NTT Ltd. released its GTIC Monthly Threat Report for the month of July 2020 which states that there has been a multitude of phishing campaigns, leveraging a slew of newly registered (likely illegitimate) domains to host malware or information stealers using the subject of COVID-19 as a lure.
The Global Threat Intelligence Center (GTIC) protects, informs, and educates NTT Group clients through threat research, vulnerability research, intelligence fusion and analytics.
Although similar tactics were reported last month, NTT Group states that the tactics and strategies of threat actors appear to be becoming more sophisticated and more focused on aspects such as industry, geography (including country-specific phishing lures as the virus becomes more prevalent in a given country), and the shopping and delivery habits of the potential victim.
Attacks from Advanced Persistent Threat (APT) actors continued to be on the rise, despite COVID-19; in fact, the virus has added fuel to the fire and has provided a cover for their operations.
One new spam campaign using the Covid-19 theme has been discovered targeting Italians with Trickbot information-stealing malware. These emails have a subject of ‘Coronavirus: Informazioni importanti su precauzioni’ and contain a malicious Microsoft Word document.
Research suggests that, when opened, the malicious Word document prompts the victim to click on the ‘Enable Content’ button to properly view the message.
Once a recipient clicks on ‘Enable Content’, malicious macros execute and extract various files to install and launch the Trickbot malware. If successfully installed, Trickbot gleans information from the compromised system and attempts to move laterally through the connected network to gather more information. Any information acquired is then sent back to the attackers.
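The lure above works only because the document carries a VBA project that runs once ‘Enable Content’ is clicked. A mail gateway or triage script can spot that before a user ever sees the prompt. The following is an added example, not code from the NTT report: it inspects an Office file as bytes, identifies the container (Office Open XML zip or legacy OLE2 binary), and for OOXML looks for the vbaProject.bin part and the macro-enabled content type. The sample documents it builds are constructed in memory and are not real Word files.

```python
import io
import zipfile

# Magic bytes of an OLE2 compound file (legacy .doc/.xls binaries) and of a zip entry.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def macro_indicators(data: bytes) -> dict:
    """Report what the raw bytes reveal about embedded VBA macros.

    Office Open XML files (docx/docm/xlsm/...) are zip archives; a VBA project is
    stored as a part named vbaProject.bin and the package content types declare a
    "macroEnabled" main part. Legacy OLE2 binaries are only identified by container
    here, since walking the OLE directory is out of scope for this example.
    """
    result = {
        "container": "unknown",
        "has_vba_project": False,
        "vba_parts": [],
        "content_type_macro_enabled": False,
    }
    if data.startswith(OLE_MAGIC):
        result["container"] = "ole2"
        return result
    if not data.startswith(ZIP_MAGIC):
        return result
    result["container"] = "ooxml"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        result["container"] = "corrupt-zip"
        return result
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    result["vba_parts"] = vba_parts
    result["has_vba_project"] = bool(vba_parts)
    result["content_type_macro_enabled"] = "macroEnabled" in content_types
    return result


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip in memory (sample data, not a real document)."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA blob
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, macro_indicators(build_sample(flag)))
```

A gateway policy built on this would quarantine any attachment where has_vba_project is true, and treat a vbaProject.bin inside a file whose content types do not declare a macro-enabled part as doubly suspicious.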
Organisations and industries that are considered essential were increasingly targeted: power grids, oil and gas, postal and delivery services, first responders and law enforcement – assets which are even more valuable during a global crisis.
Key findings:
APTs, particularly those suspected to be backed by nation-states, are focusing on intelligence-gathering efforts on COVID-19 research
APT groups with links to Iran have attempted to breach the World Health Organization (WHO) via phishing campaigns, likely seeking information on testing, treatments, or vaccines
Extortion, espionage, financial gain, and disinformation were the key objectives behind APTs conducting various operations, especially now, during a global crisis
Companies researching the disease should expect to be targeted, whether for purposes of medical advantage to better treat or prevent COVID-19, for monetary gain or purely to inhibit the target from making progress
In addition, APT32 attackers linked to the government of Vietnam have been targeting China, reportedly over its perceived lack of accurate information dissemination during, and its overall handling of, the initial outbreak
Normal APT operations have also continued during this same timeframe, and operations related to – or leveraging – Covid-19 have served as a smokescreen as countries continue to focus their efforts on responding to the pandemic, from both healthcare and cybersecurity perspectives
Considerations:
As businesses continue to digitally transform and rapidly expand their footprint, they have been looking for a network that balances cost, user experience, agility and efficiency. The answer, and the solution, is a software-defined wide area network (SD-WAN): a virtualized network overlay and a lightweight replacement for traditional physical WAN infrastructure.
While WAN technologies have some native security features, unless they are reviewed holistically they are likely not enough to ensure your SD-WAN is inherently secure. It is a fundamental requirement to perform a risk analysis and assessment that considers your organization’s risk profile at the outset of designing your SD-WAN and selecting appropriate security controls.
As the threat landscape evolves, even organizations that may not be considered an essential service cannot let their guard down. Enterprises must continue to adopt best practices and build awareness of both their network environment and the wider global situation.
Leveraging intelligence capabilities and resources from around the world, NTT Ltd.’s threat research is focused on gaining understanding and providing insights into the various threat actors, exploit tools and malware.
New malware campaigns
Threat actors are also employing ransomware under the guise of security software. One new ransomware, called CoronaVirus, is being distributed via a site claiming to encourage the use of system optimization software from WiseCleaner. The active downloads on this site are distributing a file called WSHSetup.exe, acting as a downloader not only for the CoronaVirus ransomware, but for a password-stealing Trojan called Kpot as well.
If Kpot is successfully executed, it attempts to steal login credentials and cookies from internet browsers, VPNs, email accounts, messaging programs, cryptocurrency wallets and other services.
Another tactic recently observed is leveraging Oski information-stealing malware to hijack a router’s DNS settings. In this attack, internet browsers display alerts for a fake COVID-19 information app from the World Health Organization (WHO). Some users have reported browser windows opening on their own, subsequently displaying a message prompting them to download the ‘COVID-19 Inform App,’ allegedly from the WHO.
Additional research showed that these alerts were being caused by attackers changing the DNS settings on home D-Link or Linksys routers to use DNS servers operated by the attackers. It is unknown at this time how attackers are gaining initial access to these routers in order to change the DNS configuration, but it is thought that the router was likely enabled for remote access with a weak or default admin password.
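Because the hijack lives in the router, every client on the LAN silently inherits the attacker-run resolvers through DHCP. A cheap host-side check is to compare the resolvers a machine has actually been handed against the ones the organisation expects. The following is an added example, not code from the NTT report: it parses resolv.conf-style text, classifies each nameserver as expected, unexpected-but-on-LAN, or unexpected-and-public, and returns the ones worth alerting on. The expected-resolver list and the sample resolv.conf are constructed; 203.0.113.45 is a TEST-NET-3 documentation address standing in for an attacker-operated resolver.

```python
import ipaddress
from typing import List, Set, Tuple

# Resolvers this (constructed) household or office expects to see: the router
# forwarding on the LAN plus two well-known public resolver pairs.
EXPECTED_RESOLVERS: Set[str] = {
    "192.168.1.1",
    "1.1.1.1", "1.0.0.1",
    "8.8.8.8", "8.8.4.4",
}

# Address space where a legitimate on-site resolver could live. Listed explicitly
# rather than via ipaddress.is_private, which also treats documentation ranges
# such as 203.0.113.0/24 as private and would mask the sample below.
LAN_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")
]


def parse_resolv_conf(text: str) -> List[str]:
    """Extract nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(addr: str, expected: Set[str] = EXPECTED_RESOLVERS) -> str:
    """Label a resolver: expected, local-unexpected, public-unexpected or invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in expected:
        return "expected"
    # ip_network.__contains__ returns False across IP versions, so mixing v4/v6 is safe.
    if any(ip in net for net in LAN_NETWORKS):
        return "local-unexpected"
    return "public-unexpected"


def find_unexpected_resolvers(text: str,
                              expected: Set[str] = EXPECTED_RESOLVERS) -> List[Tuple[str, str]]:
    """Return (address, label) for every configured resolver that is not expected."""
    flagged = []
    for server in parse_resolv_conf(text):
        label = classify_resolver(server, expected)
        if label != "expected":
            flagged.append((server, label))
    return flagged


# Constructed sample of what a client on a hijacked LAN might receive via DHCP.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP (constructed sample)
nameserver 192.168.1.1
nameserver 203.0.113.45   # stands in for an attacker-run resolver
search home.lan
"""

if __name__ == "__main__":
    for addr, label in find_unexpected_resolvers(SAMPLE_RESOLV_CONF):
        print(f"ALERT resolver {addr}: {label}")
```

A public-unexpected hit on a home or branch network is the signal to check the router's WAN/DHCP DNS fields, disable remote administration and replace the default admin password, which is the access path the report considers most likely.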
Another campaign is using an open redirect (a web address which automatically redirects users from a source website to a target site) on the HHS.gov website. This redirect is being leveraged by attackers to push malware onto targeted systems, again using coronavirus-themed phishing emails.
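An open redirect is valuable to a phisher precisely because the link in the email starts with a trusted domain. The fix on the site side is to stop treating the redirect parameter as a free-form URL. The following is an added example, not code from the NTT report or from HHS.gov: it places the weak pattern (return whatever the parameter says) beside a hardened version that accepts only same-site paths or absolute URLs whose host is on an allowlist, and that rejects the usual bypasses (scheme-relative "//host", backslash variants, embedded userinfo and non-http schemes). The allowlist hosts and the attacker host are constructed; ".invalid" is a reserved TLD.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist of hosts this site is willing to redirect to.
ALLOWED_HOSTS = {"www.example.org", "example.org"}


def vulnerable_redirect_target(next_url: str) -> str:
    """The open-redirect pattern: the attacker-controlled parameter is the destination."""
    return next_url


def safe_redirect_target(next_url: str, allowed_hosts=ALLOWED_HOSTS, fallback: str = "/") -> str:
    """Return a redirect destination that is either a local path or an allowlisted host.

    Anything that cannot be positively validated collapses to `fallback`.
    """
    # Browsers treat backslashes as slashes in URLs; normalise before parsing so
    # "/\\attacker.invalid" cannot masquerade as a local path.
    candidate = next_url.replace("\\", "/")
    # Control characters and whitespace are never legitimate in a redirect target.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return fallback

    parts = urlsplit(candidate)

    # Same-site relative path: no scheme, no authority, a single leading slash.
    if not parts.scheme and not parts.netloc:
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback

    # Absolute URL: only http(s), no userinfo, host must be allowlisted.
    if parts.scheme not in ("http", "https"):
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback
    host = parts.hostname  # lowercased, port and userinfo stripped
    if host is None or host not in allowed_hosts:
        return fallback
    # Rebuild from validated pieces rather than echoing the raw input.
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    samples = [
        "/account/settings",
        "//attacker.invalid/login",
        "/\\attacker.invalid/login",
        "https://www.example.org.attacker.invalid/",
        "https://www.example.org@attacker.invalid/",
        "https://www.example.org/path?x=1",
    ]
    for s in samples:
        print(f"{s!r:50} -> {safe_redirect_target(s)!r}")
```

Rebuilding the URL from the parsed host and path, instead of returning the validated string, is what prevents later parser disagreements (for example between this validator and the browser) from turning a passed check into a live redirect.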