Microsoft’s security experts have warned on Monday about several email malware delivery campaigns exploiting the COVID-19 pandemic targeting companies in the US and South Korea.
What they have in common is the ultimate delivery of the Remcos RAT (remote administration tool/Trojan), a piece of malware that allows hackers to have full control over the infected system, and the fact that the attached files have some atypical extensions.
In one campaign the attackers are impersonating the US Small Business Administration (SBA) and attempt to deliver a malicious IMG (disk image) attachment.
“The IMG file contains an executable file that uses a misleading PDF icon. When run, the executable file drops Remcos, which allows attackers to take control of affected machines,” the researchers noted.
In another one the attackers are impersonating CDC’s Health Alert Network (HAN) and carry malicious ISO (disk image) file attachments. In a third one they pose as the American Institute of Certified Public Accountants and deliver a ZIP archive containing the ISO file (carrying a malicious SCR file with a misleading PDF icon).
IBM X-Force researchers have also recently warned about a variety of fake US SBA emails carrying malicious IMG (disk image) and Universal Disk Format (UDF) image files leading to the Remcos RAT.
The US SBA is a good choice for malware peddlers to impersonate at this time.
“On March 27, 2020, $376 billion in relief payments for workers and small businesses was allocated via the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The US SBA and the Department of Treasury are the designated outlets for providing information and guidance on the implementation of the CARES programs, but with people looking out for their applications, these fake emails are evidence of malicious actors already exploiting reliance on digital updates, which many are expecting as they plan to receive the allocated federal aid,” IBM X-Force researchers pointed out.
The aforementioned campaigns are obviously targeting businesses but, according to Kaspersky Lab researchers, Remcos RAT and other malware peddlers have not forgotten about consumers.
To make it more likely the recipients will download and open a malicious attachment, they are impersonating package delivery services and saying that the recipient must read or confirm the information in an attached file in order to receive a package that’s come in.
Again, the malicious attachments come with some unusual file extensions such as ACE (archive file) and the more familiar RAR and ZIP (also archive files).
The device people use to communicate online – a smartphone, desktop, or tablet – can affect the extent to which they are willing to overshare intimate or personal information about themselves, according to the researchers from University of Pennsylvania.
Can you trust attachments? Be careful
Malware peddlers will try every emails and attachment combination and permutation they can think of to get past email security filters and get users to open those files.
Needless to say, everybody should always be wary of opening attachments and links in unsolicited emails – whether they have a familiar file extension or not.
If you really can’t resist the temptation or you aren’t sure about your ability to spot fake, malicious emails, you can always test the attached file before opening it. The VirusTotal analyzer is a popular, easy to use, and the most thorough option for checking files for malware, but there are others as well.
“Elite” hackers have tried – and failed – to breach computer systems and networks of the World Health Organization (WHO) earlier this month, Reuters reported on Monday.
In fact, since the start of the COVID-19 pandemic, the WHO has been fielding an increasing number of cyberattacks, as well as impersonation attempts.
About the attack
The attackers created a malicious site mimicking the WHO’s internal email system in an attempt to phish the agency staffers’ email credentials.
What the attackers were after and who they were is not known, although some sources suspect them to be the Darkhotel espionage crew, which has been active for nearly over decade and whose targets are usually high-profile individuals: executives in various sectors, including defense and energy, and government employees. (The sources did not say why they are inclined to point the finger at the Darkhotel threat actors.)
Costin Raiu, head of global research and analysis at Kaspersky, said that the malicious web infrastructure used in this attack had also been used to target other healthcare and humanitarian organizations in recent weeks.
Coronavirus researchers are being targeted
The Canadian Centre for Cyber Security has also been warning Canadian health organizations about cyber criminals and spies.
“[Sophisticated threat actors] may attempt to gain intelligence on COVID-19 response efforts and potential political responses to the crisis or to steal ongoing key research towards a vaccine or other medical remedies, or other topics of interest to the threat actor,” the federal agency noted.
“Cyber criminals may take advantage of the COVID-19 pandemic, using the increased pressure being placed on Canadian health organizations to extract ransom payments or mask other compromises.”
The agency advised healthcare organizations to be on the lookout for social engineering and spear-phishing attempts and that attackers could exploit critical vulnerabilities and/or compromised credentials.
They also urged all organizations to “become familiar with and practice their business continuity plans, including restoring files from back-ups and moving key business elements to a back-up infrastructure,” and have provided a list of critical vulnerabilities that should be patched and/or mitigated as soon as possible.
Healthcare organizations previously hit
Cybercriminals wielding ransomware have already hit some healthcare organizations involved in the fight against the COVID-19 virus.
While the latter managed to repel the attack and did not suffer downtime, the attackers published some of the medical data they stole. They later removed the leaked files.
Cyber criminals have been trying out a new approach for delivering malware: fake alerts about outdated security certificates, complete with an “Install (Recommended)” button pointing to the malware.
The malware peddlers behind this scheme are obviously counting on users not knowing exactly what a security certificate is and that they are not responsible for keeping it updated, as well as exploiting users’ desire to keep themselves safe online.
The malicious alerts have been spotted on a number of compromised and variously themed websites, and the earliest infections found date back to January 16, 2020, Kaspersky Lab researchers have shared.
The spoofed notifications are delivered in an overlaid iframe that loads the content from a third-party source. The fact that the browser’s address bar shows the compromised site’s URL even while showing the fake alert makes the warning seem legitimate.
Users who fall for the trick and click on the “Install (Recommended)” button are served with malware. In past attacks this was either the Buerak downloader Trojan or the Mokes backdoor, but any type of malware can be delivered in future campaigns.
A new twist on an old trick
Malware peddlers have been using fake alerts urging users to download a new version of specific, widely used software (e.g., Adobe Flash Player, Google Chrome) for years, but alerts about outdated security certificates are just a new twist on a very old trick.
Kaspersky’s warning also comes at a moment when users’ chance to see security-certificate-related alerts is higher than usual, as the Let’s Encrypt certificate authority started revoking millions of TLS/SSL certificates on Wednesday.