Threat Actors Spreading Malware and Phishing Attacks Using COVID-19 as Threat Vector

In December 2019, COVID-19 was first identified in Wuhan, Hubei Province, China. To date it has had worldwide repercussions, affecting millions of people globally. The pandemic has transformed the lives of people and changed the way we work. On account of the ‘new normal’, organizations worldwide have been compelled to shift to digital means for carrying out their business and sharing critical information. With the adoption of working remotely, businesses are met with critical cybersecurity challenges involving data protection and cloud computing. 

The current work-from-home situation has emerged as an opportunity for cybercriminals. When employees and their devices leave the physical boundaries of the office network, they are more susceptible to cyber risks. In addition, attackers are increasingly exploiting the COVID-19 crisis to design customized cyberattack campaigns, including phishing and malware attacks with the pandemic as the threat vector. Since the onset of the pandemic, there has been a marked rise in threat actors sending tailor-made emails containing information related to the virus. These emails contain legitimate-looking information and often ask victims to click on a link. The attackers also use other tactics to redirect their targets to malicious domains that can be further used for launching malware attacks. 
 
With criminal groups increasingly launching COVID-19-themed malware campaigns, the Cyble Research Team has been analyzing some of these malware campaigns. Our research indicates that attackers are using different attack vectors, including malicious pdf files, malwares embedded in LNK files, android malware, and malicious executables presented as documents related to COVID-19. The case studies discussed below present detailed information on these attacks. 

CASE 1: Covid-21 Windows Malware 

On performing the static analysis of the PE executable file, we found that the application name is shown as Covid-21 corona virus.  

Figure 1: Product Info given in file properties. 

The description contained an interesting string, which we ran in a Virtual environment. The file was found packed with UPX and the timestamp was set to the year 2010. 

Figure 2: Static information of the malware sample. 

It was interesting to note that the sample shows a pop-up alert once we execute the sample, as shown in the image below. 

Figure 3: Alert message after clicking malware sample. 

The malware sample also drops multiple files in the Appdata folder with the pop-up alert shown in Fig3. 

Figure 4: Malware helper files dropped in Temp folder. 

On selecting yes for the execution from the pop-up alert in Fig3, the batch file dropped as Covid21 in Fig4 carries out the primary infection processes. The batch file code analyzed is showcased in the image below.  

Figure 5: Covid21.bat file performing various malware operations. 

The Covid21.bat file creates a folder “Covid21” as seen in Fig5 and moves all the helper files to this folder. The batch file also executes other malware helper files, disables Task Manager & Windows Defender, along with the option to change wallpapers using registry entries. The Covid21.bat file also modifies the Master Boot Record, which contains the information on each hard drive partition. The batch installer tries to overwrite the MBR file with its own code to lock out users from their system. The execution of PayloadMBR.exe can be seen in the image below. 

Figure 6: Execution of the PayloadMBR binary and alert message boxes. 

Upon execution of the malware, the wallpaper is modified, and multiple message boxes are displayed on the home screen stating that the computer has been infected with Covid-21 Corona Virus, as seen in the image below. 

Figure 7: Changed home screen and message boxes shown after execution of the malware. 

 
The malware claims to be a Trojan, but its primary aim appears to be locking the bootloader and leading to a forced shutdown. After a short interval of time, a blue screen appears on the desktop stating that the system has crashed. 

Figure 8: Error message displayed after the execution of the malware. 

This malware sample takes an approach directed at complicating the malware analysis process by crashing the Windows kernel. On restarting the system, the message that appears is shown in the image below: 

Figure 9: Display screen on restarting the system. 

CASE 2Malicious PDF documents 
 

In the course of our research, we have seen PDF documents being shared by threat actors through phishing campaigns. Attackers send documents related to information on COVID-19, and these documents are tailored to look like legitimate documents being sent from verified sources. The image below is a snapshot from one such malicious pdf documents related to testing results for COVID-19: 
 

Figure 10: Malicious document related to Covid. 

Figure 11: PDF reCAPTCHA redirecting to malicious URLs. 

The document asks victims for a reCAPTCHA verification. On clicking the checkbox, the document redirects unsuspecting users to a malicious domain. 

Figure 12: Redirected Domain 

The domain to which users are redirected was inactive at the time of our analysis. These malicious domains are used for financial motives or delivering malicious payloads to the victim’s system. The COVID-19 related document has hardcoded links to various fake documents which are part of the same malware campaign. On clicking these links, the user is redirected to other malicious domains. 

Figure 13: Links embedded in Covid related document. 

Threat actors are also using social engineering techniques and phishing campaigns to lure victims into opening these malicious documents. 

