Welcome back to the Arctic Wolf COVID-19 Weekly Threat Roundup.
This series is part of how we're helping our customers and the broader cybersecurity community during this challenging period.
This roundup is designed to help you and your team continue to defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic. Each edition summarizes key cybersecurity news for the week and is organized by major themes.
Each item includes a new cyberattack, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with unique insights from the Arctic Wolf team.
You can read previous roundups on our COVID-19 blog feed, highlighted with the orange threat roundup banner.
1. COVID Phishing Continues
“Hack for hire” Impersonates WHO
Attack summary: in this new wave of attacks, “hack for hire” firms are exploiting COVID-19 themes to target business leaders in financial services, consulting, and healthcare. These emails purport to come from the World Health Organization (WHO), and encourage targets to sign up for ongoing notifications regarding the pandemic. The supposed signup sites are carefully crafted to resemble the legitimate WHO site, but function as credential stealers, and may also solicit additional personal information.
- Train employees, especially senior leaders, about the risks of these spearphishing campaigns; encourage them never to provide login information in response to unsolicited communications
- Use detection and response solutions to identify compromised credentials, or suspicious activity by compromised accounts
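The WHO lure above works because the signup pages sit on addresses that merely resemble who.int. The following is an added example (not Arctic Wolf code) of a lookalike-domain check a mail or proxy filter could apply to links before a user sees them: it catches the real domain embedded under an attacker-controlled domain, digit-for-letter homoglyphs, and one-character typosquats. The protected domain who.int is real; every other URL in the sample list is constructed for the example.

```python
"""Added example: score URL hosts for impersonation of a protected domain.

Not Arctic Wolf code. Protected domain is who.int; the URLs in SAMPLE_URLS
are constructed for this example and are not real indicators.
"""
from urllib.parse import urlparse

PROTECTED = {"who.int"}  # registrable domains we defend against impersonation

# Single-character substitutions attackers use to mimic Latin letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Return the last two labels (naive eTLD+1, adequate for who.int).
    Production code should consult the Public Suffix List for ccTLDs."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> tuple:
    """Return (verdict, reason): 'legitimate', 'lookalike' or 'unrelated'."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return "legitimate", f"{reg} is a protected domain"
    # Normalise homoglyphs and treat '-' like '.', so who-int.com and
    # wh0.int both become label sequences that contain 'who.int'.
    norm = "." + host.translate(HOMOGLYPHS).replace("-", ".") + "."
    for legit in PROTECTED:
        if f".{legit}." in norm:
            return "lookalike", f"{legit} appears inside {host} but is not its registrable domain"
        if levenshtein(reg.translate(HOMOGLYPHS), legit) <= 1:
            return "lookalike", f"{reg} is within one edit of {legit}"
    return "unrelated", f"{reg} does not resemble a protected domain"


def classify_url(url: str) -> str:
    return classify_host(urlparse(url).hostname or "")[0]


# Constructed sample links for the example (not real IOCs).
SAMPLE_URLS = [
    "https://www.who.int/emergencies/diseases/novel-coronavirus-2019",
    "https://who.int.covid-alerts.example/signup",
    "http://wh0.int/notifications",
    "http://who-int.com/subscribe",
    "https://whoo.int/login",
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict, why = classify_host(urlparse(u).hostname or "")
        print(f"{verdict:11} {u}  ({why})")
```

The subdomain rule is the important one for this campaign: a link such as who.int.covid-alerts.example reads as the WHO to a hurried executive, but its registrable domain is whatever the attacker bought. Extend PROTECTED with your own brand and partner domains.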
New FMLA campaign delivers Himera and AbSent-Loader
Attack summary: in this campaign, attackers used email subject lines related to the Family and Medical Leave Act (FMLA) to induce targets to open the message and then download a document named “COVID-19 PESENTATION.doc” (sic). This document drops a Himera loader executable, which performs a series of anti-analysis checks and then retrieves additional binaries from a remote C2 server.
- Update mail and endpoint security with the latest IOCs to block malicious attachments
- Deploy detection and response solutions to identify compromised systems and suspicious connections to C2 servers
Additional FMLA Campaign Delivers Banking Malware BokBot
Attack summary: in this campaign, attackers also used emails referencing the Family and Medical Leave Act. The email claims to originate from a supposed “COVID-19 CENTER” using a spoofed sender address. The payload was a malicious document entitled FMLAINSTRUCTIONS.doc, whose macros drop an executable containing the BokBot banking malware (also tracked as IcedID).
- Use mail and endpoint security with regular updates to identify and block malicious attachments
- Train employees about the risks of macros
- Consider detection and response solutions to identify C2 connections and data exfiltration from malware like BokBot
Alpha Bank Phishing Campaign Distributes GuLoader
Attack summary: in this campaign, attackers impersonate Alpha Bank, one of the largest banks in Greece. The email refers to a fictitious “dalay in payment” (sic) resulting from the COVID-19 pandemic. The attachment contains GuLoader, a downloader that retrieves an encrypted second-stage payload, commonly from cloud file-hosting services. Subsequent malware activity is consistent with an infostealer payload.
- Maintain email security training programs
- Use mail and endpoint security to block the listed IOCs
- Consider detection and response solutions to identify activity by GuLoader or infostealers
Researchers Analyze Common COVID-19 Malware Varieties
Attack summary: over the course of the pandemic, COVID-19 themes have been used to distribute a wide range of existing malware strains. In this report, researchers highlight five malware families as especially common in COVID-19 campaigns: AveMaria and LokiBot (remote access trojans); NetWiredRC (a backdoor); AZORult (an infostealer); and DanaBot (banking malware).
- Ensure that endpoint and AV tools have been updated with IOCs for all major malware varieties
- Deploy security operations solutions to benefit from constant threat intelligence updates and managed detection tuning.
2. Mobile Phishing Tied to COVID-19
Researchers Report High Volume of Malicious COVID Texts
Attack summary: attackers have exploited multiple methods of distribution for COVID-themed campaigns. Researchers are now reporting that, at the peak of these campaigns, as many as 5% of COVID-related SMS messages may have been phishing or another high-risk attack, often employing URL shorteners to obscure the true destination of malicious links. Another security group observed a 37% growth in mobile phishing encounter rates from the last quarter of 2019 to the first quarter of 2020.
- Train employees about the risk of phishing attempts targeting mobile devices through SMS
- Establish security policies for work use of personally owned (BYOD) devices
- Evaluate detection and response solutions that can integrate endpoint and mobile detection into broad security awareness
3. New Remote Work Threats
Office 365 Phishing Spoofs VPN Issue
Attack summary: in this campaign, attackers targeted employees using Office 365, which has seen an enormous spike in usage from pandemic-related remote work. The malicious email spoofs the company’s own domain in the From: address and tells users they need to update their VPN configuration, then directs them to a credential-stealing page. Attackers hosted this page on Azure, so it was served from a Microsoft-owned hostname with a valid TLS certificate and browsers displayed the “secure” padlock. The padlock only confirms an encrypted connection to the host named in the address bar; it says nothing about whether the page itself is legitimate.
- Train employees about the risk of phishing campaigns, including campaigns that may impersonate internal resources
- Use mail security best practices (enforce SPF, DKIM and DMARC, and tag external senders) to help users identify external emails spoofing internal domains
- Use detection and response solutions to identify when credentials have been stolen by suspicious sites
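Spoofing the company’s own domain is exactly what sender authentication exists to catch: mail that really left the organization arrives at the gateway with dmarc=pass, while a forged From: does not. The following is an added example (not Arctic Wolf code) of a post-gateway triage check that reads the Authentication-Results header, flags internal-looking mail that failed DMARC, and lists any links pointing outside the organization. The internal domain example.com and both messages are constructed for the example; the spoofed one mirrors the VPN lure described above.

```python
"""Added example: flag mail that claims an internal From: domain but fails
sender authentication at the gateway. Not Arctic Wolf code; example.com is
an assumed internal domain and both messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example.com"}  # assumed: the organisation's own mail domains

AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from the gateway's Authentication-Results
    headers; the first verdict seen for each method wins."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(hdr)):
            results.setdefault(method.lower(), verdict.lower())
    return results


def is_internal_host(host) -> bool:
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def assess(raw: bytes) -> dict:
    """Return a triage record: verdict, From: domain, auth verdicts, external links."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    external_links = [u for u in URL_RE.findall(body)
                      if not is_internal_host(urlparse(u).hostname)]

    reasons = []
    claims_internal = from_domain in INTERNAL_DOMAINS
    # Mail genuinely sent by us arrives with dmarc=pass; a spoofed From: does not.
    if claims_internal and auth.get("dmarc") != "pass":
        reasons.append(f"From: claims {from_domain} but DMARC result is "
                       f"{auth.get('dmarc', 'absent')}")
    if claims_internal and external_links:
        reasons.append(f"internal-looking mail links to external hosts: {external_links}")
    verdict = "quarantine" if claims_internal and auth.get("dmarc") != "pass" else "allow"
    return {"verdict": verdict, "from_domain": from_domain, "auth": auth,
            "external_links": external_links, "reasons": reasons}


# Constructed messages for the example (headers as a receiving gateway would add them).
SPOOFED_VPN_LURE = b"""Received: from mail-out.attacker.example (203.0.113.7)
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=it-support@example.com; dkim=none; dmarc=fail header.from=example.com
From: IT Support <it-support@example.com>
To: jane@example.com
Subject: Action required: VPN configuration update
Content-Type: text/plain

Your VPN profile has expired. Sign in to renew it:
https://vpn-update.blob.core.windows.net/login/index.html
"""

LEGIT_INTERNAL = b"""Received: from mail.example.com (192.0.2.10)
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=hr@example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: HR <hr@example.com>
To: jane@example.com
Subject: Updated leave policy
Content-Type: text/plain

See the intranet page: https://intranet.example.com/policies
"""

if __name__ == "__main__":
    for raw in (SPOOFED_VPN_LURE, LEGIT_INTERNAL):
        print(assess(raw))
```

This only works if your own domain publishes a DMARC policy and your gateway actually records its verdict; a missing Authentication-Results header is treated as a failure here on purpose, since a spoofed internal sender with no authentication trail is the case this campaign relies on.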
Zoom Vulnerabilities Enable Code Execution (patched)
Attack summary: security researchers disclosed two vulnerabilities in Zoom, the popular video teleconferencing client, that would have permitted code execution. In the first, a specially crafted chat message abused the path the client normally uses to fetch GIFs from the Giphy service to achieve an arbitrary file write, and potentially arbitrary code execution. In the second, a specially crafted message abused the client’s handling of shared code snippets to plant an arbitrary binary, again potentially leading to code execution. Following responsible disclosure practice, the researchers reported both flaws to Zoom, which issued patches.
- Because these vulnerabilities have been patched, no action is required beyond confirming that Zoom clients are running a current version
- However, the steady discovery of vulnerabilities in major collaboration tools such as Zoom underlines the need for a risk management program, including patch monitoring for remote endpoints, to secure a remote workforce
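The first Zoom issue belongs to a familiar class: a client writes downloaded content to disk using a name it did not choose. The following is an added example, not Zoom’s code, that assumes for illustration that the write used a filename taken from the remote message. It shows a vulnerable download-cache routine beside a hardened one that accepts only a bare .gif name, confirms the resolved path stays inside the cache, and checks the GIF signature before writing. The temporary directory, the payloads and the attacker-style name are constructed for the example.

```python
"""Added example: arbitrary-file-write via an attacker-controlled filename,
shown as a vulnerable cache routine beside a hardened one. Not Zoom's code;
the mechanism is assumed for illustration and all inputs are constructed.
"""
import os
import tempfile
from pathlib import Path

GIF_MAGIC = (b"GIF87a", b"GIF89a")


def is_gif(data: bytes) -> bool:
    """Check the GIF signature instead of trusting the name or Content-Type."""
    return data[:6] in GIF_MAGIC


def vulnerable_save(cache_dir: str, filename: str, data: bytes) -> str:
    # VULNERABLE: the remote party controls 'filename'. A value such as
    # "../../.profile" or an absolute path walks out of cache_dir, so the
    # attacker chooses where the bytes land (arbitrary file write).
    path = os.path.join(cache_dir, filename)
    with open(path, "wb") as f:
        f.write(data)
    return path


def safe_save(cache_dir: str, filename: str, data: bytes) -> str:
    base = Path(cache_dir).resolve()
    name = os.path.basename(filename)
    # 1. Accept only a bare, non-empty file name with the expected extension.
    if (name != filename or name in ("", ".", "..") or "\\" in name
            or not name.lower().endswith(".gif")):
        raise ValueError(f"rejected file name {filename!r}")
    # 2. Resolve the final path and confirm it is still directly inside base
    #    (catches symlinks or anything the name check missed).
    target = (base / name).resolve()
    if target.parent != base:
        raise ValueError(f"{target} escapes {base}")
    # 3. Confirm the content really is a GIF before writing it.
    if not is_gif(data):
        raise ValueError("payload is not a GIF")
    with open(target, "wb") as f:
        f.write(data)
    return str(target)


def demo() -> dict:
    """Run both routines against an attacker-style name and report outcomes."""
    gif = b"GIF89a" + b"\x00" * 16  # constructed minimal payload
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp, "cache")
        cache.mkdir()
        # The vulnerable routine happily writes one level above the cache.
        escaped = Path(vulnerable_save(str(cache), "../escaped.gif", gif)).resolve()
        out["vulnerable_escaped"] = cache.resolve() not in escaped.parents
        for bad_name, bad_data, key in (("../escaped.gif", gif, "safe_blocked_traversal"),
                                        ("cute.gif", b"MZ\x90\x00", "safe_blocked_fake_gif")):
            try:
                safe_save(str(cache), bad_name, bad_data)
                out[key] = False
            except ValueError:
                out[key] = True
        written = Path(safe_save(str(cache), "cute.gif", gif))
        out["safe_wrote_in_cache"] = written.parent == cache.resolve()
    return out


if __name__ == "__main__":
    print(demo())
```

The order of the three checks matters: the name check is cheap and rejects the obvious cases, the resolved-path check is the one that actually guarantees containment, and the content check stops a non-image from being parked on disk under an innocuous name for a later stage to execute.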