Welcome back to the Arctic Wolf COVID-19 Weekly Threat Roundup.
We've developed this series to provide information for our customers and the broader cybersecurity community during this challenging period. This news is designed to help you and your team continue to defend your organizations from evolving cybersecurity threats during the COVID-19 pandemic.
Every Friday we summarize key cybersecurity news for the week and organize them by major themes.
Below, you'll see a list of new cyberattacks, with attack vectors, IOCs, and security recommendations (as applicable), combining credible open-source threat intelligence with insights from the Arctic Wolf team.
You can read through previous roundups on our COVID-19 blog feed, highlighted with the orange threat roundup banner.
1. COVID-19 Phishing Updates
Fake Banking Advice Deploys Trojan
Attack summary: In this campaign, attackers impersonate HSBC bank and offer an attachment supposedly containing “Payment advice.” The attachment is an ISO image containing an executable believed to be a Trojan. The subject line of the phishing email mentions COVID-19 but the body does not, continuing a trend where the latest COVID-themed phishing campaigns mix COVID messages with unrelated standard phishing themes.
- 8db4f32cb21d636a59afa76b553e18802098f117df1940e7f78402218bcb960d
- fbb838e50d66456115e0d8ac30bfd63eeba487de13cd25fbf8fceef7f2dd1ba9
- Ensure that mail, endpoint, and antivirus security is up to date with the latest threat intelligence
- Use risk management solutions to identify and prioritize software vulnerabilities for remediation
- Consider detection and response solutions to identify systems compromised by trojans
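The two hashes listed above are SHA-256 digests, so the practical first check is to hash files on disk and compare against them. The following Python script is an added example written for this roundup, not code from Arctic Wolf; it embeds the page's two IOCs, walks a directory, and reports any file whose SHA-256 matches. The `demo()` function builds a scratch directory with constructed files (the real samples are not included) and adds the hash of one constructed file to the IOC set so the scan has something to find.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 IOCs published in the roundup for the fake HSBC "Payment advice" campaign.
HSBC_CAMPAIGN_SHA256 = {
    "8db4f32cb21d636a59afa76b553e18802098f117df1940e7f78402218bcb960d",
    "fbb838e50d66456115e0d8ac30bfd63eeba487de13cd25fbf8fceef7f2dd1ba9",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 in 1 MiB chunks so large ISO images do not
    have to be read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, iocs):
    """Return {path: sha256} for every regular file under root whose digest is in iocs.
    Hashes are compared case-insensitively; unreadable files are skipped rather than
    aborting the sweep."""
    wanted = {h.lower() for h in iocs}
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits[path] = digest
    return hits


def demo():
    """Constructed demonstration (hypothetical files, not the campaign's samples):
    one benign file and one stand-in for the ISO attachment. The stand-in's own
    hash is added to the published IOC set so the scan reports exactly that file."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "report.txt"
        benign.write_bytes(b"quarterly numbers - constructed benign content")
        suspect = Path(tmp) / "Payment advice.iso"
        suspect.write_bytes(b"constructed stand-in for the malicious ISO attachment")
        iocs = set(HSBC_CAMPAIGN_SHA256) | {sha256_of_file(suspect)}
        hits = scan_directory(tmp, iocs)
        return sorted(os.path.basename(p) for p in hits)


if __name__ == "__main__":
    print("matched:", demo())
```

Point `scan_directory` at a mail quarantine or download folder with `HSBC_CAMPAIGN_SHA256` as the IOC set to sweep for the published samples; extend the set as further hashes are released.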
COVID Malspam Uses GuLoader to Deliver Payloads
Attack summary: GuLoader is a form of malware used to distribute other malware, primarily remote-access trojan payloads such as Formbook, NetWire, Remcos, and Lokibot. The malware was originally discovered in 2019 but has become more popular since, with researchers detecting over four times as many samples in April as in January. This malware is commonly used in malspam campaigns with COVID-19 themes.
IMG and ISO Files
- Use mail security tools and best practices to protect organizations from phishing campaigns
- Use detection and response solutions to identify systems compromised by sophisticated malware delivery techniques
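Both the HSBC lure above and the GuLoader campaigns deliver their payload inside a disk image (ISO/IMG), a container type that many attachment filters do not open. The following Python script is an added example, not Arctic Wolf's or any vendor's code: it parses a raw RFC 822 message with the standard library and flags attachments whose filename carries a disk-image extension. The sample message it builds is constructed to resemble the lure described and is not a real sample; the sender and recipient addresses are placeholders.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Disk-image extensions named as the delivery vector in this roundup (ISO for the
# HSBC lure, IMG and ISO for GuLoader). Extend as needed for your environment.
DISK_IMAGE_EXTENSIONS = {".iso", ".img"}


def flag_disk_image_attachments(raw_message):
    """Return [(filename, content_type, decoded_size)] for every attachment in the
    raw message bytes whose filename ends in a disk-image extension. Filenames are
    lower-cased before the check so 'ADVICE.ISO' is caught as well."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        extension = os.path.splitext(name.lower())[1]
        if extension in DISK_IMAGE_EXTENSIONS:
            payload = part.get_payload(decode=True) or b""
            findings.append((name, part.get_content_type(), len(payload)))
    return findings


def build_sample_message():
    """Constructed message mirroring the pattern in the roundup: COVID-19 in the
    subject, a generic payment-advice body, and an ISO attachment alongside a
    harmless PDF. Addresses use the reserved .invalid TLD."""
    msg = EmailMessage()
    msg["From"] = "notifications@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "COVID-19: Payment advice"
    msg.set_content("Please find attached the payment advice for your account.")
    # Inert placeholder bytes stand in for the ISO image; no real image is embedded.
    msg.add_attachment(b"\x00" * 2048, maintype="application",
                       subtype="octet-stream", filename="Payment advice.iso")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype, size in flag_disk_image_attachments(build_sample_message()):
        print(f"disk-image attachment: {name!r} ({ctype}, {size} bytes)")
```

Run it against messages pulled from a mail gateway or quarantine to see how often disk-image attachments reach users; hits are candidates for blocking or detonation before delivery.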
Scammers Promise Credential Compromise Scans
Attack summary: In order to protect themselves, individuals and organizations often seek out information to determine if their credentials have been compromised by attackers and released in a credential dump. Researchers have identified an online scam that purports to offer such a search in exchange for a fee. In reality, the attacker will not provide the service, or will simply provide information available through a free service such as haveibeenpwned.com.
- Only use trustworthy free sources for information on credential dumps
- For additional nonpublic information, evaluate legitimate account takeover risk solutions
- Remember that compromised accounts may be used by attackers without being collected by security researchers; implement security solutions such as detection and response that can identify sophisticated account compromise attacks
Phishing Campaigns Exploit File-Sharing Services
Attack summary: Attackers are exploiting legitimate file-sharing services in order to deliver malware without the need for compromised domains or infected attachments. Recent phishing campaigns used these legitimate services and COVID-19 related themes to encourage targets to open the malicious file. However, the file redirects targets to a credential theft site.
- Train employees about the risk of phishing campaigns exploiting multi-stage redirects through legitimate sharing services
- Use detection and response tools to identify credentials compromised by these methods
Fake IRS Email Hides Remcos RAT
Attack summary: The Remcos remote access trojan is a popular malware strain previously detected in COVID-themed campaigns. See the April 24 and May 8 roundups for earlier Remcos coverage in this series. In this campaign, attackers impersonate the IRS and inform targets that they are eligible for an aid package. However, the attached file contains the Remcos RAT.
- Update AV and endpoint tools to block known malware strains, especially high-prevalence ones
- Notify employees of the risk of malspam campaigns
- Implement detection and response to alert on C2 connections by remote access and infostealer malware
Ave Maria/WARZONE RAT Distributed Under COVID Subject Line
Attack summary: In this campaign, as in the HSBC campaign above, attackers mention COVID-19 in the subject line, but the text of the email contains no COVID reference. This highly generic spam email delivers the Ave Maria/WARZONE RAT, a remote access/infostealer Trojan first identified in 2018, to Windows 7 installations.
- Ensure mail and endpoint security is updated with signatures for both current and historic threats
- Use detection and response to identify connections to network IOCs
2. Other COVID-Related Attacks
New Italian Ransomware Impersonates COVID-Tracing App
Attack summary: A new ransomware strain, known as [F]Unicorn, is attacking targets in Italy. The attackers used a phishing campaign inviting targets to a supposed beta of Immuni, the forthcoming official Italian COVID-tracing app. Once downloaded, the ransomware displays a coronavirus map (cloned from the ubiquitous JHU dashboard) while encrypting the target system.
- If infected, do not pay the ransom; there is no evidence that attackers are providing decryption in exchange for ransom payments
- Detection and response solutions can identify ransomware before it is able to encrypt target systems
State Unemployment Systems Under Widespread Attack
Attack summary: Last week, we reported on frauds committed against state unemployment insurance systems by one threat group, Scattered Canary. Now, researchers are reporting that cybercriminals are widely distributing tactics for these types of attacks.
- If your organization is involved in the distribution of any form of COVID-19 relief, reassess your security posture and aid distribution processes
- If your organization or industry is targeted by advanced attackers, there is a risk that many more will follow; consider sophisticated defenses such as detection and response and risk management solutions