This post is also available in: 日本語 (Japanese)
When people ask me what Unit 42 does, the most concise answer I can normally give is “we research bad guys doing bad things.” With the onset of the COVID-19 pandemic spreading around the world, many of us have had to adapt our lives to accommodate the new reality. Bad guys are no different. They’ve also adapted and are taking advantage of this pandemic to launch cyber attacks.
The biggest opportunity for cyber attackers with this outbreak has nothing to do with technology, but with how humans change their behavior and patterns in response to the crisis.
The purpose of this report is not to contribute to the fear and anxiety many of us are already experiencing, but to help you be informed about what is happening and how to protect yourself and your organization. We will update this blog as new information comes to light.
Phishing/Malware Distribution using COVID-19 Themes
As with other high-profile events, attackers are taking advantage of the high amount of attention paid to COVID-19 to lure victims into opening attachments on malicious emails and click on phishing links. This is not a single attack or event campaign, but a widespread use of virus related themes. We’ve identified malicious emails using subjects containing COVID-19 and related keywords carrying Remote Administration Tools (RATs) like NetWire, NanoCore, and LokiBot.
Example email subjects include:
- CORONAVIRUS (COVID-19) UPDATE // BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MARCH 2020.
- Latest corona-virus updates
- UNICEF COVID-19 TIPS APP
- POEA HEALTH ADVISORY re-2020 Novel Corona Virus.
- WARNING! CORONA VIRUS
Example file attachment names include:
- AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe
- Coronavirus COVID-19 upadte.xlsx
- CORONA VIRUS1.uue
- CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm
Neither of these lists is exhaustive and new variants on these themes will quickly emerge.
We’ve also identified malicious emails using subjects containing COVID-19 and related keywords to deliver ransomware (e.g. EDA2) and info stealer malware (e.g. AgentTesla) in attacks across various industries. Target industries include, but are not limited to, government healthcare organization, medical research universities, industrial manufacturing firms, and research institutes.
Example email subject lines include:
- Coronavirus disease
Example file attachment names include:
- COVID-19 Supplier Notice/COVID-19 Supplier Notice.jpg.exe
- Corporate advisory CoronaVirus (Covid-19)/Corporate advisory Co
Expect these attacks to continue in the coming weeks and months. As the news evolves, the attackers will adapt. We simultaneously see the same attacks using common themes related to tax filing, invoices, and shipping orders.
As people seek out information about COVID-19, how it is impacting them, and how they can stay safe, many are looking to their smartphone for help. There have already been multiple cases reported of malicious Android applications that claim to offer information about the virus. These allow the attacker to spy on you through your devices, or encrypt your device and hold it for ransom.
As always, Android users should not install applications from untrusted sources (stick to the Google Play store) and iPhone users should not jailbreak their phones and install apps from third-party sources (stick to the App Store).
COVID-19 Themed Domain Names
In the past few weeks, thousands (in fact over 100,000) of domains have been registered containing terms like “covid,” “virus”, and “corona.”
We’ve identified 116,357 newly registered domains with coronavirus-related names between January 1 and March 31. Out of these, 2,022 are classified as “malicious” and more than 40,000 are considered “high-risk”. Additionally, from February 1 to March 31, we witnessed a 569% growth in malicious domain registrations, preying on consumers with some of the following tactics:
- Fake webshops: Scam websites that offered high-demand items like face masks or hand sanitizers for a discounted price.
- Credit card skimmers: Scripts on other malicious stores that sell pandemic-relevant goods to steal credit card information.
- Fake ebooks: Domains set up to prey into consumer fear and coerce them into buying COVID-19 ebooks by playing a video about the scariest situations and events related to the pandemic.
- Illicit pharmacies: Unlicensed and leverage compromised websites that use domain names suggesting they sell remedies for COVID-19 when they actually advertise Viagra and other drugs unrelated to the virus.
Not all newly registered coronavirus-related domains will be malicious, but all of them should be treated as suspect. Whether they claim to have information, a testing kit, or a cure, the fact that the website didn’t exist until the pandemic became news should make you very skeptical of their validity.
Between March 24, 2020 at 18:25 UTC and March 26 at 11:54 UTC, Unit 42 observed several malicious emails sent from the spoofed address noreply@who[.]int (actual sender IP address at the time of the attack was 176.223.133[.]91) to several individuals associated with a Canadian government health organization actively engaged in COVID-19 response efforts, and a Canadian university conducting COVID-19 research. The emails all contained a malicious Rich Text Format (RTF) phishing lure with the file name 20200323-sitrep-63-covid-19.doc, (SHA256: 62d38f19e67013ce7b2a84cb17362c77e2f13134ee3f8743cbadde818483e617). When opened with a vulnerable application, it attempts to deliver EDA2, an open-source ransomware variant associated with a larger, parent ransomware family called HiddenTear. This ransomware payload, when opened with a vulnerable application, attempts to deliver the ransomware payload using a known shared Microsoft component vulnerability, CVE-2012-0158.
Malspam actors are also taking advantage of the ongoing COVID-19 pandemic crisis, as we found malware droppers distributed to a number of our customers within the healthcare, pharmaceutical and government industries (among others). These phishing emails attempted to deliver variants of the AgentTesla malware family, which is an info-stealing malware that’s been around since 2014.
Attackers were also found hosting a RedLine Stealer sample at the URL covid-19-gov[.]com within a ZIP file. When the contents of the ZIP file are extracted, the RedLine Stealer binary was revealed to have the filename Covid-Locator.exe.
How We’re Protecting You
In general, the best practices we recommend are still the right way to keep your organization and your network protected from these threats. Our products and services are just as capable at preventing threats using COVID-19 related themes as they are for other messages that track users into clicking links and opening attachments. Consider taking the following actions to ensure you are taking advantage of our protection:
- Run a Best Practice Assessment to identify where your configuration could be altered to improve your security posture.
- Use PAN-DB URL Filtering to block the “Newly-Registered Domains”, which contains domains registered in the last 32 days. While these may not all be malicious, it could prevent your users from succumbing to scams.
This post was last updated on April 27 to reflect the latest campaigns and scams that Unit 42 researchers have detected and stopped. We will continue updating this blog as new information related to this threat comes to light.
To see how Palo Alto Networks can protect against threats during your remote operations, visit our Secure Remote Workforce page for resources and product solutions.