Threat Research

Latest Global COVID-19/Coronavirus Spearphishing Campaign Drops Infostealer

By Val Saengphaibul | April 02, 2020

FortiGuard Labs Threat Analysis 

Affected platforms:       Windows Platforms
Impacted parties:          Global Distribution
Impact:                          Infostealer
Severity level:                Medium

FortiGuard Labs recently discovered a new COVID-19/Coronavirus-themed spearphishing email sent from [159.69.16[.]177] that uses the World Health Organization (WHO) trademark in an attempt to convince recipients of its authenticity. The email contains the subject line “Coronavirus disease (COVID-19) Important Communication[.]”. It also includes an attachment entitled “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj” that appears to contain additional information, but which in fact is a decoy.

The body of the email contains multiple points about infection control and other suggestions and recommendations, which is obviously a lure to further compel the recipient to continue reading. And in a twisted fashion, the messaging pretends to address misinformation related to COVID-19/Coronavirus. 

Figure 1. Email Body

Although the document appears to be written by someone who has a good grasp of English, there are some obvious grammatical, punctuation, and spelling issues that lead us to believe that English is likely the second language of the author. Another obvious error is the usage of “Centre” for the “Centre for disease control”, which does not correlate with the CDC in the United States. The CDC uses the American spelling of the word (Centers for Disease Control and Prevention), is not located in Switzerland, and is wholly independent of the WHO.

Figure 2. Email Body

Details

Contained within the email attachment is the “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj” compressed file, which can be opened with 7-Zip. ARJ is a compression format for creating highly efficient compressed archives. The attackers behind this latest attack likely hope that the ARJ format might allay the concerns of an unsuspecting victim about opening an unknown attachment, given that the populace has been trained to not open suspicious file extensions such as .exe. Below are some of the details of this ARJ attachment:

“COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj”
Size:370.68 KB
[SHA256- 9e17f5e70c30ead347b68841fa137015d713269add98f0257fb30cc6afdea4fe]

Figure 3. Compressed ARJ file

When decompressed in 7-zip, we can see that the file now has a “DOC.pdf.exe” extension rather than the “Doc.zip.arj”. Perhaps the attackers are hoping that by this point the victim might either have a lapse of judgment or simply not see the .exe extension at the end, and ultimately click on the executable file. Here are the details of the decompressed PE file:

“COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.pdf.exe”
Size:664.50 KB
[SHA256- f8e041bed93783bbd5966bfba6273fe7183464035ea54fe1d59ff85a679b3e3e]

Figure 4. Decompressed PE file

Once run, the victim is infected with Lokibot, which is an infostealer.  Lokibot steals a variety of credentials, including FTP credentials, stored email passwords, passwords stored in the browser, as well as a whole host of other credentials. Exfiltrated information is passed to the following URL:

hxxp://bslines[.]xyz/copy/five/fre.php

Lokibot is distributed in various forms, and in the past has been distributed in zipped files along with malicious macros in Microsoft Word and Excel. It has also been documented leveraging the exploit CVE-2017-11882(Office Equation Editor) via malicious RTF files. It is also important to note that Lokibot was once sold in the cyber underground. But since its source code was leaked, there now appear to be multiple versions of Lokibot in existence, all of which are modifications of the original code.

As Lokibot has already been covered in detail by us here and here, we will leave out the technical details of this malware as they have already been well documented.

Figure 5. Global Spread

While this campaign was first observed on March 27, and based on our telemetry, its distribution is now worldwide. Our analysis of this particular campaign reveals that the following countries comprise the Top 10 sites targeted by this campaign: Turkey (29%), Portugal (19%), Germany (12%), Austria (10%), and the United States (10%) top the list, with Belgium, Puerto Rico, Italy, Canada, and Spain rounding out the top 10 with less than one percent each.

Solutions

Security Hygiene: To combat this threat, FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis. Organizations are also urged to maintain a proactive patching routine whenever vendor updates are made available. If it is deemed that patching a device is not feasible, it is recommended that a risk assessment is conducted to determine additional mitigation safeguards.

