Threat Research

Scammers Using COVID-19/Coronavirus Lure to Target Medical Suppliers

By Val Saengphaibul | May 01, 2020

FortiGuard Labs Threat Analysis 

Affected Platforms:    Microsoft Windows
Impacted Users:        Medical Device Suppliers
Threat Severity:          Medium

FortiGuard Labs has discovered a new malicious spearphishing campaign, once again using the COVID-19/Coronavirus pandemic as a lure. This latest email campaign targets a medical device supplier, wherein the attacker is inquiring about various materials needed to address the COVID-19 pandemic due to high demand for supplies, and includes a compelling statement that they have already tried to reach the recipient via telephone in order to create a stronger sense of urgency:

Figure 1. Spearphishing email

The email contains multiple misspellings, such as the subject “Inquiry on Medical Sipplies – [company name REDACTED.inc]” that contains an attachment which is purports to contain details of the inquiry, which is misspelled as well:

Meducal Inquiry – L.A.B. Equipment.doc 

[SHA256 - 4dd71997e35a38826d34c780f98f7707da4aeb83622f86b4b644a3651fe4ad35] 

The attachment is a maliciously crafted Word document, utilizing the infamous CVE-2017-11882 (Office Equation Editor) vulnerability. Once opened, the file will download a file called pov.exe from a predefined URL:

hxxp://pussyclub88.com/vendor/composer/files/pov.exe

which downloads the following file:

Pov.exe [SHA256 - 9f087cc15d7f6f69f46563b5e58ca6141d4687beeec5230f6cb11dc3ae52f1cc]

This file is the Agent Tesla infostealer. Once executed, Agent Tesla will exfiltrate information to a predefined C2, located at miketony-tw[.]com.

Digging Deeper – Are Simon Paul/Peter Jones/Emeka Jude/James Stacey/ElCanto Jones related, and are they from Abuja, Nigeria?

Investigating further, we see that the domain owner for miketony-tw is registered to an email address of: elcantojones[@]gmail.com, with the registrant name being Simon Paul of Goa, India:

Figure 2: Whois information for c2 server

Using Domain Tools, we noticed that elcantojones[@]gmail.com has over 194 domains associated to this email address. This account specializes in various typosquats, as the initial command and control for the Agent Tesla sample reaches out to the malicious domain miketony-tw.com. This is a spoof of the legitimate domain mikeandtony.com.tw, which specializes in the distribution of industrial sewing machines and parts.

As we dug deeper into the domains belonging to Simon Paul “elcantojones[@]gmail.com”, three domains stuck out to us. Two were typosquat sites, citi-corp.com and ddservice.biz. When we dug deeper into citi-corp.com historical WHOIS information, we saw something interesting.  

Figure 3. Historical WHOIS Information for citi-corp.com

Back in in 2018, the domain was pending delete, meaning it was to be deleted from WHOIS records. The listed name of the person associated with the domain was “Emeka Jude”, who is from Abuja, Nigeria and uses the email address of james.staceyllb[@]yahoo.com. Performing an internet search on this email address reveals that it had been part of the notorious 419 scam.

Figure 4. Example of james.staceyllb@yahoo.com observed in a 419 scam (courtesy aa419.org)

Although the domain was dropped and renewed by Simon Paul later on, could it be that this domain had been forgotten and then reregistered under a newer, harder to track alias?

Another domain that was registered to elcantojones[@]gmail.com was ddservice.biz, but under the alias of “Peter Jones” in the state of Idaho, in the United States.

Figure 5. Historical WHOIS Information for ddservice.biz

Performing an internet search for ddservice.biz takes us to the Artists Against 419 page, and reveals that it, too, was part of a 419scam:

Figure 6. Example of ddservice.biz observed in a 419 scam (courtesy aa419.org)

Conclusion

Since security professionals have been conditioned to spot 419 scams, the individuals behind them have realized that they must evolve in order to expand their reach. Because of the availability and ease of use of commodity malware, we have observed these attackers becoming a little more sophisticated by their use of Agent Tesla, as well as the use of other known commodity tools to make their plans a little less obvious. However, due to slips and poor OPSEC practices, it is easier for security researchers to make attribution to possible threat actors in spite of the lack of detail by the actors themselves. 

Solutions

Security Hygiene: To combat this threat, FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis. Organizations are also urged to maintain a proactive patching routine whenever vendor updates are made available. If it is deemed that patching a device is not feasible, it is recommended that a risk assessment is conducted to determine additional mitigation safeguards.

