Back in February, we reported on two Coronavirus-themed phishing emails. However, just as the real virus spreads quickly around the world, so too have the scams. Cyber criminals, proving beyond doubt that they are completely devoid of morals, have ramped up their activities, unashamedly using all manner of Coronavirus lures to trick people. We are now seeing dozens of different email campaigns per day. Below are samples collected from our systems that show some of what is currently out there.
Sample 1: Coronavirus: Informazioni importanti su precauzioni
This email is in Italian, directed at the country worst hit by the virus so far.
The Google translation is roughly as follows:
Important information on precautions
Dear Sir / Madam, Due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message!
The attachment is a DOCX Word document "f21203392637.doc" which contains a macro. When executed, the macro drops malware onto the system: first C:\MyImages\presskey.cmd, which is a simple loader for C:\MyImages\presskey.jse. This malware is known as OSTAP, and its job is to download the notorious Trickbot, a modular information stealer.
Sample 2: W.H.O. CORONAVIRUS SAFETY & PREVENTIVE MEASURES
This email, purporting to be from the World Health Organization, urges users to check the attachment for "health and preparedness steps". The attachment is a RAR archive containing an executable, which is Hawkeye, a keylogger and information stealer.
File: WORLD HEALTH ORGANIZATION_PDF.gz (RAR Archive)
File: WORLD HEALTH ORGANIZATION_PDF.exe
Sample 3: Coronavirus disease (COVID-19) outbreak prevention and cure update.
Another sample purporting to be from the WHO, which states it has information on "common drugs to take for prevention and quick cure". Of course, there are attachments to view, both of which are archives, a RAR and a ZIP, and both contain an executable, which is also Hawkeye.
FILE: Coronavirus Disease (COVID-19) CURE.zip
FILE: Coronavirus Disease (COVID-19) CURE.rar
FILE: Coronavirus Disease (COVID-19) CURE.exe
Sample 4: Supplier-Face Masks
This email claims to be from a manufacturer of face masks that has "started mass production", and that "demand exceeds supply". The attachment "Face Masks Quote" contains an executable which is none other than Agent Tesla, a common and readily available keylogging and info-stealing RAT.
Agent Tesla likes to harvest credentials from browsers and other applications and exfiltrate that data via SMTP. To give you an idea of the kind of data that is captured, see the screenshot below:
File: Face Masks Quote.zip
File: Face Masks Quote.exe
Sample 5: WHO Donate Now
Unlike the others, this email does not contain malware. Again it purports to be from the WHO, and simply asks you for bitcoins to help the cause. At the time of writing, this bitcoin wallet did not have any transactions against it, so hopefully the campaign was a FAIL for the bad guys.
Sample 6: Covid-19 Temporary Suspension of Activities
This email, apparently from 'thewho.com', is badly written and claims:
"Here enclosed official statement on the current situations Globally. See attached upon reviews and Temporary suspension of activities."
The email has an HTML attachment (as opposed to an HTML message body), WHO-COVID-19 Updates.pdf.HTM, which contains php code that retrieves HTML content and crudely attempts to harvest email address and password credentials, in a completely untargeted manner.
FILE: WHO-COVID-19 Updates .pdf.HTM
Sample 7: Transfer Copy
This email claims to be from a supplier in China that, due to Coronavirus, has had delays in releasing funds. The attachment 'Trnasfer_copy.pdf.z' is a RAR archive that contains an executable, which is Agent Tesla.
File: Trnasfer_copy.pdf.z (RAR archive)
File: Trnasfer_copy.bat (PE File)
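The attachments across these samples share a handful of mechanical tells a mail gateway can check before any signature matching: a document extension stacked in front of the real one (.pdf.HTM, .pdf.z), a declared type that disagrees with the file's magic bytes (a ".gz" that is really a RAR, a ".bat" that is really a PE file), an archive whose members are executables, an Office file carrying a VBA project, and an HTML attachment that contains a password form. The following triage script is an added example written for this post, not Trustwave code and not the real attachments: the sample files it builds are constructed stubs (a fake "MZ" header, a RAR signature followed by zeros, a tiny HTML form) that borrow only the filenames listed above, and the extension and signature tables are ordinary well-known values chosen for the example.

```python
import io
import re
import zipfile

# Well-known magic-byte signatures for the container and executable formats seen above.
MAGIC = {
    "pe":   b"MZ",
    "zip":  b"PK\x03\x04",
    "rar":  b"Rar!\x1a\x07",
    "gzip": b"\x1f\x8b",
    "pdf":  b"%PDF-",
    "ole":  b"\xd0\xcf\x11\xe0",   # legacy binary .doc container
}

# Declared extension -> signature the content ought to have (None = plain text, no check).
EXPECTED = {
    "exe": "pe", "bat": None, "cmd": None, "jse": None,
    "zip": "zip", "rar": "rar", "gz": "gzip", "z": None,
    "pdf": "pdf", "doc": "ole", "docx": "zip",
}
EXEC_EXT = {"exe", "bat", "cmd", "jse", "js", "vbs", "scr", "dll", "ps1"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "txt"}


def sniff(data: bytes):
    """Identify the content type from its leading bytes, or None if unrecognised."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def triage(filename: str, data: bytes) -> list:
    """Return the list of reasons an attachment looks suspicious (empty = nothing found)."""
    reasons = []
    exts = filename.lower().rsplit("/", 1)[-1].split(".")[1:]
    last = exts[-1] if exts else ""
    actual = sniff(data)

    # A document extension hiding in front of the real one, e.g. "x.pdf.HTM" or "y.pdf.z".
    if len(exts) >= 2 and exts[-2] in DOC_EXT:
        reasons.append(f"double extension .{exts[-2]}.{last}")

    # Declared type versus what the bytes actually are.
    expected = EXPECTED.get(last)
    if expected is not None and actual != expected:
        reasons.append(f"extension .{last} but content is {actual or 'unknown'}")
    if actual == "pe" and last not in {"exe", "dll", "scr"}:
        reasons.append(f"PE executable disguised as .{last}")
    if last in EXEC_EXT:
        reasons.append(f"executable attachment .{last}")

    # Look inside ZIP containers (stdlib); RAR is only flagged for out-of-band inspection.
    if actual == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().rsplit(".", 1)[-1] in EXEC_EXT:
                        reasons.append(f"archive member {member} is executable")
                    if member.lower() == "word/vbaproject.bin":
                        reasons.append("Office document with VBA macro project")
        except zipfile.BadZipFile:
            reasons.append("corrupt zip")
    elif actual == "rar":
        reasons.append("RAR archive (inspect members out-of-band)")

    # An HTML attachment that asks for a password is a credential-harvesting form.
    if last in {"htm", "html"}:
        text = data.decode("utf-8", errors="ignore").lower()
        if re.search(r"<input[^>]+type=['\"]?password", text):
            reasons.append("HTML attachment with password field")
    return reasons


def build_samples() -> dict:
    """Constructed stand-ins for the attachment names in the post (stubs, not the real files)."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64   # header only, not runnable
    fake_rar = b"Rar!\x1a\x07\x00" + b"\x00" * 32
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("Face Masks Quote.exe", fake_pe)
    doc_buf = io.BytesIO()
    with zipfile.ZipFile(doc_buf, "w") as zf:         # DOCX-shaped file with a macro project
        zf.writestr("word/document.xml", b"<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    html = (b"<html><form action='#'><input name='email'>"
            b"<input type='password' name='pass'></form></html>")
    return {
        "f21203392637.doc": doc_buf.getvalue(),
        "WORLD HEALTH ORGANIZATION_PDF.gz": fake_rar,
        "Face Masks Quote.zip": zip_buf.getvalue(),
        "WHO-COVID-19 Updates .pdf.HTM": html,
        "Trnasfer_copy.pdf.z": fake_rar,
        "Trnasfer_copy.bat": fake_pe,
        "quarterly_report.pdf": b"%PDF-1.4\n%benign constructed sample\n",
    }


def triage_all(samples: dict) -> dict:
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all(build_samples()).items():
        print(f"{name}: {reasons or 'no findings'}")
```

Each check is deliberately cheap and content-based, so it works on a gateway before an attachment is ever opened by a user; the findings are hints for quarantine or sandboxing, not a verdict, and the benign PDF stub shows that a well-formed document with a single extension produces none of them.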
Cyber criminals increasingly use social engineering techniques like those in these phishing emails to trick victims into infecting themselves with malware. They piggyback on the "tried and true" techniques that have been used by "confidence men" since the dawn of time. These techniques take advantage of fundamental emotions like greed, curiosity, and in these cases, the very legitimate fear of COVID-19. Fear can make anyone impulsive, but in these times it is more important than ever to combat the misinformation that can pollute your inbox with facts.
Trustwave Secure Email Gateway (SEG) can detect and block the email scams that are mentioned in this blog.