’s
credentials are harvested.
Staying safe during this time not only includes
practicing proper hygiene and social distancing measures but employing proper
cybersecurity awareness. Epidemics and natural disasters are, unfortunately,
frequently capitalized on by bad actors. When people are desperate for news, an
email claiming to be from your government’s health department can be quite
convincing. As always, be wary of unsolicited emails containing documents and
links. When in doubt of an email’s authenticity, it is best to exercise caution
and not to click links or download documents contained within the email.
Sources:
· https://www.bleepingcomputer.com/news/security/nation-backed-hackers-spread-crimson-rat-via-coronavirus-phishing/
https://cofense.com/threat-actors-capitalize-global-concern-coronavirus-new-phishing-campaigns/
