Back in February, we reported on two Coronavirus-themed phishing emails. But just as the real virus spreads rapidly around the world, so too have the scams. Cyber criminals, proving beyond doubt they are completely devoid of morals, have ramped up their activities, unashamedly using all manner of Coronavirus lures to trick people. We are now seeing dozens of different email campaigns per day. Below are samples collected from our systems that show some of what is currently out there.
Sample 1: Coronavirus: Informazioni important su precauzioni
This email is in Italian, directed at the country worst hit by the virus to date.
The Google translation is roughly as follows:
Important information on precautions
Dear Sir / Madam, Due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message!
The attachment is a DOCX Word document “f21203392637.doc” which contains a macro which, when executed, drops malware onto the system: first C:\MyImages\presskey.cmd, a simple loader for C:\MyImages\presskey.jse. This malware is known as OSTAP and functions to download the notorious Trickbot, a modular information stealer.
Sample 2: W.H.O. CORONAVIRUS SAFETY & PREVENTIVE MEASURES
This email, purporting to be from the World Health Organization, urges users to check the attachment for “health and preparedness steps”. The attachment is a RAR archive, containing an executable which is Hawkeye, a keylogger and information stealer.
File: WORLD HEALTH ORGANIZATION_PDF.gz (RAR Archive)
File: WORLD HEALTH ORGANIZATION_PDF.exe
Sample 3: Coronavirus disease (COVID-19) outbreak prevention and cure update.
Another sample purporting to be from the WHO, which states it has information on “common drugs to take for prevention and fast cure”. Of course, there are attachments to view, both of which are archives, a RAR and a ZIP, and both contain an executable, which is also Hawkeye.
FILE: Coronavirus Disease (COVID-19) CURE.zip
FILE: Coronavirus Disease (COVID-19) CURE.rar
FILE: Coronavirus Disease (COVID-19) CURE.exe
Sample 4: Supplier-Face Mask
This email claims to be from a manufacturer of face masks that has “started mass production”, and that “demand exceeds supply”. The attachment “Face Mask Quote” contains an executable which is none other than Agent Tesla, a common and readily available keylogging and info-stealing RAT.
Agent Tesla likes to harvest credentials from browsers and other applications and exfiltrate that data via SMTP. To give you an idea of the kind of data that is captured, see the screenshot below:
File: Face Mask Quote.zip
File: Face Mask Quote.exe
Sample 5: WHO Donate Now
Unlike the others, this email does not contain malware. Again it purports to be from the WHO, and merely asks you for bitcoins to support the cause. At the time of writing, this bitcoin wallet did not have any transactions against it, so hopefully, the campaign was a FAIL for the bad guys.
Sample 6: Covid -19 Temporary Suspension of Activities
This email, interestingly from ‘thewho.com’, is badly written and claims:
“Here enclosed official statement on the current situations Globally. See attached upon reviews and Temporary suspension of activities.”
The email has an HTML attachment (as opposed to an HTML message body), WHO-COVID-19 Updates.pdf.HTM, which contains PHP code that retrieves HTML content and crudely attempts to harvest email addresses and passwords – in a completely untargeted way.
FILE: WHO-COVID-19 Updates .pdf.HTM
Sample 7: Transfer Copy
This email claims to be from a supplier in China that, due to Coronavirus, has had delays in releasing payments. The attachment ‘Trnasfer_copy.pdf.z’ is a RAR archive that contains an executable, which is Agent Tesla.
File: Trnasfer_copy.pdf.z (RAR archive)
File: Trnasfer_copy.bat (PE File)
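Several of the attachments above share the same two tricks: a document-looking double extension (.pdf.z, .pdf.HTM) and a name whose extension does not match the content (a .gz and a .z that are really RAR archives, a .bat that is really a PE, a DOCX named .doc). The Python below is an added defender-side example, not code from the original post or from Trustwave's products; it applies both checks to the attachment names listed in the samples, using constructed leading bytes as stand-ins for the real files.

```python
from typing import Dict, List, Optional

# Leading magic bytes for the container and executable types seen in these campaigns.
MAGIC = {b"Rar!\x1a\x07": "rar", b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"MZ": "pe"}
# Content type a trailing extension claims to hold (OOXML .docx is ZIP-based).
CLAIMED = {"rar": "rar", "zip": "zip", "gz": "gzip", "exe": "pe", "docx": "zip"}
# Script/executable extensions that should not arrive unsolicited in mail.
RISKY = {"exe", "bat", "cmd", "jse", "js", "vbs", "scr", "hta", "htm", "html"}
# Document-looking inner extensions used to make a double extension feel safe.
DECOY = {"pdf", "doc", "docx", "xls", "xlsx"}


def sniff(data: bytes) -> Optional[str]:
    # Identify content by its first bytes rather than trusting the file name.
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def analyse_attachment(name: str, data: bytes) -> List[str]:
    # Return findings for one attachment; an empty list means nothing was flagged.
    findings = []
    exts = [e for e in name.lower().split(".")[1:] if e]
    actual = sniff(data)
    if len(exts) >= 2 and exts[-2] in DECOY:
        findings.append(f"double extension .{exts[-2]}.{exts[-1]}")
    if exts and exts[-1] in RISKY:
        findings.append(f"risky extension .{exts[-1]}")
    if exts:
        claimed = CLAIMED.get(exts[-1])
        if claimed and actual and claimed != actual:
            findings.append(f"claims {claimed} but content is {actual}")
        elif claimed is None and actual in ("pe", "rar", "zip"):
            findings.append(f"content is {actual} despite .{exts[-1]} extension")
    return findings


# Constructed leading bytes (not the real files) paired with the attachment names from the samples.
SAMPLES = {
    "f21203392637.doc": b"PK\x03\x04\x14\x00\x06\x00",            # DOCX content under a .doc name
    "WORLD HEALTH ORGANIZATION_PDF.gz": b"Rar!\x1a\x07\x00\x00",  # RAR, not gzip
    "Face Mask Quote.zip": b"PK\x03\x04\x14\x00\x00\x00",
    "WHO-COVID-19 Updates.pdf.HTM": b"<html><body><form method='post'",
    "Trnasfer_copy.pdf.z": b"Rar!\x1a\x07\x00\x00",
    "Trnasfer_copy.bat": b"MZ\x90\x00\x03\x00\x00\x00",           # PE under a .bat name
}


def scan_all() -> Dict[str, List[str]]:
    return {name: analyse_attachment(name, data) for name, data in SAMPLES.items()}
```

A gateway rule built on these findings would quarantine anything with a content/extension mismatch or a risky trailing extension, while a clean ZIP such as "Face Mask Quote.zip" still needs its contents inspected (here it holds an executable).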
Cyber criminals increasingly use social engineering techniques like those in these phishing emails to trick victims into infecting themselves with malware. They piggyback on the “tried and true” techniques that have been used by “confidence men” since the dawn of time. Those techniques take advantage of elementary emotions like greed, curiosity, and in these cases, the very valid fear of COVID-19. Fear can make anyone impulsive, but in these times it’s more important than ever to combat, with facts, the misinformation that might pollute your inbox.
Trustwave Secure Email Gateway (SEG) can detect and block the email scams that are mentioned in this blog.