Please Note: Check this blog for frequent updates on adversary activity related to COVID-19.
As the COVID-19 pandemic continues to take hold in various geographical locations, government and businesses are rapidly changing how and where they operate to ensure the safety and health of their employees, customers and partners. This environment is dynamic, and the continually shifting paradigm has significant consequences on organizational security posture. “Work from home” is becoming the new normal for organizations hoping to flatten the curve of the pandemic. For some organizations, remote work has been ongoing for several years, and the new push is simply a matter of scaling up existing solutions and policies. In many other environments, work from home is a foreign concept; technology, operations and policies are not prepared for this new reality, and several challenges are being encountered such as:
- Use of personal devices and email for business or handling sensitive information
- Provisioning corporate assets to support remote working arrangements
- Proper deployment and configuration of remote services, corporate VPNs and related two-factor authentication methods
Adversaries are keenly aware of these challenges and the opportunities for abusing this situation to their advantage. This blog provides an overview of tactics and observed cyber threats beginning in January 2020 through publication.
Tactic Highlight: Phishing
Phishing remains the primary initial access vector for a variety of threat actors. Successful phishing attacks frequently play to greed or fear in the victim. The infamous “Nigerian Prince” schemes are an example of the use of greed, where the promise of riches entices the victim to do things they ordinarily wouldn’t do. In the case of the COVID-19 pandemic, fear abounds, and the awareness of the pandemic itself is global. Phishing attacks promise new information about the virus or updates on official guidance.
In addition to what has already been observed, CrowdStrike® Intelligence assesses with high confidence that additional phishing campaigns using lures aligned with health guidance, containment and infection-rate news are likely to increase over the next few months.
In addition to phishing lures leveraging health-related interest, there is also a possibility that actors could take advantage of more employees working from home, and move toward lures attempting to spoof company guidance and procedures, human resource correspondence and company information technology (IT) issues and resources.
While such exploitative operations have not been directly observed at this time, targeted intrusion adversaries in particular have relied on job-themed and human resource-themed lure documents over the last few months. In a situation where employees will increasingly rely on email communications to continue business operations, the threat of phishing campaigns attempting to mimic official business communications will likely increase.
Observed Activity: eCrime
As the pandemic continues to evolve, CrowdStrike has observed sustained eCrime activity across the board, including some with COVID-19 themes. Campaigns have been observed in multiple languages, using multiple attachment types and various levels of COVID-19 information, demonstrating that the scope of these campaigns has been and is likely to remain wide. COVID-19-themed activity has followed the path of the virus as it has moved from Asia across the world. As news about the situation in various locales emerges, the themes and targets change — for example, with recent news of the desperate situation in Italy, WIZARD SPIDER was observed deploying dynamic web inject files that solely target customers of Italian financial institutions, with the intent of stealing credentials for accounts.
One of the earliest eCrime actors to capitalize on the COVID-19 outbreak was MUMMY SPIDER in late January 2020. This actor used Japanese-language spam spoofing a public health center in order to distribute the Emotet downloader malware, which subsequently led to the download and install of WIZARD SPIDER’s TrickBot.
CrowdStrike Intelligence has continued to identify multiple campaigns distributing additional eCrime threats, such as Gozi ISFB, Nemty ransomware, SCULLY SPIDER’s DanaBot, GRACEFUL SPIDER’s GetAndGo Loader and the Latin America-targeted malware Kiron. There have also been instances of eCrime actors attempting to sell COVID-19-themed tools, including a phishing method using a payload preloader masked as a COVID-19 map.
Observed Activity: Targeted Intrusion
Despite the impact of COVID-19 on their respective countries, CrowdStrike Intelligence has observed multiple nation-state-affiliated targeted intrusion adversaries remaining active with spear-phishing campaigns throughout the last few months. Moreover, many of these adversaries have already been observed using COVID-19-themed operations: China-based PIRATE PANDA was observed using COVID-19-themed lure documents in February 2020; Democratic People’s Republic of Korea (DPRK) adversary VELVET CHOLLIMA has also remained active and recently leveraged a COVID-19-themed lure document to deliver its unique BabyShark malware against South Korea-based organizations.
Tactic: Targeting Remote Services
It is possible that companies will increase their use of software as a service (SaaS) and cloud-based remote connectivity services in order to enable and support employees working from home. Standing up remote working services poses a potential security risk, particularly when combined with security lapses caused by human error.
Criminal actors in particular continually seek to collect credentials for these services, potentially allowing them to gain access to these SaaS accounts and victim organization data. The eCrime big game hunting (BGH) ransomware industry in particular leverages Remote Desktop Protocol (RDP) brute forcing or password spraying for initial entry. As many sophisticated BGH actors remain highly active at present, they will likely attempt to capitalize on possible staffing disruptions COVID-19 may bring to organizations, as well as attempt to compromise employee devices while they work remotely.
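To show the defender's side of the RDP brute-forcing and password-spraying entry technique noted above, here is an added example (not CrowdStrike tooling) that separates the two patterns in constructed Windows logon-failure records; the CSV layout, thresholds and IP addresses are assumptions.

```python
"""Separate RDP password spraying from brute forcing in Windows logon
failures. Added example on constructed records; not CrowdStrike code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, "timestamp,event_id,account,source_ip,logon_type".
# 4625 = failed logon, 4624 = success, logon type 10 = RDP. Not real data.
SAMPLE_LOG = """\
2020-03-18T02:00:01,4625,alice,203.0.113.7,10
2020-03-18T02:00:03,4625,bob,203.0.113.7,10
2020-03-18T02:00:05,4625,carol,203.0.113.7,10
2020-03-18T02:00:07,4625,dave,203.0.113.7,10
2020-03-18T02:00:12,4624,dave,203.0.113.7,10
2020-03-18T02:01:00,4625,admin,198.51.100.9,10
2020-03-18T02:01:01,4625,admin,198.51.100.9,10
2020-03-18T02:01:02,4625,admin,198.51.100.9,10
2020-03-18T02:01:03,4625,admin,198.51.100.9,10
2020-03-18T09:15:00,4625,alice,192.0.2.44,10
"""

def parse_events(text):
    out = []
    for line in text.splitlines():
        ts, eid, acct, ip, ltype = line.split(",")
        out.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                    "account": acct, "ip": ip, "logon_type": int(ltype)})
    return out

def detect_rdp_attacks(events, window=timedelta(minutes=10),
                       spray_accounts=4, brute_attempts=4):
    """Per source IP: 'spray' = failures against many distinct accounts in
    one window; 'brute_force' = many failures against one account. Also
    records any later RDP success from a flagged IP (needs response)."""
    rdp = [e for e in events if e["logon_type"] == 10]
    by_ip = defaultdict(list)
    for e in rdp:
        if e["id"] == 4625:
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):  # sliding window over failures
            span = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            per_acct = defaultdict(int)
            for e in span:
                per_acct[e["account"]] += 1
            if len(per_acct) >= spray_accounts:
                kind = "spray"
            elif max(per_acct.values()) >= brute_attempts:
                kind = "brute_force"
            else:
                continue
            success = sorted({e["account"] for e in rdp if e["id"] == 4624
                              and e["ip"] == ip and e["ts"] >= first["ts"]})
            findings[ip] = {"type": kind, "accounts": sorted(per_acct),
                            "success_after": success}
            break
    return findings
```

The spray case is the one that single-account lockout policies miss, which is why the grouping is by source IP rather than by account.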
Tactic: Vishing Robocall and Tech Support Scams
As employees shift to flexible work arrangements such as telecommuting, they will increasingly rely on phone communications to maintain and continue business operations. Adversaries will likely take advantage of this situation and conduct malicious operations attempting to mimic official business communications. Such operations could include voice phishing or “vishing” and robocall scams, as well as technical support scams.
Criminals have been observed using the COVID-19 outbreak as a theme in vishing and robocall scams. A portion of these calls have initially focused on targets on the U.S. West Coast, as well as industries affected by the outbreak, such as transportation and travel. In some cases, vishing can be combined with smishing (text message phishing) in order to perpetrate such scams or load malicious content onto mobile devices.
Technical support scams use various delivery methods including phone calls, pop-up warnings or redirects. Although the theme of these scams may not be directly related to COVID-19, the increase in office workers transitioning to remote work in the near term poses the risk of increased tech support scams targeting those individuals, who may not be adept at or self-sufficient in remote computing.
Recommendations for Defending Against COVID-19 Scams
As the global COVID-19 outbreak grows, CrowdStrike assesses that malicious cyber threat actors will continue to take advantage of the situation. As such, it is imperative that businesses and employees remain aware of the potential cyber threats they face while they make transitions to alternative business continuity plans, and that they are informed of the immediate steps they can take to mitigate potential risks.
CrowdStrike recommends adopting a strong defensive posture by ensuring that remote services, VPNs and multifactor authentication solutions are fully patched and properly integrated, and by providing security awareness training for employees working from home.
In order to help customers cope with these new and unexpected developments, CrowdStrike is offering two new limited-time programs. They address the challenges introduced by the large number of managed and unmanaged devices being used by newly remote workers.
Observed Activity Update: Monday, April 6
Last week, CrowdStrike Intelligence observed the following notable threats using COVID-19 themes.
- On March 27, 2020, a COVID-19-themed phishing campaign with the subject “COVID-19 UPDATE !!” was sent to victims, purportedly from the World Health Organization (WHO), with a malicious attachment named “Covid-19_UPDATE_PDF.7z.” The 7-zip archive contained an executable sample of the information-stealing malware LokiBot (CSIT-17123). The World Health Organization (WHO) did not send this email; please read this security alert [who.int] for more information.
- On March 30, 2020, an unattributed adversary sent a phishing message using the spoofed sender alias CDC Health Alert, referring to the U.S. Centers for Disease Control and Prevention (CDC), which contained the subject “CDC-INFO-Corona Virus Viccine found.” The message included an attached Gzip archive named “Covid-19 Vaccine.gz.” This archive contains the commodity NanoCore RAT, which is widely available in the criminal underground.
- On March 31, 2020, CrowdStrike Intelligence identified a second email impersonating the CDC to deliver NanoCore. The message body was apparently derived from a publication on the official CDC website. Instead of leveraging an attachment to deliver NanoCore, this email prompts recipients to “download the vaccine” from a Microsoft OneDrive link. The message body additionally advises victims to contact a UK phone number if needed: “If you have more question please sms or Whatsapp me on: [UK phone number] on how to use the Vaccine.” The use of a contact number is not common in criminal spam campaigns.
- A lure website referencing COVID-19 (masry-corona[.]com) was identified in use during March 2020 by distributors of the Culebra Variant information stealer to attract internet visitors. The malware is commonly used to capture Latin-America-based banking customers’ credentials.
- AgentTesla continued its capitalization on the COVID-19 pandemic by distributing a spam campaign purportedly from Group Life and Health with the subject “Important Notice to Our Corporate Clients & Partners – COVID -19.” The spam email contained the RAR archive attachment named “COVID-19 Communication to corporate Clients..rar.” The archive file contained an executable file named “COVID-19 Communication to corporate Clients..exe.” This executable is a sample of AgentTesla that communicates with the command-and-control (C2) server rajalakshmi[.]co.in.
- CrowdStrike Intelligence has obtained several Korean-language exploit documents themed with information pertaining to the COVID-19 pandemic in the Republic of Korea (ROK). Upon execution, these documents attempt to deliver two previously unobserved payloads. The exploit used in this activity and the targeting of individuals likely in the ROK is congruent with previously observed Democratic People’s Republic of Korea (DPRK) operations; however, the payloads do not have any direct technical overlaps with tools used by any tracked DPRK adversaries. CrowdStrike Intelligence assesses with moderate confidence that it is likely that these exploit documents were deployed by a DPRK-aligned group but does not attribute this new activity to a named adversary at the time of this writing.
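Pulling together the lure indicators in the updates above (spoofed WHO/CDC sender names, archives wrapping executables, double-dot attachment names, COVID-19 subject lines), here is an added mail-triage example that is not CrowdStrike's own code; the sender addresses and the file names inside each archive are constructed assumptions.

```python
"""Triage constructed e-mail metadata for the COVID-19 lure indicators
described in the campaign reports above. Added example, not CrowdStrike code."""
import re

ARCHIVE_EXT = {".7z", ".gz", ".rar", ".zip"}
EXEC_EXT = {".exe", ".scr", ".js", ".vbs"}
# Organisations the lures impersonate, with the domain each legitimately uses.
IMPERSONATED = [
    (re.compile(r"\bwho\b|world health organi[sz]ation", re.I), "who.int"),
    (re.compile(r"\bcdc\b|centers for disease control", re.I), "cdc.gov"),
]
THEME = re.compile(r"covid|corona|vaccin|ncov", re.I)

def ext(name):
    return name[name.rfind("."):].lower() if "." in name else ""

def triage(msg):
    """Return (score, reasons) for one message dict with keys display_name,
    sender, subject, attachment and inner_files (archive contents)."""
    reasons, att = [], msg.get("attachment", "")
    inner = msg.get("inner_files", [])
    if THEME.search(msg["subject"]) or THEME.search(att):
        reasons.append("covid-themed lure")
    domain = msg["sender"].rsplit("@", 1)[-1].lower()
    for pattern, legit in IMPERSONATED:
        if pattern.search(msg["display_name"]) and not (
                domain == legit or domain.endswith("." + legit)):
            reasons.append(f"display name claims {legit} but sender is {domain}")
            break
    exes = [f for f in inner if ext(f) in EXEC_EXT]
    if ext(att) in ARCHIVE_EXT and exes:
        reasons.append("archive wraps executable: " + ", ".join(exes))
    if ".." in att or any(".." in f for f in inner):
        reasons.append("double-dot file name (extension masking)")
    return len(reasons), reasons

def triage_all(msgs):
    return [triage(m)[0] for m in msgs]

SAMPLES = [  # constructed; subjects and attachment names follow the reports
    {"display_name": "World Health Organization", "sender": "alerts@who-update.example",
     "subject": "COVID-19 UPDATE !!", "attachment": "Covid-19_UPDATE_PDF.7z",
     "inner_files": ["Covid-19_UPDATE_PDF.exe"]},
    {"display_name": "CDC Health Alert", "sender": "info@cdc-alert.example",
     "subject": "CDC-INFO-Corona Virus Viccine found",
     "attachment": "Covid-19 Vaccine.gz", "inner_files": ["Covid-19 Vaccine.exe"]},
    {"display_name": "Group Life and Health", "sender": "notice@grouplife.example",
     "subject": "Important Notice to Our Corporate Clients & Partners – COVID -19",
     "attachment": "COVID-19 Communication to corporate Clients..rar",
     "inner_files": ["COVID-19 Communication to corporate Clients..exe"]},
    {"display_name": "WHO Newsletter", "sender": "newsletter@who.int",  # benign
     "subject": "Weekly epidemiological update", "attachment": "update.pdf",
     "inner_files": []},
]
```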
Observed Activity Update: Monday, March 30
Adversaries continue to use social engineering techniques and malicious documents referring to Coronavirus Disease 2019 (COVID-19). This week, CrowdStrike Intelligence observed the following notable threats using COVID-19 themes.
- CrowdStrike Intelligence identified scam emails spoofing the World Health Organization (WHO) with requests for financial donations to the COVID-19 Solidarity Relief Fund. The emails copy legitimate communications from WHO regarding the fund, but list an adversary-controlled Bitcoin (BTC) wallet address for payment. The World Health Organization (WHO) did not send this email; please read this security alert [who.int] for more information.
- A malicious website (corona-virus-map[.]net) posing as a COVID-19 map was identified dropping SCULLY SPIDER’s DanaBot banking trojan. The web inject primarily targeted U.S.-based financial institutions.
- On March 23, 2020, CrowdStrike Intelligence obtained a phishing message impersonating a U.S. government agency and using the subject line “COVID-19 – nCoV – Special Update – WHO.” The message contained an attachment named “covid-19 – ncov – special update.doc.” When opened, this file exploits a vulnerability in Microsoft Equation Editor and subsequently issues a GET request to download a file located at http[:]//getegroup[.]com/file.exe that leads to a WarZone remote access tool (RAT) sample. This malware uses phantom101.duckdns[.]org for command and control. WarZone is a commercially available RAT commonly used by cybercriminals.
- On March 23, 2020, a COVID-19-themed DNS hijacking campaign was identified that reportedly attempts to trick users into downloading Oski Stealer. By altering the DNS settings for D-Link and Linksys routers, users are directed to an actor-controlled site that claims WHO has released a COVID-19 information application.
- Compromised versions of an Android application called “SM_Covid19” are being distributed to unsuspecting users. The hijacked versions allow for the download and execution of additional malicious code on a user’s device. The original app was developed by an Italy-based company to assist with applying social-distancing protocols during the COVID-19 pandemic.
- CrowdStrike Intelligence identified a malicious Microsoft Office exploit document with Mongolian-language lure content uploaded to a third-party file-scanning service. When opened, the document displays decoy content bearing Mongolian Ministry of Foreign Affairs (MFA) letterhead, related to a COVID-19 press release by the People’s Republic of China (PRC). CrowdStrike Intelligence currently assesses there is an even chance this activity is associated with the KARMA PANDA (aka MysticChess) adversary. Further retrospective analysis has also identified suspected KARMA PANDA activity as early as December 2019.
- CrowdStrike Intelligence identified a COVID-19-themed lure document being used by VELVET CHOLLIMA to deliver its Konni implant. The file, titled “Keep an eye on North Korean cyber.doc,” uses macros in an attempt to contact C2 infrastructure. VELVET CHOLLIMA has used COVID-19-themed documents several times over the past few weeks and is likely taking advantage of this significant geopolitical event to entice its targets to open malicious documents and execute its malware.
- Unspecified actors repeatedly targeted the website of Mexico’s official news agency, Notimex, and posted false information regarding the COVID-19 pandemic using the organization’s hijacked social media accounts. The Notimex website and social media accounts were restored as of March 23, 2020.
Observed Activity Update: Monday, March 23
CrowdStrike Intelligence has additionally observed the following recent activity:
- On March 23, 2020, public reporting announced that some European-based hospitals had fallen victim to a Netwalker ransomware (aka KazKavKovKiz, Mailto, Mailto2 and KoKo) incident. The incident reportedly began on March 22, 2020, and used Coronavirus Disease 2019 (COVID-19) lures.
- Throughout March 2020, the RedLine information stealer has used COVID-19-themed spam purportedly originating from a project that simulates potential cures for diseases to evaluate their effectiveness.
- A new TrickBot dynamic web inject was distributed targeting customers of Italy-based financial institutions. It is highly likely that this is a continuation of efforts by WIZARD SPIDER to capitalize on COVID-19 — the group has used COVID-19-themed lures during distribution. The new dynamic web inject is likely seeking to exploit the inevitable increase in online banking by Italian users during the current lockdown conditions.
- On March 16, 2020, the Australian Cyber Security Centre (ACSC) reported a text phishing scam claiming to offer advice on local COVID-19 testing facilities. Interacting with the URL within the text dropped the commodity banking trojan Cerberus via a malicious Android application package.
- A Nemty ransomware (v2.6) sample was detected on March 18, 2020, targeting a government entity. The lure email spoofed the chief executive office of a healthcare organization and referenced an annual general meeting purportedly scheduled to discuss the pandemic.
- On March 18, 2020, TWISTED SPIDER announced it will refrain from infecting medical organizations until the pandemic situation stabilizes. Other criminal actors are also reported to be avoiding infections of healthcare sector entities.
- CrowdStrike Intelligence has observed ongoing MUSTANG PANDA activity since late February 2020 using lure content related to the COVID-19 pandemic. Observed incidents have used malicious shortcut files (LNK) to drop decoy documents in Chinese, English and Vietnamese.
- CrowdStrike Intelligence anticipates that hacktivism, particularly in Latin America and Europe, is likely to spike during the global COVID-19 pandemic, judging from hacktivist operations over the past week. During the past year, rates of hacktivism in Latin America have already been higher than normal, due mostly to political unrest in much of the region. These campaigns are likely to increase as other protest options narrow, given that widespread demonstrations and other large gatherings are increasingly prohibited in order to slow the spread of the virus.
- Read a blog on COVID-19 cybersecurity from CrowdStrike CEO George Kurtz.
- Learn more about the cybersecurity challenges during COVID-19 and recommendations for securing your remote workforce in blogs by CrowdStrike CTO Mike Sentonas and Chief Product and Engineering Officer Amol Kulkarni.
- Access resources to help you ensure the security of your organization and remote workers by visiting the CrowdStrike COVID-19 resource webpage.
- Watch an on-demand webcast featuring CrowdStrike Intelligence and endpoint security experts: “Cybersecurity in the Time of COVID-19.”
- Download the CrowdStrike 2020 Global Threat Report.