Threat actors are currently spreading malicious Coronavirus themed health advisories via email which, when opened, deploy a Remote Administration Tool (RAT) onto the systems of targets. This phishing campaign has been traced back to APT36, a Pakistan-based group notable for targeting Indian defense and government entities. Researchers at Malwarebytes Labs’ Threat Intelligence Team note that the emails attempt to impersonate Indian government officials and target residents of India. Once the payload is on the target’s system, the threat actors have full control of that machine. However, this is not the only group attempting to exploit COVID-19 to infect potential targets.
Researchers have observed nation-state actors from China, North Korea, and Russia attempting to exploit the coronavirus to spread their malware. In February, Russian hackers carried out a phishing campaign in which they hid a backdoor trojan in a document containing news on COVID-19. They then sent these malicious documents to Ukrainian officials, claiming to be from the Ukraine Center for Public Health. Toward the end of February, researchers observed North Korea using tactics similar to those of other nation states. Researchers found that a group of North Korean hackers was sending South Korean officials malware-infested documents disguised as COVID-19 response information. Researchers also found that Chinese hackers were targeting both the Vietnamese and Mongolian governments using malicious attachments. However, not all COVID-19 themed attacks are happening outside of the United States. Researchers at Cofense discovered a phishing campaign targeting U.S. citizens, which claimed to be an email from the Center for Disease Control.
The email differs from the attacks previously mentioned in that it does not carry an attached document. Instead, the email tells the recipient that a high-risk person is being monitored in their city and provides a fake link, presented as the CDC’s website, for more information. Following the link redirects the user to a fake Microsoft login page, where any credentials entered are harvested.
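A detection heuristic for the link-based lure described above, written here as an added example and not part of the original article: it parses an HTML email body with Python's standard library and flags anchors whose visible text names one host (such as cdc.gov) while the underlying href points to a different site. The sample message and all hostnames in it are constructed placeholders, not indicators from the campaign.

```python
"""Flag <a> elements in an HTML e-mail whose visible text names one host
(e.g. cdc.gov) while the underlying href leads somewhere else."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-cased hostname of a URL or of a bare domain such as 'cdc.gov'."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()

def _same_site(a, b):
    """True when one host equals or is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def find_deceptive_links(html_body):
    """Return (href, text) pairs where the text shows a host the link does not go to."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    flagged = []
    for href, text in collector.anchors:
        shown = re.search(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", text, re.I)
        if shown and not _same_site(_host(href), _host(shown.group(1))):
            flagged.append((href, text))
    return flagged

# Constructed sample modelled on the CDC-themed lure; hostnames are placeholders.
SAMPLE_EMAIL = """<p>A high-risk person is being monitored in your city.</p>
<p>Details: <a href="http://cdc-gov-alerts.example/login">https://www.cdc.gov/coronavirus</a></p>
<p>Official site: <a href="https://www.cdc.gov/">www.cdc.gov</a></p>"""

if __name__ == "__main__":
    for href, text in find_deceptive_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: text shows {text!r} but link goes to {href}")
```

Only anchors whose visible text contains a domain are judged, so a "Click here" link is not flagged by this check and still needs the usual inspection of its destination.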
Staying safe during this time includes not only practicing proper hygiene and social distancing measures but also employing proper cybersecurity awareness. Epidemics and natural disasters are, unfortunately, frequently capitalized on by bad actors. When people are desperate for news, an email claiming to be from your government’s health department can be quite convincing. As always, be wary of unsolicited emails containing documents and links. When in doubt about an email’s authenticity, it is best to exercise caution and not click links or download documents contained within the email.