CASE 3: LNK Malware 

Recently, there has been significant growth in the number of malware attacks using shortcut files. Threat actors often use phishing emails containing a link to download malicious shortcut files or the LNK files directly embedded into them as attachments. Our research indicates that attackers have been using filenames related to COVID-19 vaccination as a cover to lure targets into opening these malicious LNK files. 

On further analysis of one such file, we observed that the LNK file contains a path to the target executable. In our sample, the attackers used a “mshta.exe” file, which is used for opening HTML applications in Windows systems. 

The “mshta.exe” is used by attackers to execute malicious “.hta”, Javascript or VBScript files directly. The mshta can execute outside the scope of Internet browsers, enabling these events to bypass browser security settings. We found some interesting strings while analyzing the LNK sample: 

Figure 14: Structure & Contents of LNK File 

The “Long filename” stores the information based on which the target executable will be used by the LNK file. A relative path for the executable is also mentioned in “Relative Path (UNICODE)”. The “Arguments” string contains the URL of the malicious file, which is executed using the “mshta.exe”. On successful execution of the LNK file, the malicious URL loads the malware into the victim’s system.  

CASE 4: Malicious Word document 

Attackers are leveraging the COVID-19 crisis to share malware-embedded documents. In one of the instances, we found a word document disguised as a COVID-19 report. Our research indicates that often these documents contain legitimate-looking information on the pandemic, while being embedded with malicious Macros that are used to deliver malware payload on the victim’s system. We analyzed a similar document, as shown below. 

Figure 15: Warning related to Macros 

The initial analysis of the document shows suspicious indicators. For instance, the document is an AutoExec”, which allows the automatic execution of macros when the document is opened. The victim has no knowledge of the macros running in the background. We also found some other suspicious behaviors, as shown below. 

Figure 16: Presence of a large number of Macros inside document 

The document also contains hex-encoded strings. On decoding and filtering one of these functions, it was found to be executing a PowerShell command, as shown below. 

Figure 17: PowerShell script downloading malware payload. 

The network details also show that the document is sending a GET request to a C&C Server for downloading the payload. 

The infection mechanism looks familiar to that of the Emotet malware, and the C&C server is also a known malicious domain related to the Emotet malware. 

CASE 5: APK Malware 

We have analyzed various APK samples related to COVID-19. Most of the samples were found to be related to Adware campaigns for monetization. Threat actors use applications based on COVID-related news to lure unsuspecting users into installing these apps.  

As shown in figure 18, the attacker designed the application in a way to request users to install other third-party applications or load ads to unlock the content of the app: 

Figure 18: APK Homepage 

On performing static analysis, we found that the main activity of the app starts with the OnCreate method. The method further calls a Web Creation functionality, which loads the WebView of the app store or ads referred from other classes, as shown in figure 19. 

Figure 19 WebView page of the apps with user intent 

Based on our research, we also found that the application has multiple encrypted strings that are decoded using the AES encryption technique using the decryptString function, as shown in the image below. These encrypted strings could be the URLs for the applications or ad files which are shown in figure 20. 

Figure 20 Encrypted strings called according to the thread. 

Figure 21 Encryption technique used within the app. 

The application is built using multiple SDKs, such as Flurry and Google Ads SDK, which are commonly used by developers for loading ads for getting monetization benefits. 

Figure 22 Ads SDK used within the app. 

This application was found to be distributed with different names around android app stores. The main goal was to achieve monetary gains by luring users into installing other applications. 

We have found multiple malware samples related to COVID-19 being distributed in the wild. In order to protect your systems against these malware attacks, please follow the recommendations we have shared below. 

Indicators of Compromise (IOCs): 

