Palo Alto Networks experts warn of malicious Coronavirus-themed phishing campaigns targeting government and medical organizations.

Experts from Palo Alto Networks' Unit 42 published a report analyzing the cross-section of COVID-19 themed attacks aimed at organizations in different industries.

Recently, organizations in healthcare, research, and government have been hit by Coronavirus-themed attacks that deployed multiple malware families, including ransomware and information stealers (e.g., AgentTesla).

Palo Alto Networks researchers cited ransomware attacks against a Canadian government healthcare organization and a Canadian medical research university, both attempting to exploit the ongoing pandemic.

An infostealer variant (AgentTesla) was observed in attacks against various other targets (e.g., a United States defense research entity, a Turkish government agency managing public works, a German industrial manufacturing firm, a Korean chemical manufacturer, a research institute located in Japan, and research facilities in Canada).

The attacks against the Canadian healthcare organizations were observed between March 24 and March 26, 2020; they began with Coronavirus-themed phishing emails, part of a wave of such campaigns carried out over the preceding months.

Healthcare Facility

Attackers used a spoofed address mimicking the World Health Organization (noreply@who[.]int) to send the phishing messages; the emails went to a number of individuals working at a healthcare organization actively involved in Coronavirus response efforts.

“Between March 24, 2020 at 18:25 UTC and March 26 at 11:54 UTC, Unit 42 observed several malicious emails sent from the spoofed address noreply@who[.]int (actual sender IP address at the time of the attack was 176.223.133[.]91) to several individuals associated with a Canadian government health organization actively engaged in COVID-19 response efforts, and a Canadian university conducting COVID-19 research,” reads the analysis published by Palo Alto Networks. “The emails all contained a malicious Rich Text Format (RTF) phishing lure with the file name 20200323-sitrep-63-covid-19.doc, which, when opened with a vulnerable application, attempted to deliver a ransomware payload using a known shared Microsoft component vulnerability, CVE-2012-0158.”

The messages use a weaponized Rich Text Format (RTF) attachment that exploits CVE-2012-0158, a buffer overflow in the ListView / TreeView ActiveX controls of Microsoft's MSCOMCTL.OCX library.

Experts noticed that the file name used in this campaign references the date March 23, 2020, and that it was not updated over the course of the campaign.
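Two of the lure's traits described above are checkable at the mail gateway: the From address claims who.int while the originating hop is an unrelated IP, and the attachment carries a Word file name but RTF content. The triage script below is an added example written for this post, not code from Unit 42 or Palo Alto Networks; the sample message is constructed (the sender address, attachment name and originating IP are the ones quoted in the report, the allowed-sender network is a placeholder that a real deployment would fill from the domain's SPF record).

```python
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Hosts allowed to send as who.int. Assumption: a real deployment would derive this
# from the domain's published SPF record; the documentation range is a placeholder.
ALLOWED_SENDERS = {"who.int": [ipaddress.ip_network("203.0.113.0/24")]}
RTF_MAGIC = b"{\\rt"                     # RTF files start with "{\rtf"
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(msg):
    addresses = getattr(msg["From"], "addresses", ())
    return addresses[0].domain.lower() if addresses else ""


def originating_ip(msg):
    """IP from the bottom-most Received header, i.e. the hop closest to the sender."""
    for hdr in reversed(msg.get_all("Received") or []):
        m = BRACKETED_IP.search(str(hdr))
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def spoofed_sender(msg):
    """True when the From domain is one we track but the mail did not come from its hosts."""
    allowed = ALLOWED_SENDERS.get(sender_domain(msg))
    ip = originating_ip(msg)
    if allowed is None or ip is None:
        return False
    return not any(ip in net for net in allowed)


def disguised_rtf_attachments(msg):
    """Attachment names that claim a Word document but whose bytes are RTF."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith((".doc", ".docx")) and data.startswith(RTF_MAGIC):
            hits.append(name)
    return hits


def triage(raw_bytes):
    """Parse a raw RFC 5322 message and return a list of human-readable findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    if spoofed_sender(msg):
        findings.append(f"{sender_domain(msg)} sender from unlisted host {originating_ip(msg)}")
    for name in disguised_rtf_attachments(msg):
        findings.append(f"RTF content under Word file name {name}")
    return findings


def build_sample():
    """Constructed message (not a real capture) modelled on the lure described in the report."""
    msg = EmailMessage()
    msg["From"] = "World Health Organization <noreply@who.int>"
    msg["To"] = "response-team@example.org"
    msg["Subject"] = "COVID-19 situation report 63"
    # Received headers are listed newest first, as a receiving MTA writes them.
    msg["Received"] = "from mail.example.org ([192.0.2.10]) by mx.example.org; Tue, 24 Mar 2020 18:25:10 +0000"
    msg["Received"] = "from [176.223.133.91] by mail.example.org; Tue, 24 Mar 2020 18:25:08 +0000"
    msg.set_content("Please review the attached situation report.")
    # Placeholder RTF bytes: only the magic matters here, there is no exploit content.
    msg.add_attachment(b"{\\rtf1\\ansi placeholder body}",
                       maintype="application", subtype="msword",
                       filename="20200323-sitrep-63-covid-19.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("ALERT:", finding)
```

The Received-header walk is deliberately simple: it trusts the bottom-most header, which an attacker who controls the sending MTA can forge, so in production the check belongs on the connecting IP your own MTA recorded, or on the SPF/DMARC verdict it computed.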

Once executed, the ransomware binary contacts the C2 server to download an image that serves as the ransom notification displayed on the victim's device. It then gathers host details and transmits them to the C2, which creates a custom key used to encrypt the files on the system's desktop, appending a “.locked20” extension.

“Once the remote command and control (C2) server successfully receives the victim’s details, it then proceeds to create a custom key based on the username/hostname details and sends the key back to the infected host for further processing,” continues the analysis. “Once the key is received from the C2 server, the infected host then initiates an HTTP POST request to the resource www.tempinfo.96[.]lt/wras/savekey.php containing its hostname and the main decryption key for the host, which is, in itself, AES encrypted:”

Palo Alto Networks researchers determined that the ransomware strain was based on EDA2, an open-source ransomware project initially created for educational purposes.
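The post-infection behaviour described above leaves two observable traces on a host: an HTTP POST of the key to the C2 resource, and a burst of Desktop files being renamed with the .locked20 extension. The detector below is an added example written for this post, not Unit 42's or Palo Alto Networks' code; the C2 host, path and extension are the indicators quoted in the report, while the log format, host names, rename threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Indicators from the Unit 42 report quoted above (defanged there as www.tempinfo.96[.]lt).
C2_HOSTS = {"www.tempinfo.96.lt"}
C2_PATHS = {"/wras/savekey.php"}
RANSOM_EXT = ".locked20"
RENAME_THRESHOLD = 5            # assumption: .locked20 renames per host per window before alerting
WINDOW = timedelta(seconds=60)  # assumption: sliding window for the rename burst

# Constructed sample telemetry (not real logs): WS-0042 posts its key to the C2 and
# renames Desktop files; WS-0007 performs unrelated activity and must not alert.
SAMPLE_LOG = r"""
2020-03-24T18:40:01Z host=WS-0042 event=http method=POST url=http://www.tempinfo.96.lt/wras/savekey.php
2020-03-24T18:40:03Z host=WS-0042 event=rename path=C:\Users\jdoe\Desktop\budget.xlsx -> C:\Users\jdoe\Desktop\budget.xlsx.locked20
2020-03-24T18:40:05Z host=WS-0042 event=rename path=C:\Users\jdoe\Desktop\notes.docx -> C:\Users\jdoe\Desktop\notes.docx.locked20
2020-03-24T18:40:07Z host=WS-0042 event=rename path=C:\Users\jdoe\Desktop\photo1.jpg -> C:\Users\jdoe\Desktop\photo1.jpg.locked20
2020-03-24T18:40:09Z host=WS-0042 event=rename path=C:\Users\jdoe\Desktop\photo2.jpg -> C:\Users\jdoe\Desktop\photo2.jpg.locked20
2020-03-24T18:40:11Z host=WS-0042 event=rename path=C:\Users\jdoe\Desktop\plan.pdf -> C:\Users\jdoe\Desktop\plan.pdf.locked20
2020-03-24T18:41:10Z host=WS-0007 event=rename path=C:\Users\asmith\Desktop\notes.txt -> C:\Users\asmith\Desktop\notes.txt.bak
2020-03-24T18:42:00Z host=WS-0007 event=http method=GET url=https://www.example.org/index.html
"""

LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) (?P<rest>.*)$")


def parse(line):
    """Split one telemetry line into its fields; returns None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines):
    """Return (host, rule, detail) tuples for C2 key uploads and mass .locked20 renames."""
    alerts = []
    recent = defaultdict(deque)   # host -> timestamps of .locked20 renames inside WINDOW
    flagged = set()               # hosts already reported for mass renaming
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["event"] == "http":
            m = re.match(r"method=(\S+) url=(\S+)", ev["rest"])
            if not m:
                continue
            method, url = m.groups()
            parsed = urlparse(url)
            if method == "POST" and parsed.hostname in C2_HOSTS and parsed.path in C2_PATHS:
                alerts.append((ev["host"], "ransomware key upload to C2", url))
        elif ev["event"] == "rename":
            m = re.search(r"-> (.+)$", ev["rest"])
            if not m or not m.group(1).lower().endswith(RANSOM_EXT):
                continue
            window = recent[ev["host"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > WINDOW:
                window.popleft()   # drop renames that fell out of the sliding window
            if len(window) >= RENAME_THRESHOLD and ev["host"] not in flagged:
                flagged.add(ev["host"])
                alerts.append((ev["host"], "mass rename to .locked20", m.group(1)))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_LOG.strip().splitlines()):
        print(f"{host}: {rule} ({detail})")
```

The C2 match is exact on host and path, which is brittle once the actor rotates infrastructure; the rename-burst rule is the more durable of the two because it keys on the behaviour (many files gaining one new extension in a short window) rather than on this campaign's indicators.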

“The objective of this blog was to give a deeper understanding on some of the types of cybercrime campaigns being faced by multiple critical industries dealing with the urgent and critical response efforts of the COVID-19 pandemic. It is clear from these cases that the threat actors who profit from cybercrime will go to any extent, including targeting organizations that are in the front lines and responding to the pandemic on a daily basis,” concludes the report.

“While this blog specifically focused on two campaigns, Unit 42 is tracking multiple campaigns with COVID-19 themes being used by threat actors on a daily basis and this trend is likely going to continue for weeks to come.”

Pierluigi Paganini