Business as usual: Criminal Activities in Times of a Global Pandemic
25 November 20, 08:23
Quote:
The beginning of 2020 has been appalling for most parts of the world being affected by Coronavirus disease 2019 (COVID-19). This brought about a change in the everyday life of every individual in every country striving to sustain their daily tasks while simultaneously preventing further infection. Given this situation, businesses and schools have opted to transition to a ‘virtual setting’ wherein a job can be done remotely and school discussion as well as office meetings can be held via conference calls using applications like Zoom, Skype or Microsoft Teams. There has been a surge in demand for platforms for video and audio conferencing, chat and webinar solutions.
This upheaval created opportunities for cybercriminals, as they exploit these situations in executing their malicious intents. This is not the first time that cybercriminals have taken advantage of current and significant events to lure more victims, as there were instances from past years that show how they utilize these happenings to spread malware. One example was the 2018 FIFA World Cup, wherein cybercriminals created a fake FIFA partner website to gain access to victims’ bank accounts and drop a malicious file onto the victim’s machine.
COVID-19 Related Phishing Emails
With the rise in numbers of people infected by COVID-19 all over the world, cybercriminals work their way to increase the number of spam emails and phishing links related to COVID-19 proliferating in the cyberworld as well. They even made their cyberattacks more diverse, in a way that they not only send spam emails with malicious attachments, but also created fake websites with fake COVID-19 related contents for victims to freely access, like coronavirus-map[.]com (the website is already unreachable at the time of writing). Some of these fake websites contain fake information regarding the current world statistics of COVID-19 cases.
These fake websites often contain malicious cryptomining related contents known as cryptojacking which can harm the user’s system by utilizing the system’s resources to earn digital money such as Bitcoin for the malicious actor’s gain without the user’s consent.
While some cybercriminals choose to explore new ways with their approach in pursuing their cybercrimes, some opt to carry on with the old ways like spam emails but with improved contents to make their attacks more successful.
Like the spam emails from the 2018 FIFA World Cup, cybercriminals use and abuse COVID-19 as the subject of the spam emails that they send out. It is noticeable in the following two sample emails, which use different contents and languages. It is one of the innovations that cybercriminals make to tailor their spam emails to their targets, which increases the chance of a successful attack.
The first email is geared towards English-speaking individuals, while the second email is aimed at anyone who can understand Italian. At first look, it may seem that these two emails are different, considering the language used, the subjects of the emails, and the content of their messages. But we can notice that both emails contain an attachment: List.arj (24 KB) and Newsletter della COVID-19 Organizzazione mondialle della sanita.zip (36 KB).
File attachments
The attachment to the first email is said to be a list of the victims of COVID-19. However, upon analyzing the file, it can easily be identified as an archive that contains an executable file, LIST.exe. This is already a red flag, as a file that claims to be a text file is an archive that contains an executable file. The attachment from the second email looks like a usual archive, but also contains an executable file.
Further analysis shows that the malicious executable files from the extracted archives are associated with a well-known malware family called GuLoader, which has existed since well before COVID-19. GuLoader is a known malware that downloads its payload from cloud services such as Google Drive and Microsoft Drives. It is then used to download a remote access trojan (RAT), a malicious program that includes a backdoor for administrative control over the target computer. In this case, considering that the files we analyzed came from two different emails with two distinct targets, the attachment files were identical, and both end up downloading a Parallax RAT.
Parallax RAT is being considered as the “new RAT on the block” which had its first appearance in December 2019. It is a type of RAT that can work across all versions of Windows OS, capable of bypassing detections, stealing credentials, and executing remote commands like grabbing keystrokes and screenshots. This is a new RAT being offered as a MaaS (Malware-as-a-Service) and it has become a favorite amongst malware criminals as it is being sold in the black market for as low as $65 with a promise of 99% reliability for the service it provides.
While checking our telemetry statistics for the past 6 months, covering 58,524 malware samples, we found that aside from Parallax, there are several other malware families that leverage COVID-19 related news to entice a large number of potential victims to open attachments from unknown sources. These malware families, most of which are RATs like Remcos, Nanocore, Netwire, Agent Tesla and other trojans, ranging from least destructive to most destructive, are unceasingly being distributed through various means like spam emails or as downloadable files from deceitful websites.
Typical malware during the pandemic
During the time of a global health crisis, RATs are the most commonly used tools found in malicious emails. Those RATs follow a distinct pattern. We have taken a closer look at some of the proponents.
Remcos
Remcos was first seen in the wild in the 2nd half of 2016, being promoted as a commercialized RAT at a price of $58 to $389. It was first used in spear phishing campaigns targeting Turkish organizations. Currently, it is being sold by a German company called ‘Breaking Security’ [2], and their website advertises it as a legitimate, powerful remote control and surveillance software that can be used to access computers anywhere around the world.
The current trend for Remcos malware campaigns involves malware authors leveraging new and trending news worldwide for their phishing emails. Those mails usually have a PDF attachment. Once opened, this PDF contains a Remcos RAT dropper which runs a VB Script, which in turn will execute the malware. To ensure persistence, a startup key is added to the registry.
Aliases:
Other reference lines used in previous campaigns:
- "Re: nCoV: Coronavirus outbreak and safety measures in your city (Urgent)"
- Small Business Grant/Testing Centre Vouchers
- SBA Grant/Testing Centre Vouchers
- SBA Payroll Protection Program Status
AGENT TESLA
AgentTesla was first seen in 2014 and during the pandemic has been used in attacks that target energy companies. This may have been one of the effects of the pandemic, where there is a low demand for oil. Before the pandemic, Agent Tesla was the preferred tool for attacks against the oil industry. Since Agent Tesla is also a commercial malware that can be bought on the Dark Web, it has a feature that allows you to monitor or customize the payload and monitor its targeted victims.
AgentTesla has been modified to be an advanced RAT that can also function as a keylogger and information stealer that can steal the victim’s Microsoft outlook credentials and other saved passwords in web browsers such as Google Chrome, Internet Explorer and Mozilla Firefox.
What sets AgentTesla apart from other RATs is its added feature of stealing WiFi profiles. Malware actors use this functionality to use WiFi as a mechanism to spread infection across different endpoints, as well as using it as a gateway for future attacks on the victim’s machine.
Aliases:
Other Email Subjects Used by AgentTesla RAT when sending Phishing Emails:
- URGENT INFORMATION LETTER: FIRST HUMAN COVID-19 VACCINE TEST/RESULT
- UPDATE Covid19″ Latest Tips to stay Immune to Virus!!
- “World Health Organization/Let’s fight Corona Virus together”
- "Attention: List of Companies Affected With Coronavirus March 02, 2020"
...
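As an added, defender-side illustration of the "archive that contains an executable" red flag the quoted article describes for the List.arj / LIST.exe and newsletter .zip attachments (example code written for this post, not taken from the article or any vendor tool): it checks an attachment's claimed extension against its magic bytes and looks inside ZIP archives for executables, including ones renamed to hide their type. It assumes ZIP rather than ARJ, since Python's standard library has no ARJ reader; the sample attachment is constructed in memory.

```python
import io
import zipfile
from pathlib import PurePosixPath

EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".com", ".pif", ".js", ".vbs", ".bat", ".ps1"}
ARCHIVE_EXTS = {".zip", ".arj", ".rar", ".7z", ".ace", ".iso"}
# Leading bytes of common container/executable formats (magic numbers)
MAGIC = {b"MZ": "pe-executable", b"PK\x03\x04": "zip-archive",
         b"\x60\xea": "arj-archive", b"Rar!": "rar-archive", b"%PDF": "pdf"}

def sniff(data: bytes) -> str:
    """Identify content by magic bytes, ignoring the file name entirely."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def attachment_red_flags(name: str, data: bytes) -> list[str]:
    """Return human-readable red flags for one email attachment (empty list = nothing found)."""
    flags = []
    ext = PurePosixPath(name).suffix.lower()
    kind = sniff(data)
    if ext in EXECUTABLE_EXTS or kind == "pe-executable":
        flags.append(f"{name}: executable attached directly")
    if ext not in ARCHIVE_EXTS and kind.endswith("-archive"):
        flags.append(f"{name}: archive content behind non-archive extension {ext or '(none)'}")
    if ext in ARCHIVE_EXTS and not kind.endswith("-archive"):
        flags.append(f"{name}: archive extension but content is {kind}")
    if kind == "zip-archive":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                mext = PurePosixPath(member.filename).suffix.lower()
                head = zf.open(member).read(4)  # sniff the member too, in case it was renamed
                if mext in EXECUTABLE_EXTS or sniff(head) == "pe-executable":
                    flags.append(f"{name}: archive contains executable {member.filename}")
    elif kind.endswith("-archive"):
        flags.append(f"{name}: {kind} not inspected here; extract in a sandbox and re-check")
    return flags

def build_sample_zip(inner_name: str, payload: bytes) -> bytes:
    """Constructed sample: a ZIP holding one member, standing in for the mail attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()

if __name__ == "__main__":
    # A stub 'LIST.exe' with only the MZ header, mirroring the article's LIST.exe inside List.arj
    sample = build_sample_zip("LIST.exe", b"MZ" + b"\x00" * 62)
    for flag in attachment_red_flags("List.zip", sample):
        print(flag)
```

Mail-gateway rules that only match file extensions miss the renamed case; sniffing the member bytes is what catches an executable stored as, say, list.txt.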