Investigating Phishing Attacks Exploiting Coronavirus Themes
The outbreak of Coronavirus (COVID-19) has become a global issue attracting many opportunistic threat actors. Monitoring these attacks allows threat intelligence analysts to track adversarial capabilities; observe changes in tactics, techniques, and procedures (TTPs); and hypothesise how they may feed into future threats. Analysts mapped the landscape of Coronavirus phishing threats in order to evaluate what threat actors were participating in the operations and to determine if further activity is likely to cascade from the initial, delivery-phase activity.
On December 31, 2019, China alerted the World Health Organization (WHO) to several cases of pneumonia in Wuhan. EclecticIQ analysts observed reports of phishing attacks using coronavirus themes in late January 2020. To analyse how threat actors were folding the news into new attacks, EclecticIQ analysts began collecting samples and infrastructure for initial discovery.
EclecticIQ conducted a thorough investigation into a Coronavirus-themed email attack case study from early in the period of intense media coverage. IBM released one of the first threat intelligence reports detailing one pattern of attack using Coronavirus information.
From the report above, the sample below served as the primary entry point for further investigation of Coronavirus-themed attacks by EclecticIQ. The investigation began with analysis of Sample 1.
| Field | Value |
|---|---|
| Format | Office Open XML Document |
| First Seen | 2020-01-29 07:51:44 |
Sample 1 contacts the domains and URLs:
Further documents used by the malware sample (SHA256):
Analysts used the initial findings from the IBM report to pivot and discover additional lures and infrastructure belonging to further attacks. Connections from Sample 1 were explored in depth and attacks were mapped to better detail the threat landscape of attacks weaponizing Coronavirus fears. Results were analyzed in parallel to threat intelligence from the EclecticIQ Threat Intelligence Platform, where attack patterns were modelled, and STIX entities were further fused with open source intelligence.
Based on evidence gathered from exploring the email-borne TTPs exploiting Coronavirus fears, observed between the December 31, 2019 alert to the WHO and the time of writing, the attacks have not been highly targeted, with the exception of the four Coronavirus lures carrying impeachment-related metadata. EclecticIQ analysts found five attack patterns in use, two of which have not been previously described.
- Attack Pattern: Targeting Individuals with Coronavirus Lures Promising Updated Information. This was described in this report. EclecticIQ analysts discovered further lures related through file connections.
- Attack Pattern: Spearphishing Shipping and Manufacturing Companies with Coronavirus-Themed Invoice Lures. This was partially described in this report. EclecticIQ analysts observed additional C2 connections supporting related attacks.
- Attack Pattern: Mirroring CDC Webpage Content to Spoof Official Coronavirus Updates. This was described in the following report:
- Attack Pattern: Delivering Lures With Targeted Political Metadata to Pass Through Spam Filters and Increase Delivery Rates. These are the four lures mentioned above. They communicate with the same “easytogets[.]com” domain from the IBM report referenced under the first attack pattern. This is a new attack pattern.
- Attack Pattern: Using a JPEG File for Enhanced Initial Emotet Delivery. The JPEG file, packaged inside the lure document 9f4790a3accc0efd45e83f85ae36138cc76fa8692e5cae54dde3ce8672f53c4a, carries TTPs and a C2 address (52.16.25[.]241) that are isolated from the rest of the infrastructure. Its date is a week earlier than the first batch of samples associated with Sample 1. EclecticIQ analysts posit that this lure is part of a further attack or campaign that cannot be fully described here. This is a new attack pattern.
Analysis: Pivoting to Further Lures
Sample 1 is a phishing lure document delivered as an email attachment. Based on its composition, its C2 configuration and the malware it delivers, the file shows strong similarities to further documents, all of which use very similar phishing TTPs.
The earliest batches of phishing attacks discovered using Coronavirus-themed lures began on 29.01.2020 and ended by 07.02.2020. The attacks all use malware sold as a service (MaaS), including Emotet, AZORult and Nanocore, all of which are prominent families on dark-web marketplaces.
Some of the attacks use an exploit for CVE-2017-11882, a memory-corruption vulnerability in the Microsoft Office Equation Editor that was patched in November 2017. Reliance on an old, well-known exploit, combined with the generic lure titles seen in that attack and others, is strong evidence that these attacks are operated by lower-skilled threat actors seeking to monetize any opportunistic access. Further malicious activity is very likely to follow from the attacks.
The great majority of attack patterns download Emotet payloads via Microsoft Office macros. In some cases the Emotet variants lead to the installation of further commodity RATs, including AZORult, Nanocore and Parallax (https://www.proofpoint.com/us/corporate-blog/post/coronavirus-themed-attacks-target-global-shipping-concerns and https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html). EclecticIQ analysts performed a deeper analysis of the domains from the IBM report and found that the batch of similar lures links to domains whose names are drawn from Indonesian and other non-English languages:
| Domain | Name origin |
|---|---|
| Drhuzaifa[.]com | “huzaifa” is Hausa and loosely translates to “raid”; it is also a common given name of Arabic origin, so the domain may simply be named after a person |
| Dewakartu[.]info | “dewa kartu” is Indonesian/Malay, literally “card god” |
| Dewarejeki[.]info | “dewa rejeki” is Indonesian and loosely translates to “god of fortune” |
The “dewa” (god) prefix combined with “kartu” (card) or “rejeki” (fortune) is a naming pattern common among Indonesian online gambling sites. IBM reported lures from the C2 attached to Sample 1 targeting Japanese users on 29.01.2020, but did not report the possibility of Indonesian regional victims being targeted. Hausa is the Chadic language with the largest number of speakers, spoken as a first language by some 44 million people and as a second language by another 20 million.
The domain titles above serve files with random document titles, such as:
- invoice_XTNJ01_440354272.doc ad1b015460e501db7d73a64b2918a243c5ef6c3329e001a7581a61a4f190966f
- invoice-WX3_79544459.doc 7cbcad4d6e9ad8438e5febd3830bff9aef4729b98d23935ad7f9e6d290272732
The files deliver commodity malware such as Emotet and follow the spray-and-pray TTPs used in mass spam campaigns, in which threat actors use relatively simple TTPs to reach the largest possible mass of users.
EclecticIQ analysts found one lure with a Japanese title that is related to Sample 1 in format, size, timing, targeting and the files it communicates with (2ef26921d7a4fc0916f1498ec4681fe0c0488400ce5151044682578ba837c682). It was submitted from both Japan and Canada on the same date, 31.01.2020.
The domain names strongly suggest that Indonesian users were targeted, and the geographic submission points imply that users in Canada were also targeted in the campaign described in the IBM report. Analysts were unable to find lure samples written in these languages. It is possible the threat actors did not have command of them and simply used English lures, since English is common globally. Infrastructure naming that does not match the language of the lures or of the target audience is a TTP associated with threat actors of low capability.
VT reports the hash of Sample 1 submitted from both the United Arab Emirates and Canada on 29.01.2020.
Documents of similar format, structure, size and packaged files, which also use the same initiating macro container as Sample 1 (“vbaProject.bin”), link to the same C2 within two proxy hops, and drop malware variants from the same family, were submitted from:
- Czech Republic on 29.01.2020 (88d5d1509e854571dd896023d135cb4b1adaf2f777efb222e0c2a876f957d0ca, 5d38dde5e54925a4693d50c7ff8b765773ca26fcf4afea34b442177766b6e115)
Document lures of very similar structure were submitted from:
- Canada on 29.01.2020: 4c9e35f3d5f555dda5f4373cf23fbb289c6067c70841be7022ba6da62e49cccb https://www.virustotal.com/graph/g869fa064e9c94028a6bab4194e9d93d92233474e08214744ae848815e0596665
- Bahrain on 29.01.2020: 4261c07ae29b1f2dd17fd0970190b2211fd1611603db699df0f1271365f387eb https://www.virustotal.com/graph/g869fa064e9c94028a6bab4194e9d93d92233474e08214744ae848815e0596665
- Russia on 29.01.2020: c0e391424b6a16b733dbce3fa1c5eed1c972ec1e72c198d811d5b8314da941bb https://www.virustotal.com/graph/g869fa064e9c94028a6bab4194e9d93d92233474e08214744ae848815e0596665
The geography of the submissions is evidence that the same operators of the campaign targeting Japanese users also reached victims in these other countries. Targeted attacks do not typically share C2 across broad geographies (per above samples). Targeted attacks are much more subtle and obfuscated, employing more limited C2.
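The pivot used above, clustering documents by their packaged “vbaProject.bin” and by the other files bundled inside them, can be reproduced offline, since an Office Open XML document is just a ZIP archive. The Python script below is an added example and not EclecticIQ's own tooling: it hashes word/vbaProject.bin so the digest can be matched against a watchlist (seeded here with the vbaProject.bin hash reported later on this page), inventories every packaged member, and flags media whose leading bytes do not match their extension, which is the check that would have surfaced a “JPEG” that is really an executable. The document it inspects is constructed in memory for the demonstration and is not one of the real lures.

```python
"""Offline triage of an Office Open XML lure: hash the macro container for
pivoting and inspect packaged files. Added example; not EclecticIQ tooling."""
import hashlib
import io
import zipfile

# Watchlist of vbaProject.bin hashes seen across the lure cluster on this page.
KNOWN_VBA_HASHES = {
    "11370bd6c67c5b2c93fead866566e4508ed21bbf675dd3bc8060c8ad6d7fb144",
}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File header (vbaProject.bin, OLE objects)
IMAGE_MAGIC = {                                   # normalized extension -> accepted leading bytes
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXT_ALIAS = {"jpeg": "jpg"}


def classify_bytes(data: bytes) -> str:
    """Sniff content by magic bytes: 'pe', 'ole', an image type, or 'unknown'."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole"
    for ext, sigs in IMAGE_MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return "unknown"


def inspect_ooxml(blob: bytes) -> dict:
    """Return macro hash, member inventory and extension/content mismatches."""
    report = {"has_macros": False, "vba_sha256": None, "vba_known": False,
              "members": [], "mismatched_media": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            kind = classify_bytes(data)
            report["members"].append((name, len(data), kind))
            lname = name.lower()
            if lname.endswith("vbaproject.bin"):
                digest = hashlib.sha256(data).hexdigest()
                report.update(has_macros=True, vba_sha256=digest,
                              vba_known=digest in KNOWN_VBA_HASHES)
            elif "/media/" in lname:
                ext = lname.rsplit(".", 1)[-1]
                ext = EXT_ALIAS.get(ext, ext)
                # Everything under word/media should be an image; a PE or OLE blob
                # here is the "image that launches a payload" pattern.
                if ext in IMAGE_MAGIC and kind != ext:
                    report["mismatched_media"].append((name, kind))
    return report


def build_sample_docx() -> bytes:
    """Constructed test document (not a real lure): minimal OOXML skeleton with a
    macro container and a '.jpg' member that actually starts with a PE header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
        zf.writestr("word/media/image1.jpg", b"MZ\x90\x00" + b"\x00" * 32)
        zf.writestr("word/media/image2.png", IMAGE_MAGIC["png"][0] + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    result = inspect_ooxml(build_sample_docx())
    print("macros:", result["has_macros"], "vbaProject.bin sha256:", result["vba_sha256"])
    print("known hash:", result["vba_known"])
    for name, size, kind in result["members"]:
        print(f"  {name:28s} {size:6d} bytes  {kind}")
    print("mismatched media:", result["mismatched_media"])
```

Against a real sample, call inspect_ooxml on the file's bytes; the vba_sha256 value is the pivot key, and any entry in mismatched_media is a packaged file worth detonating separately.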
Analysis: Pivoting to Further C2
Much of the C2 connected to the further lure samples discovered above, overlap with previous, unrelated MaaS activities.
- 182.187.137[.]199 has been identified as a previous Heodo botnet C2 (https://www.virustotal.com/gui/ip-address/182.187.137.199/details).
- 81.16.29[.]109 resolved to rahasiabola[.]info, a known malicious domain scanned on 2019-11-20 (https://www.virustotal.com/gui/domain/rahasiabola.info/relations). The name is Indonesian (“rahasia bola”, roughly “football secrets”), matching the naming pattern of the domains above.
The domain registrations of the earliest batch of lure samples time well against international disease escalations.
17.01.2020 - The Centers for Disease Control and Prevention (CDC) announces that the agency, in conjunction with the Department of Homeland Security's Customs and Border Protection, will implement health screenings at three airports. Passengers traveling on direct or connecting flights from Wuhan to Los Angeles (LAX), San Francisco (SFO) or New York (JFK) will undergo screening for symptoms associated with COVID-19.
22.01.2020 - The WHO convenes an emergency meeting to determine whether it should declare the virus a public health emergency of international concern (PHEIC).
All C2 discovered in the attacks first becomes active after the US announces, on 17.01.2020, that it will start screening travellers. In retrospect, this is the point at which global tension and attention around the virus and its possible spread start to rise sharply. All of the C2 domains listed previously, which the lures contact upon initialization, remain up for only 1-3 days, with a few exceptions. This type of behaviour is expected from non-targeted attacks.
Of all the lures discovered, the great majority have a “first seen” date of 29.01.2020, and they disappear by 07.02.2020. Analysts interpret this as a response to the increased exposure brought by threat intelligence reporting.
Analysis: Pivoting to Further Attacks
Analysts discovered a further C2 address communicating with Sample 1: 45.55.179[.]121.
The address resolves (https://community.riskiq.com/search/45.55.179.121) to a domain in Argentina (net-sec.com[.]ar) hosting multiple Emotet droppers (https://otx.alienvault.com/indicator/ip/45.55.179.121).
Looking further at the AlienVault information, we can see a PE file that launches Emotet (as with the other C2 from the IBM report) and carries the following text in its version-information fields (shown as extracted by ExifTool, whose “EXE:” prefix denotes the PE version resource):
| Field | Value |
|---|---|
| EXE:FileDescription | “Debate over lunch, intense huddles on the Senate” |
| EXE:OriginalFileName | “Lindsey Graham, a top confidant of the President's” |
| EXE:ProductName | “Mitch McConnell in his office to talk over how and when the trial would conclude” |
Stuffing these fields with innocuous-looking text is a technique threat actors employ to slip past blocklisting software and get their spam delivered. The use of politically charged text is purposeful and serves to attract reader attention. The text originated from this article. The fields can be overwritten automatically by specialized tooling, which also removes the build metadata that would otherwise let researchers retrieve artefacts or patterns. Three lures are from 30.01.2020 and were uploaded from the US and Canada.
A fourth lure is alive from 01.02.2020 through 08.02.2020 and was uploaded several times from Germany (0ddde52ca3e01fdf8dbaff394135e34de7f446d8d47942329f9b9832b3b2246a). The similar Emotet and commodity RAT payloads further confirm a link to the C2 presented by IBM. The difference in lures is likely an adaptation to the intended audience. It is notable that the three countries targeted by these lures are all Western, and that the lures use timely, inflammatory text. Threat actors looking simply to maximize the effect of their campaign will change lures but keep the same payloads.
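Version-information stuffing of the kind shown above is easy to spot once the fields are in hand: genuine FileDescription, ProductName and OriginalFilename values are short noun phrases or file names, whereas lifted news text is long, punctuated and full of function words. The Python below is an added example rather than EclecticIQ tooling. It scores the three strings reported above (as they would be returned by pefile or ExifTool) against a constructed set of fields typical of a signed Microsoft binary, and flags a field only when two independent signals agree, so a long but ordinary copyright string is not a false positive.

```python
"""Heuristic for PE version-info fields stuffed with prose. Added example, not
EclecticIQ tooling. REPORT_FIELDS are the strings reported on this page;
BENIGN_FIELDS are constructed for contrast."""
import re

# Short function words that rarely appear in genuine product metadata but are
# unavoidable in a sentence lifted from an article.
FUNCTION_WORDS = {"the", "a", "an", "of", "to", "in", "on", "over", "how",
                  "when", "his", "her", "their", "would", "that", "who"}
FILENAME_FIELDS = {"OriginalFilename", "InternalName"}
FILENAME_RE = re.compile(r"^[\w\-.+ ]{1,64}\.[A-Za-z0-9]{1,4}$")

REPORT_FIELDS = {
    "FileDescription": "Debate over lunch, intense huddles on the Senate",
    "OriginalFilename": "Lindsey Graham, a top confidant of the President's",
    "ProductName": "Mitch McConnell in his office to talk over how and when the trial would conclude",
}
BENIGN_FIELDS = {  # constructed, typical of a legitimate signed binary
    "FileDescription": "Microsoft Office Word",
    "OriginalFilename": "WINWORD.EXE",
    "ProductName": "Microsoft Office",
    "CompanyName": "Microsoft Corporation",
    "LegalCopyright": "Copyright © Microsoft Corporation. All rights reserved.",
}


def prose_signals(field: str, value: str) -> list:
    """Return the independent signals that make this field value read like a sentence."""
    words = value.split()
    signals = []
    if len(words) >= 6:
        signals.append("long")
    if re.search("[,;:'\"?!]", value):
        signals.append("sentence_punctuation")
    if sum(w.lower().strip(".,'\";:") in FUNCTION_WORDS for w in words) >= 2:
        signals.append("function_words")
    if field in FILENAME_FIELDS and not FILENAME_RE.match(value):
        signals.append("not_a_filename")
    return signals


def assess_version_info(fields: dict) -> dict:
    """Map each field carrying two or more signals to its signals; {} means clean."""
    flagged = {}
    for field, value in fields.items():
        signals = prose_signals(field, value)
        if len(signals) >= 2:
            flagged[field] = signals
    return flagged


if __name__ == "__main__":
    print("report sample:", assess_version_info(REPORT_FIELDS))
    print("benign sample:", assess_version_info(BENIGN_FIELDS))
```

The two-signal threshold is the design choice that matters: any single signal (length alone, a comma alone) fires on legitimate metadata, but a field that is both long and built from function words, or both punctuated and not a file name, is almost always stuffed.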
Analysts found files similar to Sample 1 contacting additional C2 of interest. These documents were linked by an embedded file named “vbaProject.bin” (11370bd6c67c5b2c93fead866566e4508ed21bbf675dd3bc8060c8ad6d7fb144), which links to three further samples of Emotet and supports these attacks being part of the same effort. The script stages additional Emotet variants, which also contact the domains “easytogets[.]com” and “erasmus-plius.tomasjs[.]com” from the IBM report.
- “easytogets[.]com” is very similar to “easytoget.co.in”, a popular IT services company based in India. Analysts also observed the domain “gsoman[.]com”, an IT services company based in Oman, serving similar malicious phishing documents.
- “Plius” is the Lithuanian word for “plus”, and “Erasmus+” is the European Union's programme for education, training, youth and sport. The domain is hosted on an IP address also based in Lithuania.
These domains share some of the same files. Both domains serve the files “CImageButton.EXE” and “QuickWin.EXE”, each carrying the same date on both domains, with timestamps within minutes of each other. The hashes differ, but the file size changes by 10 bytes or less. This is indicative of reusing or repackaging payloads: the threat actor changes something insignificant in the payload to produce a new hash and bypass antivirus engines. It is a very common phishing TTP used to prolong individual campaigns.
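The repackaging pattern just described (same file name, size within 10 bytes, timestamps minutes apart, different hash) is easy to automate over two hosting listings, and easy to confirm when both binaries are available. The Python below is an added example, not EclecticIQ tooling: the file names are the ones reported above, but the sizes, timestamps, hashes and payload bytes are constructed stand-ins, and the two listings are labelled host A and host B rather than attributed to the real domains.

```python
"""Spot repackaged payloads across two hosts: same name, near-identical size,
minutes apart, different hash. Added example with constructed listings; not
EclecticIQ tooling and not real sample data."""
import hashlib
from datetime import datetime, timedelta

MAX_SIZE_DELTA = 10                 # bytes: the report saw changes of 10 bytes or less
MAX_TIME_DELTA = timedelta(minutes=30)

# Constructed stand-ins for a dropped PE and its padded repack.
PAYLOAD = b"MZ" + b"\x00" * 98
REPACKED = PAYLOAD + b"\x00" * 6    # same payload plus 6 bytes of trailing padding

T = datetime(2020, 1, 29, 10, 0)   # constructed base timestamp
LISTING_HOST_A = [  # (name, size, first seen, sha256)
    ("CImageButton.EXE", len(PAYLOAD), T, hashlib.sha256(PAYLOAD).hexdigest()),
    ("QuickWin.EXE", 4096, T + timedelta(minutes=3), hashlib.sha256(b"quickwin-1").hexdigest()),
    ("setup.exe", 65536, T, hashlib.sha256(b"setup").hexdigest()),
]
LISTING_HOST_B = [
    ("cimagebutton.exe", len(REPACKED), T + timedelta(minutes=7), hashlib.sha256(REPACKED).hexdigest()),
    ("QuickWin.EXE", 4101, T + timedelta(minutes=9), hashlib.sha256(b"quickwin-2").hexdigest()),
    ("setup.exe", 65536, T + timedelta(hours=5), hashlib.sha256(b"setup").hexdigest()),  # exact mirror
]


def find_repacked(listing_a, listing_b, max_size_delta=MAX_SIZE_DELTA,
                  max_time_delta=MAX_TIME_DELTA):
    """Pair entries by (case-insensitive) name across the two hosts and return the
    pairs that look like one payload with a trivially altered hash."""
    by_name = {}
    for entry in listing_b:
        by_name.setdefault(entry[0].lower(), []).append(entry)
    hits = []
    for name, size, seen, digest in listing_a:
        for _, size_b, seen_b, digest_b in by_name.get(name.lower(), []):
            if digest == digest_b:
                continue  # identical file: plain mirroring, not repacking
            if abs(size - size_b) <= max_size_delta and abs(seen - seen_b) <= max_time_delta:
                hits.append((name, digest, digest_b, size_b - size, seen_b - seen))
    return hits


def same_payload_modulo_padding(a: bytes, b: bytes, max_pad=MAX_SIZE_DELTA) -> bool:
    """With both files in hand: True if one is the other plus <= max_pad trailing bytes."""
    short, long_ = (a, b) if len(a) <= len(b) else (b, a)
    return len(long_) - len(short) <= max_pad and long_.startswith(short)


if __name__ == "__main__":
    for name, h_a, h_b, size_delta, time_delta in find_repacked(LISTING_HOST_A, LISTING_HOST_B):
        print(f"{name}: {h_a[:12]} -> {h_b[:12]}  size {size_delta:+d} B  {time_delta} apart")
    print("padded repack of same payload:", same_payload_modulo_padding(PAYLOAD, REPACKED))
```

The listing comparison is what an analyst can run from VirusTotal or URLhaus metadata alone; the byte-level prefix check is the confirmation step once the two binaries have been pulled, and it separates trailing-padding repacks from payloads that were actually rebuilt.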
The file vbaProject.bin (11370bd6c67c5b2c93fead866566e4508ed21bbf675dd3bc8060c8ad6d7fb144) is detected by THOR APT Scanner through the corresponding YARA rule:

| Field | Value |
|---|---|
| RULE_TYPE | Valhalla Rule Feed Only |
| DESCRIPTION | Detects a suspicious keyword often found in malicious samples by various actors |

Detection timestamp: 2020-01-29 10:16
The domain “easytogets[.]com” was discovered serving additional, different spearphishing files at the same time as the timestamps in the IBM report above:
- 0ddde52ca3e01fdf8dbaff394135e34de7f446d8d47942329f9b9832b3b2246a title: “from the White House Office of Management and Budget” (this is the same lure discussed earlier)
- 786e615145c7139c849c0d144724a2f9023ff8abae1d32116934a6a1e39bd20d title: “I think it's increasingly likely that other Republicans will join those”
- e8f809f69a173ed00b2573fda1acdaa9492c65789155294ef10dee8769016fd3 title: “Secondly, after the White House refused to allow staff to testify at the first”
- a1353d0a0d43cc7699deb9a4527b4c968a546ccb2e1e98c9061dc65256ebc179 title: “I think it's increasingly likely that other Republicans will join those”
These samples are very similar to the document (7ffa33942351eb0025959231e3d29972f38196a1c48e622462e8669116b6fb6f) mentioned earlier that communicates with the additional IP address (45.55.179[.]121) discovered. The lure themes use the same metadata-stuffing trick described earlier to get past filters. The text is taken from this article.
Analysts discovered a report by Imperva that details similar efforts to inject content to boost effectiveness of Coronavirus spam.
All four of these samples tie back to a highly nested C2 environment: they are supported by a much larger nexus of C2 IP addresses that are heavily interconnected and have only limited connections to the other IPs or URLs studied. Highly connected, dedicated C2 environments like this one are a TTP used by some APT groups to better hide and persist during a targeted attack.
Another IP address contacted by Sample 1 is 166.62.28[.]87, based in the US, which was found serving further spam. One of these documents related to Sample 1 (SHA256: 1080ed3ea480d268d8f19b2f562eb8353671a805db28d139f1bdc938ba1d99e6) contacts a Pakistan-based domain. Analysts used the associated IP address (182.187.137[.]199) to pivot to further Emotet payloads carrying the same detection name as the other Emotet payloads, and the IP address connects back to the “easytogets[.]com” domain reported from Sample 1. The lure files use similar vague, generically numbered Microsoft document attachments.
A notable further detail is that abuse.ch tracks this address as previously controlled by the Heodo botnet from 04.01.2020 to 11.02.2020. All of the Emotet samples served from this IP address begin and end on 29.01.2020. EclecticIQ threat intelligence confirms this IP address serving Emotet between 29.01.2020 and 03.01.2020.
Analysis: Pivoting to Further Samples
EclecticIQ analysts identified additional malware samples that link to drhuzaifa.com through the IP address 148.66.138[.]127 (https://www.virustotal.com/graph/g869fa064e9c94028a6bab4194e9d93d92233474e08214744ae848815e0596665). The dates and content of the lures differ enough that they are considered a separate campaign.
This set of lure documents largely uses random invoice titles, a TTP indicative of companies and organizations, rather than individuals, being targeted. These are probably the shipping and manufacturing companies targeted in the report discussed here.
For example, the file “INVOICE IP5934_206192.doc” (SHA256: 9f4790a3accc0efd45e83f85ae36138cc76fa8692e5cae54dde3ce8672f53c4a) is hosted at hxxp://nobelco.ir/wp-content/u685bax-la-111648, an Iranian domain. In addition to communicating with the “drhuzaifa[.]com” domain, samples also contact URLs in Pakistan, Turkey and Russia. A legitimate invoice document has no reason to make outbound connections at all, let alone to hosts under several country-code top-level domains. The URLs involved with these domains also drop Emotet variants with detections similar to the batch associated with Sample 1. The invoice-based attacks represent an escalation from the other phishing attacks targeting individuals.
One of the documents similar to Sample 1 (9f4790a3accc0efd45e83f85ae36138cc76fa8692e5cae54dde3ce8672f53c4a) had other files packed inside the primary lure file. One of these packaged files is a JPEG file (42b400ef49aec2fcad8bccaa70b530d30d803cd29ced2639245050a3d0810854), first dated 2020-01-23, that launches Emotet and contacts C2 in Ireland (52.16.25[.]241) hosting both safe and malicious domains (https://community.riskiq.com/search/52.16.25.241). The JPEG file was uploaded from Spain on 23.01.2020, earlier than the group of initial samples, which are all dated 29.01.2020 (https://www.virustotal.com/graph/g869fa064e9c94028a6bab4194e9d93d92233474e08214744ae848815e0596665).
Looking further into the history of this IP address, it previously hosted the domain WSE.uk, which was used to launch other commodity worm variants, including PoeBot from 14.07.2019 (fd18d521109431ac9ba7178fe5f5c42b271e4742cbdd53e755952866310a1ef5) and Parite from 26.07.2019 (ffe0d8c5420fd3b1698c1437564c351e21bf5ef78b40a891adb56f9f302ec791). These variants embed themselves into the target system and are polymorphic, capable of supporting a variety of further malicious functions (https://threatvector.cylance.com/en_us/home/blackberry-cylance-vs-parite-polymorphic-file-infector.html, https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/POEBOT).
The use of a JPEG file may indicate steganography TTPs. The lure documents are all very generic and carry vague, numbered titles. Given the commodity malware (Emotet) and the generic document titles, these lures do not appear to be targeted, and the C2's history of use in MaaS operations further suggests that this set of attacks is non-targeted.
EclecticIQ analysts have observed Emotet evolve into a robust Malware-as-a-Service (MaaS) offering. Variants were deployed in large volume using opportunistic Coronavirus lures to increase payload delivery. These attacks using Emotet and other MaaS RATs will likely lead to further attacks, since the malware deployed so far is tailored for remote access. EclecticIQ analysts did not observe further activity in the kill chain. Analysts did not observe any Coronavirus-themed TTPs that were especially sophisticated or that implicate APT activity. The attacks described in this report are operated by lower-skilled threat actors.
In earlier attacks against Germany in 2019, Emotet was used to download Ryuk ransomware, targeting multiple organizations there (German Public Services Hit in Targeted Emotet Attacks). The TTPs used in those attacks are similar to the TTPs here: Emotet is delivered by spearphishing and used to stage remote access. Emotet implants carry a high risk because of the additional malware they can deliver. In the latest attacks we do not observe any severe or advanced follow-on malware. CISA released an Emotet-specific advisory just prior to the onset of the attacks.
The great majority of the attacks observed and discussed use TTPs most common to cybercriminals. We have not seen malware or C2 artefacts that are particularly sophisticated: there is limited encryption and obfuscation between samples and C2, and the C2 uses TLS in only limited cases. Furthermore, much of the C2 overlaps with previous attacks that also used generic malware. EclecticIQ analysts assert with high confidence that the attack patterns are operated by threat actors seeking simple financial gain by exploiting a common opportunity. The operations described in this report are likely information-gathering efforts looking to gain access or data that can be sold or used on dark marketplaces for future attacks.
Timeline of Global Activities Surrounding the Coronavirus*
| Date | Event |
|---|---|
| January 30 2020 | Three lures sent containing political metadata. |
| January 30 2020 | WHO declares the outbreak a public health emergency of international concern (PHEIC). |
| January 29 2020 | The first batch of lures, including Sample 1, is observed in the wild. |
| January 23 2020 | The JPEG lure file is uploaded from Spain. |
| January 22 2020 | WHO Director-General Tedros Adhanom Ghebreyesus convenes an emergency committee to determine whether the outbreak constitutes a PHEIC. |
| January 22 2020 | CISA releases an Emotet-specific advisory. |
| January 18 2020 | Earliest C2 timestamp discovered. |
| January 17 2020 | The Centers for Disease Control and Prevention (CDC) announces that the agency, in conjunction with the Department of Homeland Security's Customs and Border Protection, will implement health screenings at three airports. Passengers traveling on direct or connecting flights from Wuhan to Los Angeles (LAX), San Francisco (SFO) or New York (JFK) will undergo screening for symptoms associated with 2019-nCoV. |
| January 15 2020 | Japan's Ministry of Health, Labour and Welfare reports a case, also involving someone from Wuhan, China. Both Thailand and Japan begin screening people arriving from Wuhan. |
| January 13 2020 | Thailand's Ministry of Public Health reports the first case of 2019-nCoV outside China, involving someone who traveled from Wuhan. |
| January 12 2020 | China shares the genetic sequence of the novel coronavirus for countries to use in developing specific diagnostic kits. |
| January 11 2020 | The National Health Commission in China tells WHO the outbreak is associated with exposures at a seafood market in Wuhan. Chinese authorities also identify a new type of coronavirus. |
| December 31 2019 | China alerts WHO to several cases of pneumonia in Wuhan. |
Hash values representing lure samples and packaged lure files:
Domains and URLs