Covid-19 has become a global pandemic and fear surrounding the virus has created a golden opportunity that cybercriminals are trying to take advantage of. By using social engineering techniques such as spam and spear phishing with Covid-19 as a lure, cybercriminals are increasing the likelihood of their attacks being a success. This white paper looks at how advanced persistent threat groups are utilising the coronavirus as a lure in their attempts to compromise enterprise security systems.
The coronavirus (COVID-19) has become a global pandemic, and this is a golden time for attackers to take advantage of our collective fear to increase the likelihood of successful attack. True to form, they’ve been doing just that: performing spam and spear phishing campaigns using coronavirus as a lure for government and non-government entities.
From late January on, several cybercriminal and state-sponsored advanced persistent threat (APT) groups have been using coronavirus-based phishing as their infection vector to gain a foothold on victim machines and launch malware attacks. Just like the spread of coronavirus itself, China was the first targeted by APT groups and as the virus spread worldwide, so did the attacks.
In the following paper, we provide an overview of APT groups that have been using coronavirus as a lure, and we analyze their infection techniques and eventual payloads. We categorize the APT groups based on four different attack vectors used in COVID-19 campaigns: Template injection, Malicious macros, RTF exploits, and malicious LNK files.
- Template injection: Template injection refers to a technique in which the actors embed a script moniker in the lure document that contains a link to a malicious Office template in the XML setting. Upon opening the document, the remote template is dropped and executed. The Kimsuky and Gamaredon APTs used this technique.
- Malicious macros: Embedding malicious macros is the most popular method used by threat groups. In this technique, a macro is embedded in the lure document that will be activated upon opening. Konni (APT37), APT36, Patchwork, Hades, TA505, TA542, Bitter, APT32 (Ocean Lotus) and Kimsuky are the actors using this technique.
- RTF exploits: RTF is a flexible text format that allows embedding any object type within and makes RTF files vulnerable to many OLEl object-related vulnerabilities. Several Chinese threat actors use RTF files, among them the Calypso group and Winnti.
- Malicious LNK files: An LNK file is a shortcut file used by Microsoft Windows and is considered as a Shell item type that can be executed. Mustang Panda is a Chinese threat actor that uses this technique to drop either a variant of the PlugX RAT or Cobalt Strike into victims’ machines. Higaisia is a North Korean threat group that also uses this method.
We expect that in the coming weeks and months, APT threat actors will continue to leverage this crisis to craft phishing campaigns using the techniques mentioned in the paper to compromise their targets.
The Malwarebytes Threat Intelligence Team is monitoring the threat landscape and paying particular attention to attacks trying to abuse the public’s fear around the COVID-19 crisis. Our Malwarebytes consumer and business customers are protected against these attacks, thanks to our multi-layered detection engines.