Training: Organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. Employees should also be reminded to never open attachments from someone they don’t know, and to always treat emails from unrecognized/untrusted senders with caution. Further, because of its manner of distribution, it is crucial that end users are educated to spot social engineering attacks through training and impromptu tests delivered by email from the security team.

Initial Access Mitigation: FortiMail or other secure mail gateway solutions can be used to block specific file types, including phishing attacks, and disarm threats before they reach the user. FortiMail can also be configured to send attachments to FortiSandbox, whether on-premises or in the cloud, to determine if a file displays malicious behavior. FortiGate next-generation firewalls with anti-virus enabled and a valid subscription are also able to detect and block this threat.

Fortinet Solutions: If user awareness training fails and a user opens a malicious attachment or link, FortiClient running the latest this-to-date virus signatures will detect and block this file and associated files.FortiEDR is also able to detect and defuse this attack before it can impact the targeted endpoint device.

Mitigation

Antivirus:

The files highlighted in this report are currently being detected with the following antivirus definitions: 

File Name: “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj”
[SHA256: 9e17f5e70c30ead347b68841fa137015d713269add98f0257fb30cc6afdea4fe]
Detected as: W32/Fareit.FRQ!tr

File Name: “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.pdf.exe”
[SHA256: f8e041bed93783bbd5966bfba6273fe7183464035ea54fe1d59ff85a679b3e3e]
Detected as: W32/Fareit.FRQ!tr

Web Filtering:

The following network IOCs are currently blacklisted by FortiGuard Web Filtering:
C2: hxxp://bslines[.]xyz/copy/five/fre.php

Spam Relay:

159[.]69[.]16[.]177

Exfiltration and C&C: A FortiGate located at each of your ingress and egress points with its Web Filtering service and up-to-date definitions and/or Botnet Security enabled will detect and block any observable outbound connections if configured correctly.

Malicious Word Document Protection FortiGuard CDR (Content Disarm & Reconstruction) processes all incoming files, deconstructs them, and strips all active content from those files in real-time to create a flat, sanitized file. CDR fortifies zero-day file protection strategies by proactively removing any possibility of malicious content in your files.  This is supported in FortiMail, FortiGate and other products.

MITRE ATT&CK

Spearphishing Attachment

ID: T1193
Tactic: Initial Access
Platform: Windows, macOS, Linux

Scripting

ID: T1064
Tactic: Defense Evasion, Execution
Platform: Linux, macOS, Windows

Defense Evasion

ID: T1064
Tactic: Defense Evasion, Execution
Platform: Linux, macOS, Windows

Standard Application Layer Protocol

ID: T1071
Tactic: Command And Control
Platform: Linux, macOS, Windows

Standard Cryptographic Protocol

ID: T1032
Tactic: Command And Control
Platform: Linux, macOS, Windows

Indicators of Compromise

Lokibot

File Name: “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj”
[SHA256: 9e17f5e70c30ead347b68841fa137015d713269add98f0257fb30cc6afdea4fe]
Detected as: W32/Fareit.FRQ!tr

File Name: “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.pdf.exe”
[SHA256: f8e041bed93783bbd5966bfba6273fe7183464035ea54fe1d59ff85a679b3e3e]
Detected as: W32/Fareit.FRQ!tr

Network IOCs:hxxp://bslines[.]xyz/copy/five/fre.php

Spam Relay: 159[.]69[.]16[.]177

Empowering CTA

FortiGuard Labs has shared the findings in this report with fellow Cyber Threat Alliance members, including file samples and indicators of compromise. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit cyberthreatalliance.org.

Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolioSign up for the weekly Threat Brief from FortiGuard Labs. 

Learn more about Fortinet’s free cybersecurity training initiative or about the Fortinet Network Security Expert programNetwork Security Academy program, and FortiVet program.