COVID-19 Malspam Activity Ramps Up
Back in February, we reported on two Coronavirus-themed phishing emails. But just as the real virus spreads rapidly around the world, so too have the scams. Cyber criminals, proving beyond doubt they are completely devoid of morals, have ramped up their activities, unashamedly using all manner of Coronavirus lures to trick people. We are now seeing dozens of different email campaigns per day. Below are samples collected from our systems that some of what is currently out there.
Sample 1: Coronavirus: Informazioni important su precauzioni
This email is in Italian, directed at a country worst hit by the virus to date.
The Google translation is roughly as follows:
Important information on precautions
Dear Sir / Madam, Due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message!
Best regards
The attachment is a DOCX Word document “f21203392637.doc” which contains a macro, which when executed leads to malware being dropped onto the system, firstly C:\MyImages\presskey.cmd, which is a simple loader for C:\MyImages\presskey.jse. This malware is known as OSTAP and functions to download the notorious Trickbot, a modular information stealer.
IOCs
File: f21203392637.doc
MD5: 27364e982d6e312cabc4761146c6232a
SHA1: 9569fd971a91da00697df887d1b5ca2054c9f7bc
File: presskey.jse
MD5: c2b60205f820384deb77b031cbd9bbc3
SHA1: 63e853ed3a6332cbbb2e105d23e3b6be2452de1d
File: presskey.cmd
MD5: 7d71ae4c172bf8b3066c695d933293de
SHA1: 04f1cfcd27dfbce7e0ba60c10099e1d6fb4c88e7
Sample 2: W.H.O. CORONAVIRUS SAFETY & PREVENTIVE MEASURES
This email, purporting to be from the World Health Organization, urges users to check the attachment for “health and preparedness steps”. The attachment is a RAR archive, containing an executable which is Hawkeye, a keylogger and information stealer.
IOCs
File: WORLD HEALTH ORGANIZATION_PDF.gz (RAR Archive)
MD5: 78faa018586fdf4687514b612948d5a2
SHA1: 506c5f70924d1e4402b520efe47fcea26b8b6c59
File: WORLD HEALTH ORGANIZATION_PDF.exe
MD5: 34605433544389bfeaf0e04aa02d9bd8
SHA1: 417553ee661efb459276135ba8be80dbbbed2466
Sample 3: Coronavirus disease (COVID-19) outbreak prevention and cure update.
Another sample purporting to be from the WHO, which states it has information on “common drugs to take for prevention and fast cure”. Of course, there are attachments to view, both of which are archives, a RAR and a ZIP, and both contain an executable, which is also Hawkeye.
IOCs
FILE: Coronavirus Disease (COVID-19) CURE.zip
MD5: 534c585c20e1b23184f2130375ce500a
SHA1: e0c77de771522382d7bfb14eef76c948156a86c2
FILE: Coronavirus Disease (COVID-19) CURE.rar
MD5: c00499a62e7b03f7ea5ce269351bbe40
SHA1: 8bf18554535e013ed27c1eb4f695a37ecb50524f
FILE: Coronavirus Disease (COVID-19) CURE.exe
MD5: 8983fb4725e345acb1f8daf425a7abe7
SHA1: 129ee2d1d260ea67b4f820e126329004088bb3a8
Sample 4: Supplier-Face Mask
This email claims to be from a manufacturer of face masks that has “started mass production’, and that “demand exceeds supply”. The attachment “Face Mask Quote” contains an executable which is none other than Agent Tesla, a common and readily available keylogging and info-stealing RAT.
Agent Tesla likes to harvest credentials from browsers and other applications and exfiltrate that data via SMTP. To give you an idea of the kind of data that is captured, see the screenshot below:
IOCs
File: Face Mask Quote.zip
MD5: 2fe1dc441bb92eb91abe0c6b6e94b1c9
SHA1: 58e8a9cc00d76802e02a7fac207d894d62d5e818
File: Face Mask Quote.exe
MD5: c5f220a7ac314a7570d827d4b72a1bfb
SHA1: 9649f2902f36e2708f4870bf4aa84c1b75e19aad
Sample 5: WHO Donate Now
Unlike the others, this email does not contain malware. Again it purports to be from the WHO, and merely asks you for bitcoins to support the cause. At the time of writing, this bitcoin wallet did not have any transactions against it, so hopefully, the campaign was a FAIL for the bad guys.
Sample 6: Covid -19 Temporary Suspension of Activities
This email, interestingly from ‘thewho.com’ is badly written and claims:
“Here enclosed official statement on the current situations Globally. See attached upon reviews and Temporary suspension of activities.”
The email has an HTML attachment (as opposed to the HTML message body) WHO-COVID-19 Updates.pdf.HTM which contains php code that retrieves HTML content and crudely attempts to harvest email address and password credentials – in a completely untargeted way.
IOCs
FILE: WHO-COVID-19 Updates .pdf.HTM
MD5: 6b919c935b78a946608fe03576a67abf
SHA1: 739f0cb4308fb9b2a03e19338f32b9cb506489e7
Sample 7: Transfer Copy
This email claims to be from a supplier in China that, due to Coronavirus, has had delays in releasing payments. The attachment ‘Trnasfer_copy.pdf.z’ is a RAR archive that contains an executable, that is Agent Tesla.
IOCs
File: Trnasfer_copy.pdf.z (RAR archive)
MD5: 861a3c1efda0a3ae06a9f1fe5dec40ff
SHA1: da32b1b853dcde26d3eb18d7e96505bfe9a7f9eb
File: Trnasfer_copy.bat (PE File)
MD5: ee9c5c7aba58d3f70e52dad1eaf14b61
SHA1: a188bf4f4b4c3727163726cd5d9295fd56769766
Conclusion
Cyber criminals increasingly use social engineering techniques like those in these phishing emails to trick victims into infecting themselves with malware. They piggyback on the “tried and true” techniques that have been used by “confidence men” since the dawn of time. Those techniques take advantage of elementary emotions like greed, curiosity, and in these cases, the very valid fear of COVID-19. Fear can make anyone impulsive, but in these times it’s more important than ever to combat the misinformation that might pollute your inbox with facts.
Trustwave Secure Email Gateway (SEG) can detect and block the email scams that are mentioned in this blog.