COVID-19 Weekly Threat Roundup: May 29

May 29, 2020

Welcome back to the Arctic Wolf COVID-19 Weekly Threat Roundup.  

We've developed this series to provide information for our customers and the broader cybersecurity community during this challenging period. This news is designed to help you and your team continue to defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic.

Every Friday we summarize the week's key cybersecurity news and organize it by major theme.  

Below, you'll see a list of new cyberattacks, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.  

You can read through previous roundups on our COVID-19 blog feed, highlighted with the orange threat roundup banner.  

1. COVID-19 Phishing Updates 

Fake Banking Advice Deploys Trojan 

Attack summary: In this campaign, attackers impersonate HSBC bank and offer an attachment supposedly containing “Payment advice.” The attachment is an ISO image containing an executable believed to be a Trojan. The subject line of the phishing email mentions COVID-19 but the body does not, continuing a trend where the latest COVID-themed phishing campaigns mix COVID messages with unrelated standard phishing themes.  

IOC(s)

Hashes

  • 8db4f32cb21d636a59afa76b553e18802098f117df1940e7f78402218bcb960d 
  • fbb838e50d66456115e0d8ac30bfd63eeba487de13cd25fbf8fceef7f2dd1ba9 

Recommendations

  • Ensure that mail, endpoint, and antivirus security is up to date with the latest threat intelligence 
  • Use risk management solutions to identify and prioritize software vulnerabilities for remediation 
  • Consider detection and response solutions to identify systems compromised by trojans 

Source: exchange.xforce.ibmcloud.com

COVID Malspam Uses GuLoader to Deliver Payloads 

Attack summary: GuLoader is a form of malware used to distribute other malware, primarily remote-access trojan payloads such as Formbook, NetWire, Remcos, and Lokibot. The malware was originally discovered in 2019 but has become more popular since, with researchers detecting over four times as many samples in April as in January. This malware is commonly used in malspam campaigns with COVID-19 themes. 

IOC(s)

URLs 

  • hxxps://onedrive[.]live[.]com/download?cid=1491235303209D1A&resid=1491235303209D1A!109&authkey=ACw2GiM8jfgliBs 
  • hxxps://drive[.]google[.]com/uc?export=download&id=1EQ7DIlAk9lk2E52DQLELmB02ADqw-62s 
  • hxxps://drive[.]google[.]com/uc?export=download&id=19sVk-ZTWHVl3_ITBst1x51qX2L28yNlw 

IMG and ISO Files 

  • 466a8de97917fdbc706ccad735ef08a4b049f802d01a03e4f611f75a132e4839 
  • 7aadacc7c5bb0c0319f8943d3c65ef2d41d49b1c470210e70e250dd665f167fe 

EXE Files 

  • 503f94f00304bc18900c3494f2da5bcb1d8a103a0b15ce00bbdaeb5dfd8d9b7b 
  • cbffd8f471de9728610b1edd4519f65399a8e64e46177e1178685ef6b081065b 

Recommendations

  • Use mail security tools and best practices to protect organizations from phishing campaigns 
  • Use detection and response solutions to identify systems compromised by sophisticated malware delivery techniques 

Source: labs.vipre.com

Scammers Promise Credential Compromise Scans 

Attack summary: In order to protect themselves, individuals and organizations often seek out information to determine if their credentials have been compromised by attackers and released in a credential dump. Researchers have identified an online scam that purports to offer such a search in exchange for a fee. In reality, the attacker will not provide the service, or will simply provide information available through a free service such as haveibeenpwned.com.  

Recommendations

  • Only use trustworthy free sources for information on credential dumps 
  • For additional nonpublic information, evaluate legitimate account takeover risk solutions 
  • Remember that compromised accounts may be used by attackers without being collected by security researchers; implement security solutions such as detection and response that can identify sophisticated account compromise attacks 

Source: info.phishlabs.com

Phishing Campaigns Exploit File-Sharing Services 

Attack summary: Attackers are exploiting legitimate file-sharing services in order to deliver malware without the need for compromised domains or infected attachments. Recent phishing campaigns used these legitimate services and COVID-19 related themes to encourage targets to open the malicious file. However, the file redirects targets to a credential theft site.    

IOC(s)

Email 

  • qmailq@cloud1-vm350[.]de-nserver[.]de 

URL 

Recommendations

  • Train employees about the risk of phishing campaigns exploiting multi-stage redirects through legitimate sharing services 
  • Use detection and response tools to identify credentials compromised by these methods 

Source: info.phishlabs.com

Fake IRS Email Hides Remcos RAT 

Attack summary: The Remcos remote access trojan is a popular malware strain previously detected in COVID-themed campaigns. See the April 24 and May 8 roundups for earlier Remcos coverage in this threat roundup series. In this campaign, attackers impersonate the IRS and inform targets they are eligible for an aid package. However, the attached file contains the Remcos RAT. 

IOC(s)

URLs

  • rex2017[.]freeddns[.]org 
  • rex2016[.]freeddns[.]org 
  • rex2016[.]hopto[.]org 
  • rex2015[.]freeddns[.]org 
  • jbarn[.]sytes[.]net 

Recommendations

  • Update AV and endpoint tools to block known malware strains, especially high-prevalence ones 
  • Notify employees of the risk of malspam campaigns 
  • Implement detection and response to alert on C2 connections by remote access and infostealer malware 

Source: exchange.xforce.ibmcloud.com

Ave Maria/WARZONE RAT Distributed Under COVID Subject Line 

Attack summary: In this campaign, as in the HSBC campaign above, attackers mention COVID-19 in the subject line, but the text of the email contains no COVID reference. This highly generic spam email delivers the Ave Maria/WARZONE RAT, a remote access/infostealer Trojan first identified in 2018, to Windows 7 installations. 

IOC(s)

URL 

  • http://info1[.]dynamic-dns[.]net/ 

IP 

  • 194.5.99.23 

Recommendations

  • Ensure mail and endpoint security is updated with signatures for both current and historic threats 
  • Use detection and response to identify connections to network IOCs 

Source: exchange.xforce.ibmcloud.com

2. Other COVID-related attacks 

New Italian Ransomware Impersonates COVID-Tracing App 

Attack summary: A new ransomware strain, known as [F]Unicorn, is attacking targets in Italy. The attackers used a phishing campaign inviting targets to a supposed beta of Immuni, the forthcoming official Italian COVID-tracing app. Once downloaded, the ransomware displays a coronavirus map (cloned from the ubiquitous JHU dashboard) while encrypting the target system.   

IOC(s)

URL 

  • http://fofl[.]it/ 

Recommendations

  • If infected, do not pay the ransom; there is no evidence that attackers are providing decryption in exchange for ransom payments 
  • Detection and response solutions can identify ransomware before it is able to encrypt target systems 

Source: bleepingcomputer.com
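Several of the recommendations above come down to the same task: take the defanged network and file indicators published in this roundup and check them against DNS, proxy, and endpoint telemetry. The following script is an added example (Arctic Wolf's own tooling is not shown on this page) that refangs the indicators listed in the Remcos, Ave Maria/WARZONE, GuLoader, HSBC, and [F]Unicorn sections above and matches them against a few constructed log lines. The log format, the host names, and client addresses in the sample lines are assumptions for illustration; the indicators themselves are copied from the sections above. Subdomains of a listed domain are treated as matches, since dynamic-DNS C2 hosts are often reached through varying labels.

```python
import re
from typing import Dict, List, Set, Tuple

# Network indicators exactly as published (defanged) in the sections above.
DEFANGED_NETWORK_IOCS = [
    "rex2017[.]freeddns[.]org",
    "rex2016[.]freeddns[.]org",
    "rex2016[.]hopto[.]org",
    "rex2015[.]freeddns[.]org",
    "jbarn[.]sytes[.]net",
    "http://info1[.]dynamic-dns[.]net/",
    "194.5.99.23",
    "http://fofl[.]it/",
]

# SHA-256 file indicators from the HSBC and GuLoader sections above.
SHA256_IOCS: Set[str] = {
    "8db4f32cb21d636a59afa76b553e18802098f117df1940e7f78402218bcb960d",
    "fbb838e50d66456115e0d8ac30bfd63eeba487de13cd25fbf8fceef7f2dd1ba9",
    "466a8de97917fdbc706ccad735ef08a4b049f802d01a03e4f611f75a132e4839",
    "7aadacc7c5bb0c0319f8943d3c65ef2d41d49b1c470210e70e250dd665f167fe",
    "503f94f00304bc18900c3494f2da5bcb1d8a103a0b15ce00bbdaeb5dfd8d9b7b",
    "cbffd8f471de9728610b1edd4519f65399a8e64e46177e1178685ef6b081065b",
}

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)   # dotted names ending in an alphabetic TLD
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions (hxxp, [.]) so the value can be compared to telemetry."""
    s = ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    return s


def host_of(ioc: str) -> str:
    """Reduce a URL, domain, or IP indicator to the host component that appears in DNS/proxy logs."""
    s = re.sub(r"^https?://", "", refang(ioc))
    return s.split("/", 1)[0]


WATCH_HOSTS: Set[str] = {host_of(i) for i in DEFANGED_NETWORK_IOCS}


def host_matches(host: str, watch: Set[str]) -> str:
    """Return the watched indicator that `host` equals or is a subdomain of, else an empty string."""
    host = host.lower().rstrip(".")
    for w in watch:
        if host == w or host.endswith("." + w):
            return w
    return ""


def scan_line(line: str) -> List[Dict[str, str]]:
    """Find every distinct IOC hit in one log line (a repeated value on the same line counts once)."""
    seen: Set[Tuple[str, str]] = set()
    hits: List[Dict[str, str]] = []

    def record(kind: str, observed: str, indicator: str) -> None:
        if (kind, indicator) not in seen:
            seen.add((kind, indicator))
            hits.append({"type": kind, "observed": observed, "indicator": indicator})

    for host in HOST_RE.findall(line):
        ind = host_matches(host, WATCH_HOSTS)
        if ind:
            record("host", host, ind)
    for ip in IPV4_RE.findall(line):
        if ip in WATCH_HOSTS:
            record("ip", ip, ip)
    for digest in SHA256_RE.findall(line):
        if digest.lower() in SHA256_IOCS:
            record("sha256", digest, digest.lower())
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[int, Dict[str, str]]]:
    """Return (1-based line number, hit) pairs for every IOC observed in the given log lines."""
    return [(n, hit) for n, line in enumerate(lines, start=1) for hit in scan_line(line)]


# Constructed sample telemetry (not real customer data): DNS, proxy, and endpoint file events.
SAMPLE_LOGS = [
    "2020-05-28T10:14:22Z dns client=10.0.0.15 query=rex2016.hopto.org type=A",
    "2020-05-28T10:14:59Z dns client=10.0.0.15 query=cdn.rex2015.freeddns.org type=A",
    "2020-05-28T10:15:03Z proxy client=10.0.0.15 dst=194.5.99.23 url=http://194.5.99.23/gate.php",
    "2020-05-28T10:16:40Z edr host=WS-0042 action=create sha256=503f94f00304bc18900c3494f2da5bcb1d8a103a0b15ce00bbdaeb5dfd8d9b7b",
    "2020-05-28T10:17:01Z dns client=10.0.0.22 query=www.example.com type=A",
    "2020-05-28T10:18:12Z edr host=WS-0042 action=create sha256=" + "0" * 64,
]

if __name__ == "__main__":
    for line_no, hit in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {hit['type']} {hit['observed']} -> IOC {hit['indicator']}")
```

Run against the constructed lines, the scanner reports four hits: two DNS queries (one an exact domain, one a subdomain of a listed domain), one proxy connection to the listed IP (counted once although the address appears twice on the line), and one endpoint file event whose SHA-256 is on the GuLoader list. The two benign lines produce nothing. Hash matching only catches the exact samples published here, so it should be treated as a confirmation signal alongside the behavioural detections the recommendations above call for, not as the sole control.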

State Unemployment Systems Under Widespread Attack 

Attack summary: Last week, we reported on frauds committed against state unemployment insurance systems by one threat group, Scattered Canary. Now, researchers are reporting that cybercriminals are widely distributing tactics for these types of attacks.  

Recommendations

  • If your organization is involved in the distribution of any form of COVID-19 relief, reassess your security posture and aid distribution processes 
  • If your organization or industry is targeted by advanced attackers, there is a risk that many more will follow; consider sophisticated defenses such as detection and response and risk management solutions 

Source: krebsonsecurity.com
