Threat Actors: exploiting the pandemic

Last Update: March 19th, 2020 at 11:26 UTC

Overview

Threat actors attempting to capitalize on current events, pandemics and global anxiety is nothing new, as was previously seen with malicious campaigns related to the 2019 climate strikes and demonstrations as well as the 2018 FIFA World Cup tournament.

By relying on basic social engineering – an attack technique that takes advantage of human traits such as curiosity, trust and greed in order to obtain confidential information or to have the victim perform a certain action – suffice it to say that certain threat actors (both criminal and nation state) are exploiting these unprecedented times for various nefarious ends.

Although we observe threat actors shifting tactics, we don’t necessarily observe an uptick in the number of attacks. Primarily, we observe existing threat actors leveraging the COVID-19 outbreak in their campaigns, e.g. by naming their spam documents with a variety of Coronavirus-themed lures or by registering new domains where the URLs contain COVID-19 specific words. Additionally, the branding of trusted organizations (for example the World Health Organization (WHO)) is abused to build credibility and trust, so that people will, for example, open malicious attachments or web pages.

With regard to malware distribution, NCC Group/Fox-IT – as well as the threat intelligence community in general – observed and disclosed a wide variety of campaigns that leveraged Coronavirus-themed lures to disseminate a variety of malware strains. Notable examples include (banking) trojans (TheTrick, Gozi-ISFB, Emotet, Grandoreiro), information stealers (LokiBot, Formbook, AZORult, HawkEye), loaders (GetandGoDLL) and commodity RATs such as NanoCore RAT and njRAT.

Below we have compiled additional quick insights, across a broad spectrum, on what is happening at a high level in the context of the growing COVID-19 pandemic:

  • Governments and criminals using Corona/Covid-19 as a lure in social engineering to get people to do what they want (e.g. phishing) which Dominic Beecher covered this week.
  • Governments gaining intelligence on Covid-19 infection/recovery rates from government departments through all sources including cyber offense (we have seen foreign health ministries targeted this week by suspected Chinese actors).
  • Governments and others pro-actively spreading false information for ‘fun’ or more deliberately orchestrated campaigns to seed fear, uncertainty and doubt as reported by Reuters yesterday.
  • Governments and criminals gaining a strategic foothold whilst the capacity/focus of cyber defense functions is reduced, for example through rapidly deployed and therefore not-as-secure-as-they-should-be remote access tooling.
  • Another important – and often overlooked – consideration for organisations around the world is how they will continue to function as COVID-19 continues to impact the traditional way of working. People are either forced to work remotely or are not able to work at all. Adding to that risk, people stuck at home looking for entertainment, distraction or work-related software might start downloading software, software cracks and games from peer-to-peer file sharing networks or social media platforms. Pirated software, software cracks and games are almost always bundled with some kind of malware.
  • Financial malware gangs involved in transactional fraud are increasingly focusing on countries that have imposed a national quarantine. TheTrick/Trickbot normally targets a wide variety of financial institutions worldwide; however, the operators recently removed the vast majority of targets from the configuration file and, as of this week, added solely Italian banks to the target list. Furthermore, we observed new C&C activity from a Gozi ISFB botnet that had been inactive for a while and which contains webinjects for Italian financial targets.
  • On a more positive note, several crime gangs involved in targeted ransomware activity against corporate networks have indicated that they will no longer target health and medical organizations during the COVID-19 pandemic, as reported by BleepingComputer.

Samples

Here are the samples NCC Group/Fox-IT have identified, along with suspected attribution.

Suspected APT36

b0ad4f3310261549c5a6cc13aadd8d7525c3cec9ef944c2b8762992360643b87

Suspected APT41

1527f7b9bdea7752f72ffcd8b0a97e9f05092fed2cb9909a463e5775e12bd2d6, which side-loads 28117939b8dfa14b2f58aebbc2902b57006dbf32561877526ef2ce518fb50306 using confax.exe, which is signed by Logitech.

APT41 attribution is based on the infection chain and on the attribution reported in this open source reporting –

Unknown

b3de75b1c1c273185dfc5f650556fb40b5b5d3be545d38cdb46585f93ee5c72e