Monday, March 30, 2020

Malware threats from COVID-19

Sup y'all. I apologize if I'm breaking rules posting this, but I think it's super important that as many people see this information as possible.

CrowdStrike sends out a weekly report about threats they've detected/analyzed. There has been a ton of malware and websites circulating that are taking advantage of the COVID-19 pandemic. Some of the files attached in emails have names like "COVID-19 vaccine" or "COVID-19 treatment", etc. that would easily bait someone into opening them. Especially when the source is posing as the friggen World Health Organization.

Malware is malware and it'll never go away; it's one of the many hazards of being a live human. But man this is a new level of low. The fact that people would take advantage of the public's fear like this is disgusting.

Here's what was in the report:

Identified eCrime Campaigns Capitalizing on the COVID-19 Pandemic

eCrime actors continue to use social engineering techniques and malicious documents referring to the Coronavirus Disease 2019 (COVID-19). This week, CrowdStrike Intelligence observed the following notable threats using COVID-19 themes.

  • On 20 March 2020, CrowdStrike Intelligence identified scam emails spoofing the World Health Organization (WHO) with requests for financial donations to the COVID-19 Solidarity Relief Fund (CSA-200379). The emails copy legitimate communications from the WHO regarding the fund, but list an adversary-controlled Bitcoin (BTC) wallet address for payment.
  • A malicious website (corona-virus-map[.]net) posing as a COVID-19 map was identified dropping SCULLY SPIDER’s DanaBot banking trojan (CSIT-19173). The webinject primarily targeted U.S.-based financial institutions (CSA-200382).
  • On 23 March 2020, CrowdStrike Intelligence obtained a phishing message impersonating a U.S. government agency and using the subject line COVID-19 - nCoV - Special Update - WHO. The message contained an attachment named covid-19 - ncov - special update.doc. When opened, this file exploits a vulnerability in Microsoft Equation Editor, and subsequently issues a GET request to download a file located at http[:]//getegroup[.]com/file.exe. This led to a WarZone remote access tool (RAT) sample, with the SHA256 hash d340edceb10f4986da886264470c85e7e17dc74a76eb7d100c22b9527e32f1a3. This malware uses phantom101.duckdns[.]org for command and control (C2). WarZone is a commercially available RAT commonly used by cybercriminals.
  • An HM Revenue and Customs (HMRC) phishing kit is being used to target UK-based victims with a lure referencing COVID-19 relief funds (CSA-200384). SMS messages contained an embedded URL directing the user to a phishing page impersonating the HMRC website. Analysis confirms the phishing kit was previously associated with HMRC tax refund scams.
  • On 23 March 2020, public reporting attributed Netwalker ransomware (a.k.a. KazKavKovKiz, Mailto, Mailto2 and KoKo) to a campaign targeting Spain-based hospitals (CSA-200385). The adversaries reportedly used COVID-19 lures in the malspam emails, which were sent to “mainly workers and health agencies”.
  • On 23 March 2020, a COVID-19 themed DNS hijacking campaign was identified which reportedly attempted to trick users into downloading Oski Stealer (CSIT-20035). By altering the DNS settings for D-Link and Linksys routers, users are directed to an actor-controlled site that claims the WHO has released a COVID-19 information application (CSA-200393).
  • Compromised versions of an Android application called SM_Covid19 are being distributed to unsuspecting users (CSA-200399). The hijacked versions allow for the download and execution of additional malicious code on a user’s device. The app was developed by an Italy-based company to assist with applying social distancing protocols during the COVID-19 pandemic.
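The bullets above write network indicators in defanged form (corona-virus-map[.]net, http[:]//getegroup[.]com/file.exe) so they cannot be clicked by accident. Before those indicators can be matched against proxy logs or loaded into a blocklist they have to be pulled out of the prose and refanged. The following Python is an added example written for this post; it is not CrowdStrike's tooling or anything from the report. The SAMPLE_REPORT text is a constructed excerpt that mirrors the bullets, and the regular expressions assume the two defanging conventions shown on the page ([.] for dots, [:] for the scheme colon) plus the common hxxp:// variant.

```python
import re

# Constructed excerpt that mirrors the defanged notation used in the bullets above
# (sample input for this example, not a live feed).
SAMPLE_REPORT = """
A malicious website (corona-virus-map[.]net) posing as a COVID-19 map was identified.
When opened, this file issues a GET request to download a file located at
http[:]//getegroup[.]com/file.exe. This led to a WarZone RAT sample, with the SHA256
hash d340edceb10f4986da886264470c85e7e17dc74a76eb7d100c22b9527e32f1a3.
This malware uses phantom101.duckdns[.]org for command and control (C2).
"""

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Defanged URL: scheme written as http[:]// or hxxp://, then everything up to whitespace.
URL_RE = re.compile(r"\b(?:https?\[:\]//|hxxps?://)[^\s\"'<>]+", re.IGNORECASE)
# Defanged domain: one or more labels where the last separator is written as [.].
DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9-]+(?:\.|\[\.\]))*[a-z0-9-]+\[\.\][a-z]{2,}\b", re.IGNORECASE
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form for matching in logs or blocklists."""
    out = indicator.replace("[.]", ".").replace("[:]", ":")
    out = re.sub(r"^hxxp", "http", out, flags=re.IGNORECASE)
    # The URL regex may sweep up the full stop that ends the sentence; drop it.
    return out.rstrip(".,;:)")


def defang(indicator: str) -> str:
    """Inverse of refang, for pasting indicators into tickets or chat without live links."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def extract_iocs(text: str) -> dict:
    """Return de-duplicated, refanged indicators grouped by type."""
    urls = {refang(m) for m in URL_RE.findall(text)}
    domains = {refang(m).lower() for m in DOMAIN_RE.findall(text)}
    hashes = {m.lower() for m in SHA256_RE.findall(text)}
    return {"url": sorted(urls), "domain": sorted(domains), "sha256": sorted(hashes)}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        for value in values:
            print(f"{kind:7} {value}   (share as: {defang(value)})")
```

Plain domains that are not defanged (file.exe, covid-19 map) are deliberately ignored, because in report prose an undefanged dotted token is far more often a filename or abbreviation than an indicator; anything the analyst meant as an indicator will have been written with [.].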

Many other commodity eCrime threats continue to use COVID-19 themes. The following table (Table 1) provides an overview of other significant criminal malware from the past week that referenced COVID-19 in malicious filenames.

MALWARE FAMILY    FILENAME
Agent Tesla       ● Aviso geral de horário de trabalho no COVID-19.exe
                  ● FYR_COVID-19.exe
                  ● CORONA_TREATMENT.pdf.exe
                  ● CORONA_TREATMENT.exe
                  ● CORONA_TREATMENT.pdf.rar
                  ● download-new vaccines-covid-19-report-safety1.xlxs.exe
                  ● covid19-update.iso
                  ● covid19 vaccines and drugs.exe
                  ● [US-based company] customer letter COVID-19 update-23mar20.doc
                  ● covid-19instruction.rar
                  ● 2020-03-25 covid-19 client communication_vf.pdf.gz
                  ● COVID-19 VACCINE.Xlxs.exe
                  ● COVID-19 VACCINE.Xlxs.iso
                  ● Vital Preventive drugs.exe
                  ● Covid-19-UPDATE-9000986666.exe
LokiBot           ● Covid-19_update_pdf.exe
                  ● COVID-19_UPDATE.jpg.lnk
WarZone           ● COVID-19 - nCoV - Special Update.doc
FormBook          ● covid-19.doc
HawkEye Reborn    ● Coronavirus Disease (COVID-19) CURE.zip
                  ● covid 19 information.exe
Remcos RAT        ● CoronaVirusSafetyMeasures_pdf.exe
Mirai             ● covid.x86
NanoCore          ● coronavirus info.exe

Table 1. Significant Recent COVID-19 / Coronavirus-Themed eCrime Malware
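Almost every filename in Table 1 relies on the same two tricks: a pandemic keyword to get the click, and either a double extension (.pdf.exe, .jpg.lnk, .Xlxs.exe) or a container format (.iso, .rar, .gz) to hide what actually runs. Those patterns are cheap to check at the mail gateway or in attachment logs. The following Python is an added example for this post, not code from the report or from CrowdStrike; the extension sets and lure words are this example's own choices, and the filenames it runs over are taken from the table plus one constructed benign name.

```python
# Extensions that execute directly when double-clicked on Windows.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}
# Container formats used to carry an executable past gateway scanning.
CONTAINER_EXT = {"iso", "img", "rar", "zip", "gz", "7z"}
# Extensions that read as harmless documents or images to a hurried user.
# "xlxs" is the misspelt spreadsheet extension that appears in Table 1 above.
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "xlxs", "jpg", "png", "txt"}
LURE_WORDS = ("covid", "corona", "ncov", "vaccine", "cure", "treatment")


def extensions(filename: str) -> list:
    """All dot-separated suffixes of the base name, lower-cased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    base = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def assess(filename: str) -> dict:
    """Score one attachment name. The lure word alone is not enough to flag a file;
    an executable or container attachment is flagged regardless of the lure."""
    reasons = []
    if any(word in filename.lower() for word in LURE_WORDS):
        reasons.append("covid-lure-name")
    exts = extensions(filename)
    if exts:
        final, inner = exts[-1], exts[:-1]
        kind = ("executable" if final in EXECUTABLE_EXT
                else "container" if final in CONTAINER_EXT else None)
        if kind:
            reasons.append(f"{kind}:{final}")
            # A decoy extension in front of the real one is the classic disguise.
            if any(e in DECOY_EXT for e in inner):
                reasons.append("double-extension-disguise")
    suspicious = any(not r.startswith("covid-lure") for r in reasons)
    return {"filename": filename, "reasons": reasons, "suspicious": suspicious}


def triage(filenames: list) -> list:
    """Return only the names worth a human look, most reasons first."""
    flagged = [assess(name) for name in filenames]
    flagged = [f for f in flagged if f["suspicious"]]
    return sorted(flagged, key=lambda f: -len(f["reasons"]))


# Names from Table 1 plus one constructed benign attachment for contrast.
SAMPLE_NAMES = [
    "CORONA_TREATMENT.pdf.exe",
    "COVID-19_UPDATE.jpg.lnk",
    "covid19-update.iso",
    "2020-03-25 covid-19 client communication_vf.pdf.gz",
    "covid.x86",
    "COVID-19 - nCoV - Special Update.doc",
    "Q1 planning.docx",  # constructed benign name
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_NAMES):
        print(f"{hit['filename']!r}: {', '.join(hit['reasons'])}")
```

Note what this does not catch: the WarZone and FormBook lures are plain .doc files, and the Mirai sample is an ELF with an unfamiliar suffix. Name heuristics raise priority; they do not replace detonation or content inspection of Office documents.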

Big Game Hunting Actors DOPPEL SPIDER and INDRIK SPIDER Remain Active

This week, CrowdStrike Intelligence has identified new DoppelPaymer campaigns from DOPPEL SPIDER, as well as new victim data entries on the actor’s leak site (CSA-200257). The criminal actor has deployed and seemingly successfully infected victims in multiple sectors; details of observed victims for March 2020 are provided in Table 2.

VICTIM SECTOR                CURRENT RANSOM DEMAND
U.S.-based Aviation          205 BTC
U.S.-based Legal             12 BTC
U.S.-based Technology        54 BTC
U.S.-based Retail            25 BTC
UK-based Manufacturing       100 BTC
U.S.-based Manufacturing     210 BTC
France-based Academic        175 BTC
China-based Manufacturing    165 BTC
U.S.-based Tourism           110 BTC

Table 2. DoppelPaymer Victims and Demanded Ransoms for March 2020

Additionally, CrowdStrike Intelligence has observed Dridex distribution campaigns from INDRIK SPIDER, with the criminal actor using shipping- and voicemail-themed lures (CSA-200403). These campaigns confirm that INDRIK SPIDER remains active and continues to distribute Dridex, likely as a precursor to BitPaymer operations.

RDP-Enabled Dharma/Phobos Ransomware Campaigns Continue; Common Dharma Samples Identified at Several Victims

The global COVID-19 pandemic has not affected the pace of Dharma and Phobos ransomware campaigns, which indiscriminately target victims worldwide. Adversaries continue to use brute force or password spraying against SMB/RDP to gain initial access. These actors deploy a variety of free tools to terminate security products, obtain credentials, and move laterally before deploying Dharma or Phobos. While the previously reported utilities PowerTool, PCHunter, Process Hacker, and Defender Control remain in use, in one atypical incident an actor wrote to disk the free uninstallers published by two antivirus companies for their respective software. In the case of two victims, the actor used the command WEVTUTIL CL to clear a variety of Windows Event logs in an attempt to mask activity.

Notably, CrowdStrike Falcon OverWatch identified two identical Dharma samples across several different victims. These victims spanned the technology, non-profit, and government sectors in North America and the Middle East. Following are SHA256 hashes of these Dharma samples:

  • e876a27c5d3c0a66c22e411a7917525c00742ac0cbcad712d3bade4903d21fb7
  • a2d345db330f4d7b4278f3b83ef180581ae422b868b21d8249836f6b99606080

Although not common, Dharma samples are periodically reused across multiple victims. Consequently, it is probable all incidents share a common Dharma vendor or source, although not necessarily a common operator.
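The Dharma/Phobos chain described above leaves three observable traces before any file is encrypted: many failed logons from one source against many accounts (password spraying), the named tamper utilities being launched, and WEVTUTIL CL clearing event logs. The following Python is an added example for this post, not a CrowdStrike rule or anything from the report. It runs those three checks over SAMPLE_EVENTS, a constructed list of simplified Windows security events (4625 failed logon, 4688 process creation) whose field names are this example's own rather than any particular SIEM's schema; the tool name list is simply the product names from the paragraph above.

```python
import re
from collections import defaultdict

# Constructed events in a simplified shape; field names belong to this example,
# not to Windows or any SIEM. 4625 = failed logon, 4688 = process creation.
SAMPLE_EVENTS = [
    {"id": 4625, "host": "fs01", "src_ip": "203.0.113.7", "account": "administrator"},
    {"id": 4625, "host": "fs01", "src_ip": "203.0.113.7", "account": "admin"},
    {"id": 4625, "host": "fs01", "src_ip": "203.0.113.7", "account": "backup"},
    {"id": 4625, "host": "fs01", "src_ip": "203.0.113.7", "account": "svc_sql"},
    {"id": 4625, "host": "fs01", "src_ip": "203.0.113.7", "account": "jsmith"},
    {"id": 4625, "host": "fs01", "src_ip": "192.0.2.20", "account": "jsmith"},
    {"id": 4625, "host": "fs01", "src_ip": "192.0.2.20", "account": "jsmith"},
    {"id": 4688, "host": "fs01", "user": "FS01\\administrator",
     "cmdline": "C:\\Users\\administrator\\Downloads\\PowerTool64.exe"},
    {"id": 4688, "host": "fs01", "user": "FS01\\administrator",
     "cmdline": "WEVTUTIL CL Security"},
    {"id": 4688, "host": "fs01", "user": "FS01\\administrator",
     "cmdline": "\"C:\\Windows\\System32\\wevtutil.exe\" clear-log System"},
    {"id": 4688, "host": "fs01", "user": "FS01\\jsmith",
     "cmdline": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\""},
]

# wevtutil's "cl" and its long form "clear-log", with optional .exe and quoting.
LOG_CLEAR_RE = re.compile(r"\bwevtutil(?:\.exe)?[\s\"']+(?:cl|clear-log)\b", re.IGNORECASE)

# Product names from the report, squashed to alphanumerics so spacing and casing in the
# image name do not matter. Name matching is weak (binaries get renamed); in production
# pair it with hash or code-signer checks.
TAMPER_TOOLS = ("powertool", "pchunter", "processhacker", "defendercontrol")


def is_log_clear(cmdline: str) -> bool:
    return bool(LOG_CLEAR_RE.search(cmdline))


def tamper_tool(cmdline: str):
    squashed = re.sub(r"[^a-z0-9]", "", cmdline.lower())
    for tool in TAMPER_TOOLS:
        if tool in squashed:
            return tool
    return None


def spray_sources(events: list, min_accounts: int = 5) -> dict:
    """Sources whose failed logons span at least min_accounts distinct accounts."""
    accounts = defaultdict(set)
    for e in events:
        if e["id"] == 4625:
            accounts[e["src_ip"]].add(e["account"].lower())
    return {ip: sorted(a) for ip, a in accounts.items() if len(a) >= min_accounts}


def analyze(events: list) -> list:
    findings = []
    for e in events:
        if e["id"] != 4688:
            continue
        if is_log_clear(e["cmdline"]):
            findings.append({"rule": "event-log-cleared", "host": e["host"],
                             "user": e["user"], "evidence": e["cmdline"]})
        tool = tamper_tool(e["cmdline"])
        if tool:
            findings.append({"rule": "av-tamper-tool", "host": e["host"],
                             "user": e["user"], "evidence": f"{tool}: {e['cmdline']}"})
    for ip, accts in spray_sources(events).items():
        findings.append({"rule": "password-spray", "host": None, "user": None,
                         "evidence": f"{ip} tried {len(accts)} accounts: {', '.join(accts)}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['evidence']}")
```

Two practical caveats: 4688 only carries the command line if process command-line auditing is enabled, so the log-clear check is blind on hosts with default auditing; and because the point of WEVTUTIL CL is to destroy local evidence, these events are only useful once they have been forwarded off the host.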

  Edit: formatting.
