[BreachExchange] Beware malware-laden emails offering COVID-19 information, US Secret Service warns

Destry Winant destry at riskbasedsecurity.com
Thu Apr 9 10:24:23 EDT 2020


As the coronavirus crisis continues to capture everyone’s attention,
cybercriminals stay busy running scams and delivering malware using
the attention-getting virus as a lure. The threats from the scammers
and crooks, which began as early as January and continue unabated,
range from tricking people out of their financial data to delivering
pernicious malware.

Although some scammers use novel techniques to commit their crimes,
many schemes rely on tried-and-true phishing methods that exploit
unpatched software flaws that sometimes have stayed unfixed for years.
On April 1, the US Secret Service (USSS) sent out an information
alert, “Fraudulent COVID-19 Emails with Malicious Attachments,” that
warns about messages masquerading as COVID-19 status emails  from
employers, merchants and other businesses.

The USSS has uncovered attempted attacks that, using these faux
alerts, sought to remotely install malware on the infected system to
“harvest financial credential, install keyloggers, or lockdown the
system with ransomware.” The malicious attachments are usually
Microsoft Office or WordPad file types that exploit a now-patched
vulnerability in Microsoft Office, according to the alert. However,
the Secret Service says that variations exist and attack vectors

Patch Microsoft Office vulnerability CVE-2017-11882

Mark Coleman, assistant to the special agent in charge at the USSS’s
Criminal Investigative Division, tells CSO that the malware spreaders
were seeking to exploit the two-decades-old Microsoft Office memory
corruption vulnerability CVE-2017-11882, for which Microsoft released
a security patch in November 2017. CVE-2017-11882 is a common, and
even “prolific” technique for attackers to spread malware, involved in
over 600 incidents through the first three quarters of 2019, according
to researchers at Cofense.

The Secret Service also said that phishing emails disguised as coming
from a hospital, with the recipient notified they might have come in
contact with a coronavirus-infected person, also carry malware
attached to a downloadable Excel file, which exploits the same Office
flaw. “Similar to the fraudulent corporate COVID-19 emails, these were
Excel .XLSM files that likely were attempting to exploit the same
CVE-2017-11882 Microsoft Office vulnerability,” says Coleman.

The malware can steal login credentials, open shares on the networks,
and view all files and folders as well as discover and take
cryptocurrency information. A variation on this attack is an email
purportedly from the US Department of Health and Human Services (HHS)
targeting medical suppliers asking them to provide protective medical
equipment from an attached list that contains malware.

The HHS scammers sent emails that contained a .EXE file attachment
that carried a .PDF extension prefix in the file name, Coleman says, a
technique used to fool the recipients into believing they were opening
a PDF file containing a list of needed supplies. Coleman says they
think the executable deployed Agent Tesla to the potential victim
user, which logs keystrokes and captures credentials. Agent Tesla is a
time-tested piece of malware that also exploits CVE-2017-11882. It has
been sold to thousands of cybercrooks who pay subscription fees at
varied levels to license the software.

Multiple reports of COVID-19 scams

This combination of exploiting an irresistible topic and old and
unpatched vulnerabilities is powerful. “It is extremely normal for
people that target vulnerabilities to use really old vulnerabilities,”
Roger Grimes, a former security specialist at Microsoft and now a data
driven defense evangelist at KnowBe4, tells CSO. Around 25% of
organizations never get around to applying any given patch after it’s
pushed out, he says.

This creates the perfect conditions for madly successful phishing
campaigns. Around 80% to 90% of all successful exploits happen because
of social engineering, Grimes says, and 20% to 40% of successful
exploits happen because of unpatched software. Together they account
for 90% of all risks within organizations.

“We’ve seen a 670% increase in phishing in March mostly because of
COVID campaigns. It’s amazing how much effort and vigor phishers
have,” Grimes says.

Whether using proven or novel methods, scammers and malware purveyors
show no signs of slowing down as they piggyback on the fears
surrounding coronavirus:

Like the Secret Service, the Better Business Bureau received reports
of individuals posing as HHS employees using SMS messages to spread
word of a supposed online coronavirus test, which in reality led to
data-stealing malware.
Researchers at KnowBe4 reported the same kind of “you’ve come into
contact with a coronavirus-infected person” phishing email that the
Secret Service referenced. This phishing campaign delivers malware
that serves as a trojan downloader and detected by only a handful of
major anti-virus applications.
Researchers at IBM X-Force Threat Intelligence identified emails
claiming to be sent by the US SBA that appear to be a confirmation
email for an application for disaster assistance. Instead, the emails
deliver attachments that, when opened, execute Remcos malware that
installs a remote access Trojan (RAT).
Relatively early on in the coronavirus crisis in Western nations, the
UK’s NCSC warned of the creation of phishing campaigns pegged to the
coronavirus crisis, saying back in mid-March that cybercriminals were
creating phishing landing pages at a rapid clip.

Worldwide crackdown on COVID-19 scammers

Consequently, law enforcement agencies worldwide are vowing to crack
down on the criminals riding in on the wave of this deadly disease. US
Attorney Offices around the nation have announced their active
interest in prosecuting cybercriminals, including the US Attorneys
Offices for the Southern District of California and Western District
of Louisiana.

Earlier this week, the US Attorney’s Office in South Carolina even
formed a “COVID Strike Team” that pulls from a broad group of
law-enforcement resources including US Attorney’s Office, federal law
enforcement officers from an array of agencies, officers with the
South Carolina Law Enforcement Division (SLED), and members of the
South Carolina Attorney General’s Office.

Other countries are pushing to prosecute COVID cybercriminals. This
week Australia announced that its Signals Directorate is mobilizing
its offensive capabilities to bring down any criminals that exploit
the COVID-19 crisis.

USSS’s Coleman says that working with local law enforcement is key to
nipping these scams in the bud. “As a leading federal agency
responsible for investigating complex cyber-enabled fraud schemes and
training state and local partners how to do the same, we believe in
partnerships which act as a force multiplier,” he says. “By so quickly
and frequently disseminating criminal intelligence on real-time
threats to the general public and other stakeholders, we are able to
reduce the effectiveness and success of these emerging COVID-19

In the meantime, a joint alert from the US Department of Homeland
Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA)
and the United Kingdom’s National Cyber Security Centre (NCSC) issued
on April 8 regarding the exploitation of COVID-19 by malicious cyber
actors offers a series of steps organizations can take to mitigate the
risks of these actors causing damage. Regarding the kinds of phishing
schemes flagged by the Secret Service, the guidance recommends that

Make it difficult for attackers to reach your users.
Help users identify and report suspected phishing emails (see CISA
Tips, Using Caution with Email Attachments and Avoiding Social
Engineering and Phishing Scams).
Protect your organization from the effects of undetected phishing emails.
Respond quickly to incidents.

More information about the BreachExchange mailing list