Singapore-based cybersecurity company Group-IB’s Computer Emergency Response Team (CERT-GIB) analyzed hundreds of Coronavirus-related phishing emails between February 13 and April 1, 2020. Researchers found that spyware was the most common malware class (65%) hiding in fraudulent COVID-19 emails, with AgentTesla topping the list of phishers’ favorite strains.
Spyware: The Most likely COVID-19 Phishing Campaign Payload
CERT-GIB’s report is based on the Threat Detection System (TDS) Polygon, which analyzes Coronavirus-related phishing traffic to detect both known and unknown threats in isolated environments. Most COVID-19-related phishing emails had different spyware strains embedded as attachments. However, AgentTesla (45%), NetWire (30%), and LokiBot (8%) were the most actively exploited malware families. With some minor differences, all these malware samples are designed to collect personal and financial data. They are highly efficient in mining user credentials from browsers, exfiltrating mail clients and file transfer protocol (FTP) clients, capturing screenshots, and in secretly tracking user behavior, which is further sent to the operators’ command and control (C&C) server(s).
- Most of the emails detected were written in the English language. Those behind such COVID-related campaigns target government organizations and private companies.
- The emails were masked as advisories, purchase orders, face mask offers, and alerts or safety recommendations from world bodies such as the World Health Organization (WHO), UNICEF, and other international companies such as Maersk, Pekos Valves, and CISCO.
Important: Please take note that these world bodies and international organizations are in no way involved in these fraudulent activities and/or scams.
Fig. 1. Example of a malicious email disguised as “UNICEF COVID-19 TIPS APP” with spyware in the attachment.
Fig. 2. Example of a phishing email disguised as an offer of free masks.
- Following file extensions have been used to deliver malware samples: .gz, .ace, .arj,and .rar, which are mainly archive file formats.
To trick antivirus software installed on the victim’s system, threat actors now include the passwords for accessing the content in the email subject line, in the archive name, or in a subsequent correspondence email sent to the victim. Thus, unless behavioral analytics is employed, such malware are likely to go undetected.
A single employee who opens a malicious file from an undetected phishing email could jeopardize the whole company’s operations.
– Head of CERT-GIB
Aleksandr Kalinin, Head of CERT-GIB says, “People should remain particularly vigilant now that most people are working from home due to the pandemic. We predict an increase in the number of cyberattacks on unprotected home networks used by employees who have switched to remote work. Corporate security teams should reassess their approach to securing corporate digital space by strengthening their perimeter, which now includes employees’ home devices. A single employee who opens a malicious file from an undetected phishing email could jeopardize the whole company’s operations.”
What Needs to be Done?
- All remote employees’ email accounts and VPNs used to access corporate networks should be protected with two-factor / multi-factor authentication.
- Implement network protection solutions to analyze incoming and outgoing e-mails traffic.
- Employ network segmentation and role-based access (RBAC) rights to all employees.
- Remote user activity should also be covered under the organization’s security perimeter and hence endpoint security tools need to be implemented.