Threats & Research Coronavirus email attacks evolving as outbreak spreads
New research from F-Secure’s Tactical Defence Unit sheds light on how coronavirus email attacks have spread west along with the virus.
Cyber criminals and other threat actors often try to capitalise on the latest news. It helps them trick unsuspecting users into engaging with them by, for example, clicking on a malicious link in an email. Or opening a malicious attachment.
While people across the globe are beginning to restrict their movements in hope of curbing the spread of the coronavirus, spammers and phishers are out in full force. They want to take advantage of the online demand for information about the pandemic.
F-Secure has observed more and more coronavirus-themed attacks appearing in the wild. Here are some details on what attackers are doing, what to watch out for, and how people can stay secure if they’re planning on riding out the crisis by working remotely.
F-Secure’s Tactical Defence Unit has tracked coronavirus-themed campaigns since January. Attackers’ campaigns have largely spread to new regions in tandem with the virus. Karmina Aquino, Service Lead in the unit, noticed that the emails followed news and advisories and gathered correlations between those. The earliest observed campaigns targeted clients in Japan. But attacks have continued to move West. The examples in the timeline below show how the contents of the spam messages mirrored real developments with the virus (sometimes within 24 hours of those developments appearing in the news).
“While using current themes is nothing new for opportunistic threat actors, what’s interesting to note here is that one malware spam after another has started to use the coronavirus topic in their distribution emails,” says F-Secure Researcher Maria Patricia Revilla Dacuno. “Even more interesting is the usage of news information or public advisories as the basis for the email topics. This helps give validity to the email itself.”
Malware that’s been employed in these campaigns include:
- Emotet and Trickbot – modular threats that deliver different payloads to different targets. Emotet was originally a banking trojan that was updated/upgraded to include new capabilities, such as infostealing and malware delivery. It is known to deliver Trickbot, which then delivers Ryuk ransomware.
- Agent Tesla – an infostealer that has keylogging capabilities for stealing email credentials and passwords from browsers.
- Formbook – an infostealer that collects victim’s sensitive information, such as passwords/credentials from browsers.
- Lokibot – an infostealer that collects email credentials and passwords from browsers, FTP clients and CryptoCoin wallets.
- Remcos RAT – a remote access tool used by cyber criminals that allows attacker to control a victim’s system remotely, and execute commands.
Along with malware-laden spam emails, F-Secure has observed a significant amount of spam that capitalise on the widespread mask shortage. According to Patricia, these emails are common scams. They entice the recipients to pay, but the criminals send them nothing.
“It’s seems straightforward, but this is a good example of social engineering. People are already pressuring themselves to take precautions about the virus, and these advertisements try to attract them, make them feel like a solution is just a click away,” explains Patricia.
Staying secure goes beyond avoiding spam
The news isn’t all bad, at least when it comes to cyber security. Spam emails are nothing new for defenders. No new kill-chain methods or malware types have been observed. References to the coronavirus are intended to generate a higher click rate for pre-existing threat actor campaigns. So as long as users keep calm and exercise caution before they click, spam is a manageable problem.
Many businesses are responding to the crisis by either requesting or mandating employees to work remotely. For some companies and employees, this is unfamiliar territory, which could have security repercussions.
Businesses should ensure that secure remote access technologies, such as VPN, are in place and configured properly, including use of multi-factor authentication, so that employees can conduct business just as securely in an office area. It’s also important that companies instruct workers to avoid using unauthorized personal devices for work, as these devices are rarely monitored for incursions.