Despite reports saying attackers would hold off on cyber threats during the COVID-19 pandemic, the opposite seems to be true, a new report said.

Phishing appears to be the most common type of COVID-19-themed attack, said researchers at Palo Alto Networks’ Unit 42.

While the COVID-19-themed phishing campaigns observed by Unit 42 are numerous, the researchers provided a more thorough picture and a technical analysis of a cross-section of the COVID-19-themed threats organizations may face during the ongoing pandemic.

The attacks included a ransomware variant (EDA2) observed in assaults on a Canadian government healthcare organization and a Canadian medical research university, as well as an infostealer variant (AgentTesla) observed in attacks against various other targets (e.g., a United States defense research entity, a Turkish government agency managing public works, a German industrial manufacturing firm, a Korean chemical manufacturer, a research institute located in Japan and medical research facilities in Canada), Unit 42 researchers said.

The good news is none of the malware samples mentioned were successful in reaching their intended targets.

Between March 24 at 18:25 UTC and March 26 at 11:54 UTC, Unit 42 observed several malicious emails sent from the spoofed address noreply@who[.]int (the actual sender IP address at the time of the attack was 176.223.133[.]91) to several individuals associated with a Canadian government health organization actively engaged in COVID-19 response efforts, and to a Canadian university conducting COVID-19 research.
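The sender pattern described above (a who[.]int From address arriving from an unrelated IP) can be checked at mail triage; the following is an added example, not code from Unit 42 or the original article. It assumes your own gateway stamps `Authentication-Results` and `Received` headers under the hypothetical name `mx.example.org`, and the two sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators as printed in the article (defanged); refanged only for matching.
SPOOFED_DOMAIN = "who[.]int".replace("[.]", ".")
REPORTED_IP = "176.223.133[.]91".replace("[.]", ".")
AUTHSERV_ID = "mx.example.org"  # assumption: hypothetical name of your own gateway

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def triage(raw, authserv_id=AUTHSERV_ID):
    """Return the reasons a message matches the campaign's sender pattern."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Trust only verdicts and hops stamped by our own gateway; anything else
    # in the header block may have been written by the sender.
    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        if value.split(";")[0].split()[:1] == [authserv_id]:
            auth.update((k.lower(), v.lower()) for k, v in AUTH_RE.findall(value))
    ips = [ip for h in msg.get_all("Received", [])
           if f"by {authserv_id}" in h for ip in IP_RE.findall(h)]
    reasons = []
    if from_domain == SPOOFED_DOMAIN and auth.get("dmarc") != "pass":
        reasons.append("from-domain-without-dmarc-pass")
    if REPORTED_IP in ips:
        reasons.append("reported-sender-ip")
    return reasons

# Constructed sample messages (not real traffic).
SPOOFED = (
    f"Authentication-Results: {AUTHSERV_ID}; spf=softfail; dmarc=fail\n"
    f"Received: from unknown (unknown [{REPORTED_IP}]) by {AUTHSERV_ID};"
    " Tue, 24 Mar 2020 18:25:00 +0000\n"
    "Authentication-Results: forged.example; dmarc=pass\n"  # sender-injected
    f"From: WHO <noreply@{SPOOFED_DOMAIN}>\n\nconstructed body\n")
LEGIT = (
    f"Authentication-Results: {AUTHSERV_ID}; spf=pass; dmarc=pass\n"
    f"Received: from relay (relay [192.0.2.10]) by {AUTHSERV_ID};"
    " Tue, 24 Mar 2020 18:25:00 +0000\n"
    f"From: WHO <noreply@{SPOOFED_DOMAIN}>\n\nconstructed body\n")

if __name__ == "__main__":
    print(triage(SPOOFED), triage(LEGIT))
```

The injected `forged.example` verdict in the first sample is ignored because it does not carry the gateway's own identifier, so the message is still flagged.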

The emails all contained a malicious Rich Text Format (RTF) phishing lure, which, when opened with a vulnerable application, attempted to deliver a ransomware payload using a known shared Microsoft component vulnerability, CVE-2012-0158, said Unit 42 researchers Adrian McCabe, Vicky Ray and Juan Cortes in a blog post.

Even though the file name clearly references a specific date (March 23, 2020), it was not updated over the course of the campaign to reflect current dates, the researchers said. It is also interesting that the malware authors did not attempt to make their lures appear legitimate in any way.

It is clear cybercrime campaigns are going after multiple critical industries dealing with the urgent response efforts of the COVID-19 pandemic, the researchers said. These cases show the threat actors who profit from cybercrime will go to any lengths, including targeting organizations that are on the front lines and responding to the pandemic on a daily basis.

While the blog post focused specifically on two campaigns, ransomware and AgentTesla, Unit 42 is tracking multiple campaigns with COVID-19 themes used by attackers on a daily basis, and this trend is likely to continue for weeks to come.
