Back in February, we reported on two Coronavirus-themed phishing emails. But just as the real virus spreads rapidly around the world, so too have the scams. Cyber criminals, proving beyond doubt they’re utterly devoid of morals, have ramped up their activities, unashamedly using all manner of Coronavirus lures to trick people. We are now seeing dozens of different email campaigns per day. Below are samples collected from our systems that show some of what’s currently out there.

Sample 1: Coronavirus: Informazioni vital su precauzioni

This email is in Italian, directed at a country worst hit by the virus so far.

The Google translation is roughly as follows:

Important information on precautions

Dear Sir / Madam, Due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message!

Best regards

The attachment is a DOCX Word document “f21203392637.doc” which contains a macro, which when executed leads to malware being dropped onto the system, firstly C:\MyImages\presskey.cmd, which is a simple loader for C:\MyImages\presskey.jse. This malware is known as OSTAP and functions to download the infamous Trickbot, a modular information stealer.


File:        f21203392637.doc
MD5:     27364e982d6e312cabc4761146c6232a
SHA1:    9569fd971a91da00697df887d1b5ca2054c9f7bc

File:        presskey.jse
MD5:     c2b60205f820384deb77b031cbd9bbc3
SHA1:    63e853ed3a6332cbbb2e105d23e3b6be2452de1d

File:        presskey.cmd
MD5:     7d71ae4c172bf8b3066c695d933293de
SHA1:    04f1cfcd27dfbce7e0ba60c10099e1d6fb4c88e7


This email, purporting to be from the World Health Organization, urges users to check the attachment for “health and preparedness steps”. The attachment is a RAR archive, containing an executable which is Hawkeye, a keylogger and information stealer.

MD5:     78faa018586fdf4687514b612948d5a2
SHA1:    506c5f70924d1e4402b520efe47fcea26b8b6c59

MD5:     34605433544389bfeaf0e04aa02d9bd8
SHA1:    417553ee661efb459276135ba8be80dbbbed2466

Sample 3: Coronavirus illness (COVID-19) outbreak prevention and remedy replace.

Another sample purporting to be from the WHO, which states it has information on “widespread medicine to take for prevention and quick remedy”. Of course, there are attachments to view, both of which are archives, a RAR and a ZIP, and both contain an executable, which is also Hawkeye.

FILE:       Coronavirus Illness (COVID-19)
MD5:     534c585c20e1b23184f2130375ce500a
SHA1:    e0c77de771522382d7bfb14eef76c948156a86c2

FILE:       Coronavirus Illness (COVID-19) CURE.rar
MD5:     c00499a62e7b03f7ea5ce269351bbe40
SHA1:    8bf18554535e013ed27c1eb4f695a37ecb50524f

FILE:       Coronavirus Illness (COVID-19) CURE.exe
MD5:     8983fb4725e345acb1f8daf425a7abe7
SHA1:    129ee2d1d260ea67b4f820e126329004088bb3a8

Sample 4: Provider-Face Masks

This email claims to be from a manufacturer of face masks that has “began mass manufacturing”, and that “demand exceeds supply”. The attachment “Face Masks Quote” contains an executable which is none other than Agent Tesla, a common and available keylogging and info-stealing RAT.

Agent Tesla likes to harvest credentials from browsers and other applications and exfiltrate that data via SMTP. To give you an idea of the kind of data that’s captured, see the screenshot below:

File:        Face Masks
MD5:     2fe1dc441bb92eb91abe0c6b6e94b1c9
SHA1:    58e8a9cc00d76802e02a7fac207d894d62d5e818

File:        Face Masks Quote.exe
MD5:     c5f220a7ac314a7570d827d4b72a1bfb
SHA1:    9649f2902f36e2708f4870bf4aa84c1b75e19aad

Sample 5: WHO Donate Now

Unlike the others, this email doesn’t contain malware. Again it purports to be from the WHO, and simply asks you for bitcoins to help the cause. At the time of writing, this bitcoin wallet didn’t have any transactions against it, so hopefully, the campaign was a FAIL for the bad guys.

Sample 6: Covid -19 Non permanent Suspension of Actions

This email, apparently from ‘’ is badly written and claims:

“Right here enclosed official assertion on the present conditions Globally. See connected upon critiques and Non permanent suspension of actions.”

The email has an HTML attachment (as opposed to the HTML message body) WHO-COVID-19 Updates.pdf.HTM which contains php code that retrieves HTML content and crudely attempts to harvest email address and password credentials – in a completely untargeted way.

FILE:       WHO-COVID-19 Updates .pdf.HTM
MD5:     6b919c935b78a946608fe03576a67abf
SHA1:    739f0cb4308fb9b2a03e19338f32b9cb506489e7

Sample 7: Transfer Copy

This email claims to be from a supplier in China that, due to Coronavirus, has had delays in releasing funds. The attachment ‘Trnasfer_copy.pdf.z’ is a RAR archive that contains an executable, that is Agent Tesla.

COVID-19 Ramps of Malspam Activity


File:        Trnasfer_copy.pdf.z  (RAR archive)
MD5:     861a3c1efda0a3ae06a9f1fe5dec40ff
SHA1:    da32b1b853dcde26d3eb18d7e96505bfe9a7f9eb

File:        Trnasfer_copy.bat (PE File)
MD5:     ee9c5c7aba58d3f70e52dad1eaf14b61
SHA1:    a188bf4f4b4c3727163726cd5d9295fd56769766
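
Several attachments above hide their real type behind the file name: a DOCX saved as .doc, a RAR archive named .pdf.z, a PE file named .bat, and an HTML page named .pdf.HTM. The following added example (not from the original article) sketches a gateway-style check that compares each extension with the file's leading bytes; the function names, finding labels, decoy-extension list and sample bytes are assumptions constructed for illustration.

```python
import os

# Leading magic bytes for the file types named in the samples above.
MAGIC = [
    (b"Rar!\x1a\x07", "rar"),
    (b"PK\x03\x04", "zip"),  # ZIP, and therefore DOCX/OOXML
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy binary .doc
    (b"MZ", "pe"),
    (b"%PDF-", "pdf"),
    (b"\x1f\x9d", "compress"),  # Unix compress (.Z)
]
# Content each extension should carry; anything else is a mismatch.
EXPECTED = {".doc": "ole2", ".docx": "zip", ".pdf": "pdf", ".rar": "rar",
            ".zip": "zip", ".exe": "pe", ".z": "compress",
            ".bat": "text", ".cmd": "text", ".htm": "text", ".html": "text"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}

def sniff(head: bytes) -> str:
    """Classify a file by its first bytes rather than by its name."""
    for sig, kind in MAGIC:
        if head.startswith(sig):
            return kind
    printable = all(32 <= b < 127 or b in (9, 10, 13) for b in head[:64])
    return "text" if head and printable else "unknown"

def triage(filename: str, head: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing flagged."""
    findings = []
    stem, ext = os.path.splitext(filename.strip().lower())
    inner = os.path.splitext(stem.strip())[1]
    if inner in DECOY_EXTS and ext != inner:
        findings.append(f"double-extension:{inner}{ext}")
    kind = sniff(head)
    if ext in EXPECTED and kind != EXPECTED[ext]:
        findings.append(f"type-mismatch:{ext} holds {kind}")
    if ext in (".htm", ".html") and b'type="password"' in head.lower():
        findings.append("html-attachment-password-form")
    return findings

# File names are from the article; the bytes are constructed stand-ins
# (magic header only), not the real samples.
SAMPLES = [
    ("f21203392637.doc", b"PK\x03\x04\x14\x00"),
    ("Trnasfer_copy.pdf.z", b"Rar!\x1a\x07\x00"),
    ("Trnasfer_copy.bat", b"MZ\x90\x00"),
    ("WHO-COVID-19 Updates.pdf.HTM", b'<html><form><input type="password"></form>'),
    ("invoice.pdf", b"%PDF-1.7\n"),  # constructed benign control
]
REPORT = {name: triage(name, head) for name, head in SAMPLES}
print("\n".join(f"{n}: {f or 'clean'}" for n, f in REPORT.items()))
```
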


Cyber criminals increasingly use social engineering techniques like those in these phishing emails to trick victims into infecting themselves with malware. They piggyback on the “tried and true” techniques that have been used by “confidence men” since the dawn of time. These techniques take advantage of fundamental emotions like greed, curiosity, and in these cases, the very valid fear of COVID-19. Fear can make anyone impulsive, but in these times it’s more important than ever to combat the misinformation that may pollute your inbox with facts.

Trustwave Secure Email Gateway (SEG) can detect and block the email scams that are mentioned in this blog.