Coronavirus Outbreak Scam, Malware, Phishing Vulnerabilities

Summary

Threat actors continue their quest to use the coronavirus to spread malicious software, phishing, and other dangerous informational rumors. During the past week, Proofpoint researchers have observed several groups mounting campaigns contributing to the largest collection of attack types using the same topic as a lure, seen in many years.

Credit:

The information has been provided by Dave Bales

The original article can be found at: https://exchange.xforce.ibmcloud.com/collection/Threat-Actors-Launch-New-Coronavirus-Campaigns-78bdf5e991c84ec286f39efc5d007241


Details
Overview
Since the outbreak of the coronavirus (COVID-19), multiple threat actors have been hard at work using the crisis to further their goals of infecting as many computers as possible. One group, TA505, has been using the coronavirus as part of a downloader campaign targeting the U.S. healthcare system, manufacturing, and pharmaceutical industries. A separate campaign uses a downloader with the target being the healthcare industry to demand Bitcoin payments. The downloader is often employed to deliver ransomware in a later stage. Proofpoint researchers also noted TA564 has been actively targeting Canadian users by posing as the Public Health Agency of Canada to deliver the Ursnif malware. TA505 has used emails that contain a malicious link that claims to provide information on the latest developments and news surrounding the virus. The group’s downloader is capable of installing additional malware such as banking trojans and ransomware. Since the group is a well-known financially motivated group, the act of demanding ransom comes with a little shock. An additional campaign delivers a ransom email with a downloader file that offers coronavirus remedies in exchange for Bitcoin. TA564 is using Ursnif, a common banking trojan, to steal stored data which could include passwords for banking websites. Employing web injectors, proxies, and VNC connections are the main source of infiltration and extraction of the desired information. With more companies moving to a work from home posture, the expectation exists these types of campaigns will continue to rise.
Recommendations
  • Employ company approved VPNs.
  • Use strong passwords.
  • Use only a secure Wi-Fi connection and avoid using publicly accessible connections.
  • Do not click or open links in emails directly, instead type in the main URL in your browser or search the brand/company via your preferred search engine.
  • Ensure anti-virus software and associated files are up to date.
  • Block all URL and IP based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices, a course of action, resources or applications to remediate this threat.
  • Keep applications and operating systems running at the current released patch level.