SpiderLabs Blog

COVID-19 Malspam Activity Ramps Up | Trustwave

Written by Joshua Deacon, Homer Pacag, Rodel Mendrez, Phil Hay | Mar 31, 2020 5:00:00 AM

Back in February, we reported on two Coronavirus-themed phishing emails. But just as the real virus spreads rapidly around the world, so too have the scams. Cyber criminals, proving beyond doubt they are completely devoid of morals, have ramped up their activities, unashamedly using all manner of Coronavirus lures to trick people. We are now seeing dozens of different email campaigns per day. Below are samples collected from our systems that show some of what is currently out there.

Sample 1: Coronavirus: Informazioni important su precauzioni

This email is in Italian, directed at the country hardest hit by the virus to date.

The Google translation is roughly as follows:

Important information on precautions

Dear Sir / Madam, Due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message!

Best regards

The attachment is a DOCX Word document “f21203392637.doc” which contains a macro that, when executed, leads to malware being dropped onto the system: first C:\MyImages\presskey.cmd, a simple loader for C:\MyImages\presskey.jse. This malware is known as OSTAP and functions to download the notorious Trickbot, a modular information stealer.

IOCs

File:        f21203392637.doc
MD5:     27364e982d6e312cabc4761146c6232a
SHA1:    9569fd971a91da00697df887d1b5ca2054c9f7bc

File:        presskey.jse
MD5:     c2b60205f820384deb77b031cbd9bbc3
SHA1:    63e853ed3a6332cbbb2e105d23e3b6be2452de1d

File:        presskey.cmd
MD5:     7d71ae4c172bf8b3066c695d933293de
SHA1:    04f1cfcd27dfbce7e0ba60c10099e1d6fb4c88e7
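
The drop chain described for Sample 1 (a macro writing presskey.cmd, which in turn loads presskey.jse) is the kind of sequence endpoint telemetry can catch without any file hash. The Python below is an added example, not Trustwave's code: it runs three simple rules over constructed Sysmon-style file-create and process-create events; the WINWORD.EXE path, the command lines and the benign event are assumptions made up for the sample.

```python
import re
from pathlib import PureWindowsPath

# Office applications that should not be writing scripts or launching shells.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Extensions of the stagers in Sample 1 (.cmd loader, .jse payload) plus common siblings.
SCRIPT_EXTS = {".cmd", ".bat", ".jse", ".js", ".vbs", ".vbe", ".wsf", ".ps1"}
# Shells and script hosts a malicious macro typically chains into.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

def _name(path):
    return PureWindowsPath(path).name.lower()

def detect(events):
    """Return (rule, detail) pairs for events matching the macro drop chain."""
    hits = []
    for ev in events:
        if ev["event"] == "FileCreate":
            # Rule 1: an Office process writes a script file to disk.
            if (_name(ev["image"]) in OFFICE_APPS
                    and PureWindowsPath(ev["target"]).suffix.lower() in SCRIPT_EXTS):
                hits.append(("office_writes_script", ev["target"]))
        elif ev["event"] == "ProcessCreate":
            child, parent = _name(ev["image"]), _name(ev["parent_image"])
            # Rule 2: a shell or script host spawned directly by an Office app.
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                hits.append(("office_spawns_script_host", ev["command_line"]))
            # Rule 3: a script host running an encoded JScript (.jse) file.
            if child in {"wscript.exe", "cscript.exe"} and re.search(r"\.jse\b", ev["command_line"], re.I):
                hits.append(("script_host_runs_jse", ev["command_line"]))
    return hits

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"  # assumed install path
# Constructed Sysmon-style events modelling the Sample 1 chain; not real telemetry.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": WORD, "target": r"C:\MyImages\presskey.cmd"},
    {"event": "FileCreate", "image": WORD, "target": r"C:\MyImages\presskey.jse"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe", "parent_image": WORD,
     "command_line": r'cmd /c "C:\MyImages\presskey.cmd"'},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'wscript.exe "C:\MyImages\presskey.jse"'},
    # Benign: Word saving a normal document must not fire any rule.
    {"event": "FileCreate", "image": WORD, "target": r"C:\Users\alice\Documents\notes.docx"},
]

def sample_hits():
    return detect(SAMPLE_EVENTS)
```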

Sample 2: W.H.O. CORONAVIRUS SAFETY & PREVENTIVE MEASURES

This email, purporting to be from the World Health Organization, urges users to check the attachment for “health and preparedness steps”. The attachment is a RAR archive, containing an executable which is Hawkeye, a keylogger and information stealer.

IOCs

File:        WORLD HEALTH ORGANIZATION_PDF.gz (RAR Archive)
MD5:     78faa018586fdf4687514b612948d5a2
SHA1:    506c5f70924d1e4402b520efe47fcea26b8b6c59

File:        WORLD HEALTH ORGANIZATION_PDF.exe
MD5:     34605433544389bfeaf0e04aa02d9bd8
SHA1:    417553ee661efb459276135ba8be80dbbbed2466

Sample 3: Coronavirus disease (COVID-19) outbreak prevention and cure update.

Another sample purporting to be from the WHO, which states it has information on “common drugs to take for prevention and fast cure”. Of course, there are attachments to view, both of which are archives, a RAR and a ZIP, and both contain an executable, which is also Hawkeye.

IOCs

File:        Coronavirus Disease (COVID-19) CURE.zip
MD5:     534c585c20e1b23184f2130375ce500a
SHA1:    e0c77de771522382d7bfb14eef76c948156a86c2

File:        Coronavirus Disease (COVID-19) CURE.rar
MD5:     c00499a62e7b03f7ea5ce269351bbe40
SHA1:    8bf18554535e013ed27c1eb4f695a37ecb50524f

File:        Coronavirus Disease (COVID-19) CURE.exe
MD5:     8983fb4725e345acb1f8daf425a7abe7
SHA1:    129ee2d1d260ea67b4f820e126329004088bb3a8

Sample 4: Supplier-Face Mask

This email claims to be from a manufacturer of face masks that has “started mass production”, and that “demand exceeds supply”. The attachment “Face Mask Quote” contains an executable which is none other than Agent Tesla, a common and readily available keylogging and info-stealing RAT.

Agent Tesla likes to harvest credentials from browsers and other applications and exfiltrate that data via SMTP. To give you an idea of the kind of data that is captured, see the screenshot below:

IOCs

File:        Face Mask Quote.zip
MD5:     2fe1dc441bb92eb91abe0c6b6e94b1c9
SHA1:    58e8a9cc00d76802e02a7fac207d894d62d5e818

File:        Face Mask Quote.exe
MD5:     c5f220a7ac314a7570d827d4b72a1bfb
SHA1:    9649f2902f36e2708f4870bf4aa84c1b75e19aad

Sample 5: WHO Donate Now

Unlike the others, this email does not contain malware. Again it purports to be from the WHO, and merely asks you for bitcoins to support the cause. At the time of writing, this bitcoin wallet did not have any transactions against it, so hopefully, the campaign was a FAIL for the bad guys.

Sample 6: Covid -19 Temporary Suspension of Activities

This email, interestingly from ‘thewho.com’, is badly written and claims:

“Here enclosed official statement on the current situations Globally. See attached upon reviews and Temporary suspension of activities.”

The email has an HTML attachment (as opposed to an HTML message body), WHO-COVID-19 Updates.pdf.HTM, which contains PHP code that retrieves HTML content and crudely attempts to harvest email address and password credentials, in a completely untargeted way.

IOCs

File:        WHO-COVID-19 Updates .pdf.HTM
MD5:     6b919c935b78a946608fe03576a67abf
SHA1:    739f0cb4308fb9b2a03e19338f32b9cb506489e7

Sample 7: Transfer Copy

This email claims to be from a supplier in China that, due to Coronavirus, has had delays in releasing payments. The attachment ‘Trnasfer_copy.pdf.z’ is a RAR archive that contains an executable, which is Agent Tesla.

IOCs

File:        Trnasfer_copy.pdf.z (RAR archive)
MD5:     861a3c1efda0a3ae06a9f1fe5dec40ff
SHA1:    da32b1b853dcde26d3eb18d7e96505bfe9a7f9eb

File:        Trnasfer_copy.bat (PE File)
MD5:     ee9c5c7aba58d3f70e52dad1eaf14b61
SHA1:    a188bf4f4b4c3727163726cd5d9295fd56769766
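
Several of these attachments lie about what they are: a .gz that is really a RAR archive (Sample 2), a .pdf.z and a .bat that are a RAR archive and a PE file (Sample 7), and a .pdf.HTM that is plain HTML (Sample 6). The Python below is an added example, not Trustwave's or the SEG's code, of a gateway-style check that compares the declared extension with the content's leading bytes and flags double extensions; the attachment names are taken from the blog, but the bytes are constructed stand-ins, not the real samples.

```python
# Magic prefixes for the file types that appear in these samples.
MAGIC = [
    (b"Rar!\x1a\x07", "rar"),      # RAR 4.x and 5.x archives share this prefix
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"\x1f\x9d", "compress"),     # Unix .Z
    (b"MZ", "pe"),                 # Windows executable
    (b"\xd0\xcf\x11\xe0", "ole"),  # legacy .doc container
    (b"%PDF", "pdf"),
]
# What each extension claims the content to be.
EXT_TYPE = {".rar": "rar", ".zip": "zip", ".gz": "gzip", ".z": "compress",
            ".exe": "pe", ".bat": "script", ".cmd": "script", ".htm": "html",
            ".html": "html", ".pdf": "pdf", ".doc": "ole", ".docx": "zip"}
DOC_LIKE = {".pdf", ".doc", ".docx"}  # document extensions used to disguise a double extension
def sniff(data):
    """Identify content by its leading bytes rather than by its name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    head = data.lstrip()[:32].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html"
    return "unknown"
def assess(filename, data):
    """Return the reasons an attachment is suspicious; an empty list means none found."""
    exts = ["." + p for p in filename.lower().split(".")[1:]]
    claimed = EXT_TYPE.get(exts[-1], "unknown") if exts else "unknown"
    actual = sniff(data)
    reasons = []
    if any(e in DOC_LIKE for e in exts[:-1]):
        reasons.append("double extension " + "".join(exts))
    if "unknown" not in (claimed, actual) and claimed != actual:
        reasons.append(f"extension {exts[-1]} claims {claimed} but content is {actual}")
    if actual == "pe":
        reasons.append("executable content")
    return reasons

# Constructed samples: names from the blog, bytes are invented stand-ins.
SAMPLES = {
    "WORLD HEALTH ORGANIZATION_PDF.gz": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
    "Trnasfer_copy.pdf.z": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,
    "Trnasfer_copy.bat": b"MZ\x90\x00" + b"\x00" * 16,
    "WHO-COVID-19 Updates.pdf.HTM": b"<html><body><form></form></body></html>",
    "report.pdf": b"%PDF-1.7\n",
}

def assess_all():
    return {name: assess(name, data) for name, data in SAMPLES.items()}
```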

Conclusion

Cyber criminals increasingly use social engineering techniques like those in these phishing emails to trick victims into infecting themselves with malware. They piggyback on the “tried and true” techniques that have been used by “confidence men” since the dawn of time. Those techniques take advantage of elementary emotions like greed, curiosity, and in these cases, the very valid fear of COVID-19. Fear can make anyone impulsive, but in these times it’s more important than ever to combat, with facts, the misinformation that might pollute your inbox.

Trustwave Secure Email Gateway (SEG) can detect and block the email scams that are mentioned in this blog.