SHA-256 Hashes 
028daa77f9c1b2ee7031e78cd87dac5c5741397bc947e5481287c47a8299b119 
02fea9970500d498e602b22cea68ade9869aca40a5cdc79cf1798644ba2057ca 
071df9fbc7877ff9e1e02e52def1a476d661a26151096cf4294b583d5f4ecd57 
17a41a9ba41c62e3915433d44c543fc2358acd9e897f5d3988d198d7589202ba 
18c9eb8ca785ba35c0359b620fbf259eac534a983459c5040ee0e115a968927f 
208e89fb766998ab21cbde91b170f04f5833e9d0d69257b3654828d00dc79933 
24469a7f1f33cdecf507824a773814b5f3190c81acaf04d06c168ccbf71b2ee8 
2b15ade9de6fb993149f27c802bb5bc95ad3fc1ca5f2e86622a044cf3541a70d 
2bbcef2cf92b3592e44ed056a95dc42021e3699c56c8126144934a4b10fd2a2b 
32235954adce6d684eb30095d55e72d37ea558e5460a13f555aa3b8e65f000c8 
35988e06d5138f4cf247c13bff0f038f20c4e49cb95828cc087e2e25cf2fc65b 
3d63156060c7568b2c3065820f698fdadb6e48910ec82593a61c306c13f5692c 
3fce713782fae80c02e863d9023be941b687bb22be3960d2cd5caf10e2c904ca 
53aeae5ee4575585eb3ec40f28c35ac8af237503ccc0c4005c9d54e962295c79 
55ea0b3f16179574ec13c283681b5171a481b8e838e1033d1d7b3318690229fd 
607bf68103d9158e576beb6c3a4b287bc5f5283c5871075a532d44efa448b9a0 
67a75548a3b665ecfdae82894af9afd70eea10739504d1a88e332fa55c9dd797 
6888e5b369c22c0232c62877de2d2490e52f5683cf9f446e68b61d77ca96a7c9 
69f044d9039152f50a92b71efc83ee9e68dbee8d5d5509d3f82d7bbbbedcf186 
7add20d7f4a219b346d552673dcf7fb558acd44195cc28eb1450f497cf6da692 
7f800784b00354dd15eee129317a63bd3f7bb25622e898c873603e5b142cbb09 
84d658ad47d3c7d074189653b8322d579095e7f467314ab6386efd52b34cfb95 
87ac4dca1021ffc003e85e6d9bfc11ab6834031a1588e28b8bc7cb6e84274493 
8845fbc5ee53428df871c07814306e4216731f64b11e96890039e58942626514 
88d77d7e2a2bef73c7578d488d0fd9ae3de4de235d5383791f6593842ec32f68 
8d6b7b5ade14966bc8cfc180bf8bcffdde30a53d2e9c997cd29026942f04d3f1 
953b0f8f73ddd7ce527be413e34f111f1ccb9de0d43569c99789cebf43b50804 
96c6697299109e485bc59d2ee44bef5a1a7fbbe93c4173ad692f875e844f4985 
a6706614d0da8c58be5ac61af02a29dd4542a4fd130464ee3bec6b26be18416f 
ab141a0d2a37d415c5adcf07e6c213a9057f9b73c1de41f94b81c8de659203ed 
c8046cd64b8ac877c08a6b89177c00dff1952682d0b46d9bfa05f8a621c04fae 
cbd911e37568b3b05f2a8d0d0e1ec34df6793e993de1cf9e5dbd658425a639ab 
d0f47d778c3b74673d591395ee97f5a854ae261d0668438bc6a0af014a6e2636 
d53588c17e782ce4a4a99c075f0dfa15a70b1be74ac33cefa8f3efd2d336d17b 
d9136776aa622d131192ad6057163be608f8175fd3ceaab3b72380ef4347eeda 
dae982b9bd7cc2c607fe3eb58aee8c9f231cf42d1f44e77c9f980db6ca2be5f4 
dbd68ca42842087ca1f1ab5299b3e0d5f9b4539fe48d0a5f8d553b5f73b7c19e 
e1a5967a00ab672740cd0427e38e76bd3368a4c53bc5a79d708fd2eb680f9cfa 
e6eb8fe6c1ec21c147f11dba969b7d0f7db36743bc79778a846d7ff6acc1ba83 
eb81dabe9bfd40d53018b0df366ec3270c295df85018dd5ed9684f4952576cbf 
eea646ef34619407a09ab6249e5fe00219ff367cfd09b95e2e32c82ab2cce98b 
f17fd9ff93d1b3db6c3e4463d5ca5c11b99827890c58721d2860df75d4323705 
f3d8a424133d2017f8f76dca98e8e477925ada8ce4299d549534a9a049f75027 
f6cf82813c3619830b648d7677fd1046098453aaafc64c98c75e1f637a9e4136 
fe79ed4902c209d55bd37446fc8d4ce7b37f241e85e7d17264051a8cb300fa5e 

Recommendations: 

Organizations should implement the following practices to strengthen the security posture of their organization’s systems.   

  • Check for instances of standard executables executing with the hash of another process.   
  • Implement multi-factor authentication (MFA), especially for privileged accounts.  
  • Use separate administrative accounts on different administration workstations.   
  • Employ Local Administrator Password Solution (LAPS).   
  • Allow the least privilege to employees on data access.   
  • Use MFA to secure Remote Desktop Protocol (RDP) and ”jump boxes” for access.   
  • Secure your endpoints by deploying and maintaining endpoint defense tools.   
  • Always keep all software up to date.   
  • Keep antivirus signatures and engines up to date.   
  • Avoid adding users to the local administrator group unless required.   
  • Implement a strong password policy and enforce regular password changes.   
  • Configure a personal firewall on organization workstations to deny unwanted connection requests.  
  • Deactivate unnecessary services on organization workstations and servers. 

About Cyble:  

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch in 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.  

Leave a Comment

Your email address will not be published.

%d bloggers like this: