Written by Sherrod DeGrippo, Sr. Director of Threat Research and Detection, Proofpoint
Proofpoint researchers have observed an increase in malicious activity exploiting the global Coronavirus outbreak, which has reached hundreds of thousands of messages. The most notable developments are attacks that leverage conspiracy theory-based fears around purported unreleased cures for Coronavirus and campaigns that abuse perceived legitimate sources of health information to manipulate users.
In this latest round of campaigns, attackers have expanded the malware used in their Coronavirus attacks to include not just Emotet and the AZORult information stealer, but also the AgentTesla Keylogger and the NanoCore RAT — all of which can steal personal information, including financial information. Attackers have also expanded their attacks to include credential theft. Our researchers have seen fake Office 365, Adobe, and DocuSign sites, linked to Coronavirus-themed emails, that are meant to steal credentials.
Previously, Coronavirus-themed attacks centered on concerns around economic disruptions in light of the outbreak, specifically around shipping. This trend is continuing and has expanded to include manufacturing as well.
Consistent with this level of tailoring and focus on economic concerns, we are also seeing dedicated attacks against construction, education, energy, healthcare, industry, manufacturing, retail, and transportation companies.
- Email lure that stokes conspiracy theory fears that there is a cure for Coronavirus that isn’t being shared. It then urges the recipient to receive further information on the “cure” by clicking on the link provided in the email. If the recipient clicks on the link, they are taken to a fake DocuSign website where they’re told they need to enter credentials to get the information.
- A Coronavirus-themed email that is designed to look like an internal email from the company’s president to all employees. The messages contain a Microsoft Word attachment with an embedded URL that leads to a fake Microsoft Office website, where the recipient is prompted to enter credentials. Once the credentials are entered, the user is redirected to the legitimate World Health Organization Coronavirus information site, making the phishing transaction seem legitimate.
- Attackers abusing the World Health Organization (WHO) name to distribute an attachment that will install the AgentTesla Keylogger. Once installed, this malware will record all keystrokes and send them to the attackers, a tactic that can give access to online banking and financial accounts.
- Emails with “Coronavirus Update: China Operations” that include an attachment titled “Factory Contacts and Office Resumption” have primarily targeted manufacturing, retail, and transportation companies, all of which have reasonable concerns around manufacturing disruptions in China. The lure is clearly meant to appeal to concerns around possible manufacturing shutdowns in China due to the Coronavirus outbreak. The attachment tries to install NanoCore RAT, a remote access Trojan that can give the attacker full control over the compromised system.
Overall, these latest examples serve as a reminder that users should be watchful and exercise caution where Coronavirus-themed emails and websites are concerned.