EclecticIQ
March 24, 2020

EclecticIQ Pandemic Intelligence Update - Week 13

As Europe’s leading cyber threat intelligence company, we at EclecticIQ have decided to make use of our resources and provide the community with custom reports on threats connected to the COVID-19 pandemic throughout the duration of the crisis.

This is the first report in a weekly series of updates to inform readers of important developments in COVID-19-themed attacks. EclecticIQ believes these attacks are particularly effective due to current events. The information presented in this report will help organizations focus their security resources better during a time when those resources may be limited and impact may be high.

Executive Summary

EclecticIQ Fusion Center analysts have observed escalatory and increasingly commercialized COVID-19 themed attacks in the last week.  

Initial attacks featuring COVID-19 themes began en masse, using simple phishing Tactics, Techniques, and Procedures (TTPs) common to average cyber criminals. The new pattern indicates COVID-19 related threats are rapidly evolving new attack patterns. This increasing activity indicates past attacks have been successful. Further attacks will continue along a similar aggressive trend.

Key Findings 

  • Independent researcher Marco Ramilli published a report detailing the most advanced activity-to-date. A well-designed exploitation chain leads to public PlugX variants aimed at info-stealing. There is no pattern to victimology outside of Windows machines being targeted. 
  • A less sophisticated threat actor targeted a US hospital with a Distributed Denial of Service (DDoS) attack, doubling it up with an attempted disinformation effort and indicating the primary intent of the actor was general disruption.  
  • Malware aimed at COVID-19 themes shows evidence of mass commercialization based on sample volume observed. Attack cadence is likely to continue at a high rate. 
  • Fake and misleading information has become well-established on Social Media, which can further increase the efficacy of future attacks.

Analysis

In general, analysts observe threat actors developing TTPs with increasing ingenuity and deploying them in attacks that specifically exploit COVID-19 panic. Threat actors are using general commodity malware, which is less sophisticated, but the new stage of attacks is characterized by more advanced TTPs: multi-stage infections, well-obfuscated payloads, and designs to misdirect analysis. Fake information is also now building to significant levels that will enable further attacks and increase their efficacy from the deliberate confusion. Studies show that increased anxiety is directly linked to poor decision-making.  

Analysts observed reports of APT activity

https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/ 

The attack features a spearphishing email that leads to an infection with PlugX malware for information-stealing operations that are yet to be identified. The reported attack uses more complex TTPs in the Kill Chain, and the payload is well obfuscated during much of the exploitation phase. This attack is likely to be much more effective against security defenses than other COVID-19-themed attacks analysts have seen to date.

Notable attack elements: 

  • The attack targets Windows machines. There does not appear to be further pattern in victimology. 
  • The attack uses spear phishing to deliver a *.lnk file disguised as a *.pdf attachment. This is likely to fool more recipients and assist in bypassing email filters. 
  • The operation is well-designed with a specific multi-stage infection that demonstrates the attackers have deeper knowledge of Windows. 
  • The initial payload is comprised of well-obfuscated code and uses multiple techniques to bypass security detections. 
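
The .lnk-disguised-as-.pdf delivery described above can be checked at the mail gateway by comparing an attachment's claimed name with its leading bytes. The following Python is an added example, not code from this report or from the cited research; it assumes the disguise is either a double extension or a .pdf name over Shell Link content, and the function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Shell Link (.lnk) files start with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK header layout).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
PDF_MAGIC = b"%PDF-"

def classify(filename, data):
    """Return findings for one attachment (hypothetical helper)."""
    findings = []
    name = filename.lower().strip()
    parts = name.split(".")
    if data.startswith(LNK_MAGIC):
        findings.append("content-is-shell-link")
    if name.endswith(".lnk") and len(parts) > 2:
        # e.g. "guidance.pdf.lnk": Explorer hides the .lnk extension
        findings.append("double-extension:" + ".".join(parts[-2:]))
    if name.endswith(".pdf") and not data.startswith(PDF_MAGIC):
        findings.append("pdf-name-without-pdf-header")
    return findings

def scan_message(raw_bytes):
    """Map attachment name -> findings for every suspicious attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        hits = classify(name, data)
        if hits:
            report[name] = hits
    return report

def build_sample():
    """Constructed test message: one disguised shortcut, one genuine PDF."""
    msg = EmailMessage()
    msg["Subject"] = "COVID-19 update (constructed sample)"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("See attached.")
    msg.add_attachment(LNK_MAGIC + b"\x00" * 56, maintype="application",
                       subtype="octet-stream", filename="guidance.pdf.lnk")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="real.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, hits in scan_message(build_sample()).items():
        print(name, hits)
```

Matching on the header bytes rather than the name alone also catches a shortcut that has been renamed to end in .pdf.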

The article suggests that the activity is attributed to APT27, arguing that “PlugX is a well known RAT attributed to China’s APT” and that the “hijacking method are a mandatory knowledge for a job like pentesting [in China].”

EclecticIQ analysts do not share this assessment. PlugX is a publicly available remote access trojan that has been used by other intrusion sets in the past (https://logrhythm.com/blog/deep-dive-into-plugx-malware/; https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html). Attributing its use to a single intrusion set is not reliable. Furthermore, knowledge about hijacking and whether it is mandatory for a pen-testing job in China is not substantial evidence for an attribution to a Chinese APT.

It is plausible that the campaign was executed by cybercriminals. Analysts observed similar general remote access staging activities taking place with many of the early Coronavirus phishing attacks (Corona report citation). Much of that activity was directed with Emotet.

The U.S. Health and Human Services Department was hit by a DDoS attack 

This week analysts observed cybercriminals target a hospital: 

The hospital recognized an attempted DDoS attack against its network. Concurrently, the same threat actors issued a fake message via text, email, and social media inflaming COVID-19 panic regarding lockdowns. The attack was likely operated by a younger common threat actor looking to create disorder. The clear intent to cause chaos, together with the weak DDoS attempt that pursued no objectives of real value, points to a person with low maturity.

Notable attack elements: 

  • The organization was able to detect the attack very early due to their proactive security posture. “On Sunday, we became aware of a significant increase in activity on HHS cyber infrastructure and are fully operational as we actively investigate the matter,” said spokeswoman Caitlin Oakley. 
  • No data was lost and the network was not breached. “We had no penetration into our networks, we had no degradation of the functioning of our networks,” Health and Human Services Secretary Alex Azar said on Monday. 
  • The two-pronged approach of attempting to disable health systems and creating confusion that would have further inundated these same systems created the potential for this attack to be much more severe if the Department wasn’t able to catch the attack early. It was also well-timed against the tweets from the President urging Americans to restrict activities on the same day. 

Analysts observed further misinformation efforts 
https://au.news.yahoo.com/fake-lockdown-message-australia-coronavirus-outbreak-221030101.html 

Just prior to a major update announcement in Australia, threat actors sent a fake message purporting a major lockdown was going into effect. It's unclear how the message initially gained traction, but it does not appear to have originated from a hijacked account or a spoofed account. It was likely amplified using a botnet to quickly distribute the message to a large group of initial victims. The fake message caused confusion for Australians and regional neighbours throughout the week. 

Generic types of attacks are developing more effective attack patterns

https://blog.qualys.com/indication-of-compromise/2020/03/18/cyber-criminals-using-coronavirus-fears-to-spread-information-stealing-malware 

During our initial investigation of COVID-19 themed phishing lures circulating in the wild, many operations focused social engineering efforts by spoofing official COVID-19 update resources. People naturally seek updated information during times of uncertainty. The “updates” were presented as simple documents.  

An attack observed this week used a persuasive, well-crafted global infection map. Antivirus detections on payloads dropped from the map site include the AZORult info-stealer, another MaaS (Malware-as-a-Service) family.

The use of commodity malware like AZORult makes this attack less effective and suggests threat actors of less maturity. Antivirus products are able to detect commodity malware more easily because there have been more samples to fingerprint against. The use of the map graphic represents a more complex TTP used in these attacks. This type of weaponization ingenuity is the result of more threat actors participating in COVID-19-themed attacks. 

 

Evidence of mass commercialization of malware designed for COVID-19-themed attacks 

This activity is accelerating rapidly as domains and malware exploiting COVID-19 are increasing (https://blog.checkpoint.com/2020/03/19/covid-19-impact-as-retailers-close-their-doors-hackers-open-for-business/). An updated feed of newer, likely-malicious COVID-19 domains can be found here for investigation purposes in your threat intelligence platform.

The trend of COVID-19 malware spreading is further supported by the following reports: 

  • https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal
  • https://nakedsecurity.sophos.com/2020/03/18/android-malware-uses-coronavirus-for-sextortion-ransomware-combo/
    Threat actors used a malicious Android app that redirected users to a malicious install landing page. When the installation completes, the malware gains admin privileges and locks the user out of their phone with a threatening message.
    The malware can be disabled by entering the lock code “4865083501”, then going to the settings page, removing the malware’s device admin rights, and uninstalling it. A similar process may work with booting into Safe Mode.
  • https://securityaffairs.co/wordpress/99963/malware/coronavirus-news-emotet-trickbot.html
    Analysts also observed COVID-19 news used by Emotet and Trickbot to evade detection. Trickbot and Emotet have become cornerstones of the MaaS marketplace. This activity was expected, since COVID-19 provides a great opportunity. The TTPs fall in line with those used by previous variants: spearphishing (targeted, tailored phishing campaigns) for initial access with a well-obfuscated payload that is launched from a multi-stage exploitation and installation phase.

EclecticIQ analysts observed Emotet variants using similar TTPs to bypass spam filters, except they were stuffing material from impeachment-related articles into the metadata fields. This indicates that the crypters (software used to encrypt and obfuscate malware) used in these TTPs are effective at increasing delivery rates. In both cases, the crypters used information from high-interest, recently published media articles.

Observing different payloads coupled with common attack pattern TTPs is an indication of participation from lower-skilled threat actors seeking to capitalize on the low-hanging fruit that COVID-19 presents. Attack rates currently appear to be increasing, and as the situation escalates, so will the TTPs.

Social media disinformation is now well-established and will increase attack efficacy 
https://www.bellingcat.com/news/rest-of-world/2020/03/19/how-coronavirus-scammers-hide-on-facebook-and-youtube/

A limited subset of the activity appears to be highly politically motivated, which may indicate limited APT involvement, but the majority of the activity is aimed at common patterns of disinformation, which analysts are accustomed to seeing at this point. The disinformation does not appear to be directed at a specific future attack and is likely the result of many threat actors participating, but not necessarily cooperating. 

It is important to continue to clarify and specify official information channels so that employees are less susceptible to bad information.