Attackers Taking Advantage of the COVID-19
Val Saengphaibul and Fred Gutierrez, Threat Analysts at FortiGuard Labs, a part of Fortinet® (NASDAQ: FTNT), a global leader in broad, integrated, and automated cybersecurity solutions has recently issued a special Threat Analysis Report. For the first quarter of 2020, coverage on the Coronavirus/COVID-19 outbreak has dominated the 24-hour global news cycle. Government leaders, scientists, and health professionals worldwide suggest that this is not merely an epidemic, but a potential pandemic crisis. As individuals worldwide fixate on this global health emergency, combining legitimate sources and news feeds with rampant rumors and amateur reports on social media, bad actors know that events like this are the perfect opportunity for exploitation.
And the easiest and fastest way to exploit a target, whether an individual or an organization, is through social engineering attacks. These attack vectors are the fastest to spin up, and have the highest rate of return. This is especially true as drive-by downloads become less common due to security vendors improving response times and security posture by the timely patching of vulnerabilities. And social engineering attacks are especially attractive because, regardless of whatever technological security measures in place, the human psyche is the weakest link in any security systems as it is the easiest to exploit.
Coronavirus-related Threat Activity
Over the past several weeks, FortiGuard Labs has been observing a significant increase in both legitimate and malicious activity surrounding the Coronavirus. We’ve seen benign emails containing documents with guidance from HR departments, to emails from distribution companies selling masks, gloves, and other protective equipment that at first appeared to contain suspicious links, but in fact have been benign as well.
And we and other threat researchers have documented malicious attacks leveraging the Coronavirus outbreak theme. Threat findings via OSINT channels have yielded multiple themes, such as those appearing to be reports from trusted sources, such as governmental agencies, news outlets, etc. but that were actually malicious. It is also important to note that we are likely only scratching the surface on observable attacks as this is a global outbreak, and most of our observations have been in English or languages utilizing ASCII (ISO-8859) characters.
The issue has now become so problematic that the World Health Organization (WHO) recently issued a statement on their website titled, Beware of criminals pretending to be WHO. The UN also recently added an advisory on the 29th of February as well reminding citizens to be vigilant of such scams.
First Wave of Attacks
As the news cycle continues to accelerate, there have been reports of ranging from phishing and SMS phishing attacks to a host of others too many to list in this blog. For the purpose of this blog, we are going to stick to the more well-known actors and their campaigns to highlight that even the professionals are getting in on the frenzy.
First reported at the end of January by various security vendors, Emotet was one of the first campaigns to have leveraged the Coronavirus scare to spread itself further. Other recent attacks discovered by security researcher @issuemakerslab include a malicious Word doc written in Korean by the threat actors behind BABYSHARK, (North Korea):
Another observation discovered by security researcher @RedDrip7 highlights an attack that uses social engineering techniques to masquerade as the Center for Public Health in Ukraine, along with impersonating the WHO trademark as a decoy to lure unsuspecting users into opening a malicious Word Doc file with a back door:
Attacks Targeting Italy
During the course of our investigations, we recently observed a Coronavirus-themed spear phishing attack targeting Italy. The email, written in Italian, tries to compel the reader into opening an attached document, which was observed to have several attachment names, but what all use the same nomenclature (f216785352XX.doc).
Name: f21678535239.doc
Size: 544266 bytes (531 KiB)
SHA256: 8EB57A3B520881B1F3FD0073491DA6C50B7284DD8E66099C172D80BA33A5032
Additional variant seen ITW:
Name: f21678535350.doc
Size: 544266 bytes (531 KiB)
SHA256: 3461B78384C000E3396589280A34D871C1DE3AE266334412202D4A6A85D02439
The letter suggests that Coronavirus cases in the reader’s region have been documented and that the reader should urgently open the attachment for further guidance. The contents of the Word document try to compel the user into enabling macros with an official Office looking template that uses the familiar Microsoft Word trade dress color of blue:
Once the reader opens the attachment, the file then connects to the following URI(s):
45.128.134.14
insiderppe.cloudapp.net
After further analysis, given the nomenclature of the files, techniques, and network IOC’s used in this campaign, it appears highly likely that it is the work of the actors behind Trickbot.
Another Campaign Using a Trusted Trademark
Another campaign that leverages the trusted FedEx trademark as a decoy to gain the trust of recipient so they will open an included attachment. The attachment appears to be a PDF, but it has been compressed. However, when decompressed we learn that the file is not a PDF, but an executable:
Name: Customer Advisory.PDF.exe
Size: 838144 bytes (818 KiB)
SHA256: 906EFF4AC2F5244A59CC5E318469F2894F8CED406F1E0E48E964F90D1FF9FD88
Once the user runs the executable file, they are infected with the Lokibot infostealer that exfiltrates data to the following URI:
kbfvzoboss.bid/alien/fre.php
Mitigation
FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine when vendor updates are available. If it is deemed that patching is not feasible, it is recommended that a risk assessment is conducted to determine additional mitigation safeguards within an environment.
In the meantime, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage their employees to never open attachments from someone they don’t know, and to always treat emails from unrecognized/untrusted senders with caution.
Initial Access Mitigation: FortiMail or other secure mail gateway solutions can be used to block specific file types such as the ones outlined in this blog. FortiMail can also be configured to send attachments to our FortiSandbox solution (ATP), either on-premises or in the cloud, to determine if a file displays malicious behavior. FortiGate firewalls with anti-virus enabled alongside a valid subscription are also able detect and block this threat if configured to do so.
Execution: Since it has been reported that this threat has been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization are made aware of the various types of attacks being delivered via social engineering. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by internal security departments within an organization. Simple user awareness training on how to spot emails with malicious attachments or links could stop initial access into the network.
Fortinet Solutions: If user awareness training fails and a user opens a malicious attachment or link, FortiClient running the latest this-to-date virus signatures will detect and block this file and associated files.