
Thursday, Mar 26, 2020

Malware Authors and Scammers Adapt to Current Events with Phishing and More

Robert Neumann Senior Security Researcher
Mate Balatoni Security Researcher

Cyber criminals are opportunists who continuously evolve their methods of attack. As history has shown, the greater the global visibility of an event – government elections, religious holidays or a worldwide crisis such as the one we find ourselves in today – the harder bad actors work to exploit it with every tool in their arsenal.

According to the World Health Organization, email attacks impersonating that organisation have doubled since the beginning of March. This is just one of many examples of current cyberattacks posing as a trusted global organization while every nation in the world tries to manage these unprecedented times.

Taking full advantage of world events, attackers are leaning into social engineering built around popular keywords – such as Coronavirus and COVID-19 – to run online scams, phishing and malware attacks.

Following is an overview of recent global cyberattack trends Forcepoint has been tracking to give you a view into what to look out for and how to protect yourself against impending cyberattacks that take advantage of today’s global climate.

Standard Phishing

Phishing-related campaigns have one goal: tricking people into entering their personal details or valuable credentials into a fake application or on a legitimate-looking web site. Our first subject under analysis pretends to be a missed-call notification about a COVID-19 update. The email contains no text in the message body, only an attachment with an .htm extension.

Figure 1 – Missed call email example

Upon a closer look, the attachment is indeed a simplistic HTML file whose sole purpose is to direct people to a suspicious-looking URL.

Figure 2 – HTML attachment of the missed call email

The window title displays "Fetching your audio file" while the page loads, and soon we find ourselves on a fake Outlook portal. The username is already pre-filled; only the password is waiting to be entered. Despite all the similarities, this is not an official Outlook portal: note the strange URL in the HTML attachment, which already carries the victim's email address. It is always recommended to double-check the destination before entering any sensitive data.

Figure 3 – Fake Outlook landing page with pre-filled username
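The .htm lure above works only because the attachment redirects the browser and smuggles the recipient's address along in the URL. The following triage script is an added example, not code from the original post or from Forcepoint: it parses a constructed HTML attachment (placeholder `.invalid` domains and a made-up address), collects every redirect target (meta refresh, JavaScript `location` assignments and anchors) and flags any target that embeds an email address, which is the tell-tale sign of a credential-capture page with a pre-filled username.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample attachment, modelled on the "missed call" lure described above.
# Domains are placeholders (.invalid); the address is made up.
SAMPLE_ATTACHMENT = """<html><head><title>Fetching your audio file</title>
<meta http-equiv="refresh" content="0; url=https://example-cdn.invalid/voice/?e=alice%40example.com">
</head><body>
<script>window.location = 'https://login-portal.invalid/#alice@example.com';</script>
</body></html>"""

# Constructed benign attachment for comparison: a plain link with no identity baked in.
BENIGN_HTML = '<html><body><a href="https://intranet.example.org/report">Open report</a></body></html>'

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# window.location = '...', location.href = "...", top.location = '...'
JS_LOCATION_RE = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")
# url=... inside a meta refresh "content" attribute
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


class RedirectCollector(HTMLParser):
    """Collects every place the document could send the browser to."""

    def __init__(self):
        super().__init__()
        self.targets = []      # list of (kind, url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content") or "")
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag == "a" and a.get("href"):
            self.targets.append(("anchor", a["href"]))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as CDATA; look for location assignments.
        if self._in_script:
            for m in JS_LOCATION_RE.finditer(data):
                self.targets.append(("js-location", m.group(1)))


def analyse_html_attachment(html: str):
    """Return one finding per redirect target; a target that carries an
    email address (percent-encoded or not) is marked suspicious."""
    parser = RedirectCollector()
    parser.feed(html)
    findings = []
    for kind, url in parser.targets:
        emails = EMAIL_RE.findall(unquote(url))
        findings.append({
            "kind": kind,
            "url": url,
            "embedded_emails": emails,
            "suspicious": bool(emails),
        })
    return findings


if __name__ == "__main__":
    for finding in analyse_html_attachment(SAMPLE_ATTACHMENT):
        print(finding)
```

Run it over a quarantined attachment and any finding with `suspicious: True` is worth a look: a voicemail or document notification has no legitimate reason to hand the destination page the recipient's address in the query string or fragment. Targets without an embedded address are not cleared by this check alone; they still need the domain checked against reputation data.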

Different flavors of traditional spam

Trading on people's superstitions and fear is an old technique, especially when we are navigating a serious global event with far-reaching impact on communities all over the world. Official, semi-official and unofficial advice is coming from every possible direction – along with a number of hoaxes.

  • How to strengthen our immune system?
  • What steps to take to prevent infection?
  • What are the natural ways to defend ourselves?
  • Which are the best masks to wear when travelling?

Figure 4 – Example of Coronavirus related spam

Most of these are valid questions to raise; however, the answers vary widely, and it is easy to heed fake advice. Some recent spam campaigns focus on exactly this technique: they either link to shady web sites and services or push a specific product which is supposed to protect against Coronavirus and COVID-19.

Figure 5 – Face mask advertisement spam

When in doubt, research similar goods from reputable websites and brands you have purchased from before. Starting that research with official global health sources such as the WHO or CDC can also help separate what is real from what may actually be detrimental to your health.

Figure 6 – Example of Health Improvement spam

New pitch for existing malware families

The examples above sit at the lower end of the scale when it comes to the level of possible harm. Our final subject, despite arguably looking the most authentic, takes the damage potential up a notch. The email targeted recipients in Italy at a time when the country's reported cases were continuing to increase. It encourages the opening of the attached document, which it presents as having been sent by the World Health Organization (WHO) and as containing all the necessary precautions against Coronavirus infection.

Figure 7 – Fake WHO precautions email targeted at Italians

Opening the attached Microsoft Word document displays the following screen, which asks users to follow the steps to enable macros (unless the default macro security settings have already been modified).

Figure 8 – Malicious Word attachment asking for macros to be enabled

There are several macros in the document, and they are password-protected to prevent editing. Fortunately, that can be worked around, so let's have a look at the familiar autoopen.

Figure 9 – Content of the autoopen macro

The autoopen macro defines “DebugClassHandler”, which is executed automatically when the document is opened. Investigating it quickly reveals that it drops two files: “errorfix.bat” and “Ranlsojf.jse”. The former is a standard batch file meant to launch the latter with Windows' built-in script interpreter.

Figure 10 – Source code of DebugClassHandler

As expected, the dropped “Ranlsojf.jse” is indeed a script file: a complex and heavily obfuscated piece of JavaScript. It belongs to what is usually referred to as the Ostap downloader family, which is known for its strong ties to TrickBot.

Figure 11 – Part of Ostap’s obfuscated JavaScript code

At the end of its execution, the JavaScript code reaches out to a pre-defined C2 server to download further payloads; in our case this was a variant of the TrickBot infostealer.
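The execution chain just described (Word → batch file → Windows script host running a .jse) is visible in ordinary process-creation telemetry regardless of how the JavaScript is obfuscated. The detector below is an added example, not Forcepoint's code or detection content: it walks parent/child links over a constructed set of process events (PIDs, paths and the `WHO_precautions.doc` name are made up; `errorfix.bat` and `Ranlsojf.jse` are the file names from the analysis above) and raises an alert when a batch file is launched directly by an Office application or when a script host runs a script file anywhere beneath an Office process.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str       # executable name, lower-cased by the collector
    cmdline: str

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script extensions the Windows script host will execute, at the end of a path.
SCRIPT_EXT_RE = re.compile(r"\.(?:jse|js|vbs|vbe|wsf)(?=[\"'\s]|$)", re.IGNORECASE)

# Constructed sample telemetry (assumed Sysmon/EDR-style fields). Only the two dropped
# file names come from the analysed sample; paths and other values are invented.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe",  r'"WINWORD.EXE" /n "C:\Users\user\Downloads\WHO_precautions.doc"'),
    ProcEvent(300, 200, "cmd.exe",      r'cmd.exe /c C:\Users\user\AppData\Local\Temp\errorfix.bat'),
    ProcEvent(400, 300, "wscript.exe",  r'wscript.exe C:\Users\user\AppData\Local\Temp\Ranlsojf.jse'),
    # Benign: a logon script run under Explorer, with no Office process above it.
    ProcEvent(500, 100, "cscript.exe",  r'cscript.exe \\fileserver\netlogon\logon.vbs'),
]


def ancestors(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Return parent, grandparent, ... for a pid; guards against ppid loops."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def detect_office_dropper_chain(events: List[ProcEvent]):
    """Alert on processes that descend from an Office application and either run a
    batch file directly from it or execute a script file via wscript/cscript."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        lineage = ancestors(by_pid, e.pid)          # nearest parent first
        office_idx = next((i for i, a in enumerate(lineage) if a.image in OFFICE_APPS), None)
        if office_idx is None:
            continue                                # nothing Office-related above it
        cmd = e.cmdline.lower()
        if e.image == "cmd.exe" and ".bat" in cmd and office_idx == 0:
            rule = "office_app_launched_batch_file"
        elif e.image in SCRIPT_HOSTS and SCRIPT_EXT_RE.search(cmd):
            rule = "script_host_descended_from_office_app"
        else:
            continue
        # Report the chain from the Office process down to the offending child.
        chain = [a.image for a in reversed(lineage[:office_idx + 1])] + [e.image]
        alerts.append({"rule": rule, "pid": e.pid, "chain": chain, "cmdline": e.cmdline})
    return alerts


if __name__ == "__main__":
    for alert in detect_office_dropper_chain(SAMPLE_EVENTS):
        print(alert["rule"], "->", " > ".join(alert["chain"]))
```

The second rule deliberately looks at the whole ancestry rather than the direct parent, because the batch file puts `cmd.exe` between Word and the script host; a rule keyed only on "Office spawns wscript" would miss exactly this sample. The logon script under Explorer produces no alert, which is the noise you want such a rule to ignore.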

Conclusion

Under an extended period of stress such as a world-wide pandemic, anxiety and desperation can make it easy to let one’s guard down when it comes to online threats. Cybercriminals exploit these moments by playing on fears in the hope that we will fall for their carefully crafted scams. Whenever emails related to real-life events are received, we must remain vigilant and take the time to consider their authenticity. By practising security vigilance on a daily basis, we can mitigate the impact cyber attackers can have during global events because we’ll already be looking for their exploits.

Attacker tools, techniques and procedures remain largely the same; only the theme of the lure has changed to align with current events. If kept up to date, your web and email security stack should remain effective against these adjustments in the threat landscape.

Protection statement

Forcepoint customers are protected against this threat at the following stages of attack:

Stage 2 (Lure) – Malicious emails associated with these attacks are identified and blocked.

Stage 6 (Call Home) – Attempts to contact command-and-control servers are blocked.

IOCs

hxxps://cubanananananana.blob.core.windows[.]net/

hxxp://track.ljmzf[.]com/aff_c?offer_id=9801&aff_id=6258&aff_sub=SW16M

hxxps://offerhub[.]buzz/

hxxp://www.aloofdorm[.]icu/

hxxps://194.87.96[.]100/1/1.php
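The indicators above are published defanged (`hxxp`, `[.]`) so that they cannot be clicked by accident, which means they have to be normalised before they can be matched against logs. The script below is an added example, not a Forcepoint tool: it refangs the post's IOC list, extracts the hostnames (including the bare IP address), and scans a constructed proxy log (invented timestamps, client addresses and benign URLs; the log format is an assumption) for connections to those hosts. It matches exact hostnames on purpose, so that `windows.net` traffic to other blob-storage accounts is not swept up with the one malicious account.

```python
import re
from urllib.parse import urlparse

# The defanged indicators as published in the post above.
IOCS = [
    "hxxps://cubanananananana.blob.core.windows[.]net/",
    "hxxp://track.ljmzf[.]com/aff_c?offer_id=9801&aff_id=6258&aff_sub=SW16M",
    "hxxps://offerhub[.]buzz/",
    "hxxp://www.aloofdorm[.]icu/",
    "hxxps://194.87.96[.]100/1/1.php",
]

# Constructed proxy log, assumed format: "<epoch> <client-ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
1585209600 10.0.0.15 GET https://www.example.org/ 200
1585209612 10.0.0.15 GET http://www.aloofdorm.icu/ 200
1585209630 10.0.0.22 GET https://mail.example.org/owa/ 200
1585209641 10.0.0.22 POST https://194.87.96.100/1/1.php 200
1585209655 10.0.0.31 GET https://windows.net/ 200
"""

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def refang(ioc: str) -> str:
    """Undo the common defanging conventions: hxxp(s) -> http(s), [.] -> ., [:] -> :"""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def ioc_hosts(iocs):
    """Lower-cased hostnames (or IP literals) from a list of defanged URL indicators."""
    hosts = set()
    for ioc in iocs:
        host = urlparse(refang(ioc)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def match_proxy_log(log_text: str, iocs):
    """Return one hit per log line whose request host is exactly an IOC host."""
    hosts = ioc_hosts(iocs)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue                                  # skip malformed lines
        url = m.group(4)
        host = (urlparse(url).hostname or "").lower()
        if host in hosts:
            hits.append({"line": lineno, "client": m.group(2), "host": host, "url": url})
    return hits


if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG, IOCS):
        print(f"line {hit['line']}: {hit['client']} -> {hit['host']}")
```

Feeding this a real proxy export gives the list of clients that should be checked for the Stage 6 (Call Home) activity described in the protection statement; the `aff_c?offer_id=...` query string on the second indicator is preserved through refanging but is not needed for host-level matching.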

About the Authors

Robert Neumann

Senior Security Researcher

Robert Neumann is a Senior Security Researcher in Forcepoint X-Labs. He focuses on various short- and long-term research projects, ranging from small scale malicious campaigns through niche malware and file formats to in-depth investigations and threat actor attribution. 
 

Mate Balatoni

Security Researcher

Mate Balatoni is a Security Researcher in Forcepoint X-Labs.