Attackers Continues to use Coronavirus as Malware Lure

Attackers have continued to use the Coronavirus outbreak as a lure for malware implantation and other iniquitous actions.
FortiGuard Labs has released a report detailing some of the different campaigns they have observed being employed in various geographies.

Preying on the element of human curiosity is one of the most used techniques in order gain the confidence of, and subsequently attack, those looking for updated information on a global issue.
As news of increasing numbers of affected countries continues in the media, attackers are using these escalating fears to provide incorrect information and potentially deliver malware to victims.

During the initial public reporting on the virus, attackers used several different types of malware to gather information, infiltrate networks, and spoof legitimate organizations, such as the WHO, to perpetuate their end goals.
As previously reported, malware campaigns using Emotet, Remcos RAT, and Lokibot have been discovered through analysis of various types of emails.

The latest campaign is targeting Italy, using official looking emails claiming to be from the WHO, even going so far as to using the official WHO logo.
Trickbot has been observed in the wild as attachments to emails purporting to be from legitimate sources with information about the Coronavirus.

In the current attacks targeting Italy, a spearphishing email is being circulated with an infected Word document which uses a similarly named document scheme.
The email urges the recipient to open the document to receive critical information and further guidance.
Should the reader open the document and enable macros, connections to two URIs are attempted.
Additionally, more than 9000 lines of obfuscated JavaScript is embedded in the document.

The TTPs used in this campaign suggest the actors behind it are same actors behind Trickbot.
Finally, an email using the FedEx logo and containing information on possible delays for deliveries due to the effects of the Coronavirus contains what appears to be a PDF file.
It is actually an executable file that infects the victim with the Lokibot Infostealer which exfiltrates data to a URL

Please click on contact us and test if you are exposed to such threats today

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment