Threat Research

Latest COVID-19 Variants from the Ridiculous to the Malicious

By Val Saengphaibul | August 10, 2020

FortiGuard Labs Threat Report

Affected platforms:    Various
Impacted parties:       Multiple (Individuals and Organizations)
Impact:                        Collects sensitive information from victims’ computers
Severity level:             Medium

With the spectre of the COVID-19 pandemic hovering over the world for the past six months, it is not surprising for a majority of the populace has become be desensitized to all the media coverage. Because of this, attackers are trying to squeeze out every last opportunity of using this topic as a lure – strategy commonly used for other major events, ranging from elections to tragedies to sporting events – before they are forced to move on. 

As first reported in our March blog, and described in subsequent reports you can read herehereherehere, and here, attackers have been seizing the opportunity to use the novel coronavirus COVID-19 topic as an effective lure because of its exceptionally high profile. COVID-19 was unique because it potentially affected every living human being on this planet. Because this was a hot topic at the time, causing panicked reactions that emptied store shelves and placed supplies of medical equipment on back order, the most responsive cybercriminals were among the first to exploit the issue. However, given that months have now gone by, it is only natural that the quality of these attacks has started to decline. 

Like most trending issues, event-based attacks are short lived. Attackers try to always stay one step ahead of their victims to social engineer them into clicking an enticing link or opening up what appears to be a benign attachment using various compelling reasons. For example, since most stores have restocked their shelves with things like toilet paper and hand sanitizer, and masks can now be purchased at any convenience store, phishing email looking to cash in on panicked buyers looking for those items have now become quite ineffective. Using themes that were relevant months ago but irrelevant now would be a waste of time, and ultimately have a low return on investment.  

However, this doesn’t stop many of the latecomer criminals from trying. To add to the many examples of attacks seen related to COVID-19 that we have reported on before, below are several examples found this week – ranging from the ludicrous to a new remote access trojan that people should really be aware of.

The Classic 419/Bill Gates/Lottery Scam Reinvented – Two Examples

Below is a phishing email with the subject “Covid-19 Fund Relieve Award”. 

Figure 1. Email example

The body of the email notifies the recipient that they are “the lucky winners in the Second Batch of the ongoing Google 21st Anniversary In-Conjunction with United Nations Covid-19 Fund Relieve Award as Organized by Google Head Office Management in California, United States of America.”

Besides the obvious grammatical, formatting, and punctuation errors, and the factual inconsistencies serving as a red flag, the fact that the content of the email claims to contain a monetary award from a major corporation means this email can be ignored and deleted. This is because no reputable company or organization alerts winners you of such a significant award via email. Other obvious warning signs include being awarded a prize of this sum out of nowhere, and that the issuing organization clearly has no grasp of even basic information, such as the first and last name of the winner. 

Even more obvious is the tying together the usage of the Google search engine and Internet Explorer (long replaced by Edge), developed by competing companies, as a reason why the award was given in the first place. One of the cardinal rules of identifying malicious emails is if it doesn’t make sense, it’s probably a scam.

Interestingly, this scam doesn’t live in a vacuum. Digging deeper, we found a variation of the email address used in this scam in another attack, shown below. In fact, we found that this email address, or some similar layout, has been used in at least 419 scams previously, like this one discovered in March. The WhatsApp phone number used in the email resolves to South Africa.

Once we open the attached PDF file in the second scam, UNITED NATIONS COVID-19.pdf, we immediately see trademark abuse of notable organizations, including that of the United Nations symbol, along with the ridiculous insertion of the Nazi Party logo for one of the ‘o’s in the Google logo, that should be an easy tell that this email is a fake.

Figure 2: PDF Attachment

Bitcoin Stimulus Package

This next example is another social engineering attack. This one attempts to look similar to some of the economic stimulus packages that are being offered in various countries. Some items to note, which are tell-tale signs that this is an obvious scam, besides the usual grammatical and formatting issues, is the fact that this letter is entirely devoid of details altogether. Somehow, the attacker hopes that a victim will fall prey to their scam even though the letter is completely unconvincing:

Figure 3: Example bitcoin phishing email

Clicking on the link takes you to [hxxps://cryptocurrencypandemicclaims[.]uc[.]r[.]appspot[.]com/cryptocurrencyclaims[.]hxxx] and pretends to provides you with the cryptocurrency exchange of your choice, allowing th victim to “Choose Your Wallet.” Victims with a Bitcoin wallet already set up are required to “login” to their wallet to claim the supposed bonus, giving the attacker the credentials necessary to access to the victim’s bitcoin wallet. 

Figure 4: Victim must chooses a wallet to continue

Clicking on one of the largest known exchanges (CoinBase) also highlights another phishing page that has the look and feel of the CoinBase page, minus the obviously incorrect URL:

[hxxps://cryptocurrencypandemicclaims[.]uc[.]r[.]appspot.com/home/coinbase/index[.]hxxx#]

Figure 5: Malicious sign-in page which has the look and feel of Coinbase

Once we enter an email address and password, the form below asks us to confirm the details again:

Figure 6. Form that sends off account data to a remote URL

Entered data is sent to a remote location that is a known phishing website hxxp://pwwebtraffic[.]com.

Figure 7. Form being submitted to pwwebtraffic[.]com

Checking with our FortiGuard Labs telemetry highlights that this domain has been rather active as of early June, which indicates a spam run:

Figure 8. Spike in traffic for pwwebtraffic.com over a six-month period

Figure 8b. Country visits to pwwebtraffic.com

Regarding visits to this domain, Venezuela accounts for 98 percent of total visits, while Australia, Canada, New Zealand, Germany, The United States, and Chile represent most of the remaining two percent.

A Payment Issue Leads to NetWire 

Figure 9. Example Email

Another recent COVID-19 lure that we’ve seen is this one that appears to be sent to a victim as payment has been delayed due to COVID-19. If an unsuspecting victim opens the attachment, “Payment_details.rar”, the resulting file (written in Delphi) will uncompressed and call the following Google Drive URL:

hxxps://drive[.]google[.]com/u/0/uc?id=1AiqquVw81WrAfMFGXfEbQ64Ipx0b-Igt&export=download

which hosts the payload, which is also a hex encoded file. 

The file will also contact the following IP addresses:  

172.217.18[.]14 (Google Drive)

46.38.151[.]236" (C2)

192.168.0[.]1 (Localhost)

and will write to registry location HKEY_CURRENT_USER\Software\NetWire.

It will also launch the process TapiUnattend.exe to connect to the C2 servers okamoto[.]hopto[.]org (46.38.151[.]236) over port 3871. This is a server located in the United Kingdom, with its namespace assigned to a company in Iran. This dynDNS URL, based on our telemetry, has been associated with the Azorult, Nanocore, and NJRAT malware families in the past as well.

Figure 10: Country visits to c2 server okamoto[.]hopto[.]org

The top three targeted regions, based on our telemetry, are Germany (40%), the United States (40%), and Austria (20%). 

Figure 11: Traffic to c2 server okamoto[.]hopto[.]org

Conclusion 

Even though COVID-19 lures are likely to dwindle due to its aging interest, we will likely continue to see attackers using broad, spray and pray tactics to lure potential victims into opening an attachment or following a nefarious link. Even though this topic is no longer as novel as it was several months ago, it still dominates news cycles. And the development of a quick email which takes several minutes to compose is still worth it to an attacker because there are still victims that will fall for these scams, providing cybercriminals with valuable information. 

To keep devices free from malware, and critical information out of the hands of criminals, we must still use effective cyber health practices. Train users to examine emails before clicking on links or opening attachments, implement more effective secure email gateway protocols to identify and eliminate more malware from getting through to users, deploy sandboxing technology to identify malicious content, use content disarm and reconstruction (CDR) technologies to strip malicious content out of email, and deploy web application firewalls to identify and block malicious links and outbound connections to C2 servers.

Mitigation

Antivirus:
Customers running the latest FortiClient Antivirus definitions are protected by the following signatures:

File Name: Payment_details.exe 

[SHA256: B673FE86224DBA05FA6B976AAA6561709B8B3FC370DCEF01C798D7F5D3414728]

Detected as: W32/GenKryptik.EKLE!tr

File Name: UNITED NATIONS COVID-19.pdf

[SHA256: AB3C3D51D50B253FF85052C195D146FE6A9192B496D22C13E72C8E561F06DB10] 

Detected as: PDF/Phishing.AUS!tr
 

Web Filtering:
The following network IOCs are currently blocked by FortiGuard Web Filtering:

Phishing:

hxxps://cryptocurrencypandemicclaims[.]uc[.]r[.]appspot[.]com/home/coinbase/index.hxxx#

hxxp://pwwebtraffic[.]com

Identified C2 Servers:
okamoto[.]hopto[.]org

FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine when vendor updates are available. If it is deemed that patching is not feasible, it is recommended that IPS be used for proximity control (a practice also known as virtual patching), and that a risk assessment is conducted to determine additional mitigation safeguards within an environment.

In the meantime, organizations are strongly encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage their employees to never open attachments from someone they don’t know, and to always treat emails from unrecognized/untrusted senders with caution.

Initial Access Mitigation: FortiMail or other secure mail gateway solutions can be used to block specific file types such as the ones outlined in this blog. FortiMail can also be configured to send attachments to our FortiSandbox solution (ATP), either on-premises or in the cloud, to determine if a file displays malicious behavior. FortiGate firewalls with anti-virus enabled, combined with a valid subscription, are able detect and block this threat if properly configured.

Execution: Since it has been reported that these threats are being delivered via social engineering distribution mechanisms, it is crucial that end users within an organization are made aware of the various types of attacks being delivered using this method. This can be accomplished through regular training sessions, combined with impromptu tests using predetermined templates by internal security departments within an organization. Simple user awareness training on how to spot emails with malicious attachments or links could stop initial access into the network.

Fortinet Solutions: If user awareness training fails and a user opens a malicious attachment or link, FortiEDR is able to prevent malware from executing. FortiClient running the latest up-to-date virus signatures will also detect and block these and associated files.

Exfiltration and C&C: A FortiGate located at each of your ingress and egress points with its Web Filtering service enabled, and with up-to-date definitions and/or Botnet Security enabled will detect and block any observable outbound connections if configured correctly.

Web Filtering: All network IOCs in this report have been placed on the block list by the FortiGuard Web Filtering service. FortiWeb web application firewalls (WAF) can also provide extra protection against web-based malware and attacks.

Malicious Word Document Protection: FortiGuard CDR (Content Disarm & Reconstruction), supported by FortiMail and FortiGate, processes all incoming files, deconstructs them, and then strips all active content from those files in real-time to create a flat, sanitized file. CDR fortifies zero-day file protection strategies by proactively removing any possibility of malicious content in your files.

Other Fortinet Safeguards: It is important to note that as attacks continue to become more sophisticated, they can sometimes circumvent your security defenses. This is why it is important to ensure that, in addition to a layered security strategy, you also have the ability to detect anomalous activity that could be malicious.

In addition, our Enterprise Bundle addresses these and similar attacks in a more comprehensive manner. The Enterprise Bundle consolidates all the cybersecurity services you need to protect and defend against all cyberattack channels, from the endpoint to the cloud – including IoT devices, providing you with the integrated defense needed to address today’s advanced threats, such as those outlined here, as well as address today's challenging risk, compliance, management, visibility, and Operational Security (OT) concerns.

Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolioSign up for the weekly Threat Brief from FortiGuard Labs. 

Learn more about Fortinet’s free cybersecurity training initiative or about the Fortinet Network Security Expert programNetwork Security Academy program, and FortiVet program.