Training: Organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. Employees should also be reminded to never open attachments from someone they don’t know, and to always treat emails from unrecognized/untrusted senders with caution. Further, because of its manner of distribution, it is crucial that end users are educated to spot social engineering attacks by training, and through the delivery of impromptu tests via email sent surreptitiously from the security team.

Initial Access Mitigation: FortiMail or other secure mail gateway solutions can be used to block specific file types, including phishing attacks, and disarm threats before they reach the user. FortiMail can also be configured to send attachments to FortiSandbox, whether on-premises or in the cloud, to determine if a file displays malicious behavior. FortiGate next-generation firewalls with anti-virus enabled and a valid subscription are also able to detect and block this threat.

Fortinet Solutions: If user awareness training fails, and a user opens a malicious attachment or link, FortiClient running the latest up-to-date virus signatures will detect and block this file and associated files. FortiEDR is also able to detect and defuse this attack before it can impact the targeted endpoint device.

Mitigation

Antivirus:
Customers running the latest FortiClient Antivirus definitions are protected by the following signatures:

File Name: Meducal Inquiry – L.A.B. Equipment.doc 
[SHA256 - 4dd71997e35a38826d34c780f98f7707da4aeb83622f86b4b644a3651fe4ad35]  
Detected as: MSOffice/CVE_2017_11882.B!exploit

File Name: pov.exe 
[SHA256 - 9f087cc15d7f6f69f46563b5e58ca6141d4687beeec5230f6cb11dc3ae52f1cc]
Detected as: MSIL/Agent.AES!tr.spy

Web Filtering:
The following network IOCs are currently listed as malicious by FortiGuard Web Filtering

C2:
miketony[-]tw[.]com

Malware Download: 
hxxp://pussyclub88[.]com/vendor/composer/files/pov.exe

Email security: FortiMail Secure Email Gateway protects the email threat vector against Spam, Phishing, Business Email Compromise and malware with multiple layers of security, preventing threats from reaching the inbox.  FortiMail is able to detect and block this threat.

Malicious Word Document Protection FortiGuard CDR (Content Disarm & Reconstruction) processes all incoming files, deconstructs them, and strips all active content from those files in real-time to create a flat, sanitized file. CDR fortifies zero-day file protection strategies by proactively removing potentially malicious content from your files. This is supported in FortiMail, FortiGate, and other products.

Exfiltration and C&C: A FortiGate located at each of your ingress and egress points with its Web Filtering service, up-to-date definitions, and/or Botnet Security enabled will detect and block any observable outbound connections if configured correctly.

MITRE ATT&CK

Spearphishing Attachment
ID: T1193
Tactic: Initial Access
Platform: Windows, macOS, Linux

Account Discovery
ID: T1087
Tactic: Discovery
Platform: Linux, macOS, Windows, Office 365, Azure AD

Clipboard Data
ID: T1115
Tactic: Collection
Platform: Linux, Windows, macOS

Data Encrypted
ID: T1022
Tactic: Exfiltration
Platform: Linux, macOS, Windows

Exfiltration Over Alternative Protocol
ID: T1048
Tactic: Exfiltration
Platform: Linux, macOS, Windows

Exploitation for Client Execution
ID: T1048
Tactic: Exfiltration
Platform: Linux, macOS, Windows

Input Capture
ID: T1056
Tactic: Collection, Credential Access
Platform: Linux, macOS, Windows

Obfuscated Files or Information
ID: T1027
Tactic: Defense Evasion
Platform: Linux, macOS, Windows

Process Discovery
ID: T1057
Tactic: Discovery
Platform: Linux, macOS, Windows

Remote File Copy
ID: T1105
Tactic: Command And Control, Lateral Movement
Platform: Linux, macOS, Windows

Screen Capture
ID: T1113
Tactic: Collection
Platform: Linux, macOS, Windows

Standard Application Layer Protocol
ID: T1071
Tactic: Command And Control
Platform: Linux, macOS, Windows

System Information Discovery
ID: T1082
Tactic: Discovery
Platform: Linux, macOS, Windows, AWS, GCP, Azure

System Time Discovery
ID: T1124
Tactic: Discovery
Platform: Windows

Uncommonly Used Port
ID: T1065
Tactic: Command And Control
Platform: Linux, macOS, Windows

System Time Discovery
ID: T1124
Tactic: Discovery
Platform: Windows

Video Capture
ID: T1125
Tactic: Collection
Platform: Windows, macOS

Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolioSign up for the weekly Threat Brief from FortiGuard Labs. 

Learn more about Fortinet’s free cybersecurity training initiative or about the Fortinet Network Security Expert programNetwork Security Academy program, and FortiVet program.