Experts from Paloalto Unit 42 published a report that analyzes the cross-section between the various types of Coronavirus-themed attacks aimed at organizations in different industries.
Recently organizations in healthcare, research, and government facilities have been hit by Coronavirus-themed attacks that deployed multiple malware families, including ransomware and information stealers (i.e. AgentTesla).
PaloAlto researchers cited ransomware attacks against a Canadian government healthcare organization and a Canadian medical research university, both attempting to exploit the ongoing pandemic.
Experts also observed Coronavirus-themed attacks spreading the
The attacks against the Canadian healthcare organizations were discovered between March 24 and March 26, they started with
Attackers used a spoofed address mimicking the World Health Organization (noreply@who[.]int) to send out the phishing messages, the emails were sent to a number of individuals working at healthcare organization actively involved in Coronavirus response efforts.
“Between March 24, 2020 at 18:25 UTC and March 26 at 11:54 UTC, Unit 42 observed several malicious emails sent from the spoofed address noreply@who
The messages use a weaponized rich text format (RTF) attachment that exploits the CVE-2012-0158 buffer overflow in Microsoft’s ListView / TreeView ActiveX controls in MSCOMCTL.OCX library.
Experts noticed that the name of the file employed in this campaign references the date March 23, 2020, and it was not updated over the course of the campaign.
Once executed, the ransomware binary contacts the C2 server to download an image that serves as the main ransomware infection notification displayed the victim’s device, then it gathers the host details and transmits it to the C2 to create a custom key to encrypt the files on the system’s desktop with a “.locked20” extension.
“Once the remote command and control (C2) server successfully receives the victim’s details, it then proceeds to create a custom key based on the username/hostname details and sends the key back to the infected host for further processing.” continues the analysis. “Once the key is received from the C2 server, the infected host then initiates an HTTP POST request to the resource www.tempinfo.96[.]lt/wras/savekey.php containing its hostname and the main decryption key for the host, which is, in itself, AES encrypted:”
Palo Alto Networks researchers determine that ransomware strain was EDA2 based, open-source ransomware that was initially created for educational purposes.
“The objective of this blog was to give a deeper understanding on some of the types of cybercrime campaigns being faced by multiple critical industries dealing with the urgent and critical response efforts of the COVID-19 pandemic. It is clear from these cases that the threat actors who profit from cybercrime will go to any extent, including targeting organizations that are in the front lines and responding to the pandemic on a daily basis.” concludes the report.
“While this blog specifically focused on two campaigns, Unit 42 is tracking multiple campaigns with COVID-19 themes being used by threat actors on a daily basis and this trend is likely going to continue for weeks to come.”
(SecurityAffairs – Coronavirus-themed attacks, hacking)