- While coronavirus-related phishing campaigns are spiking, some attackers are getting lazy, according to analysis of ransomware sent to various global government agencies and medical organizations from Palo Alto Networks' Unit 42. The group observed ransomware variant EDA2, which is associated with HiddenTear.
- The malicious file was outdated, meaning it did not correspond with the date it references. Malware authors also neglected to "make their lures appear legitimate in any way," according to the report. None of the campaigns observed in this research were successful.
- After the remote command and control gains the target's username and hostname details, encryption begins using a "fairly simple" algorithm. Additionally, the ransomware has "a particularly substantial limitation," as it can only encrypt files on the victim's desktop.
Phishing attacks spiked 667% from February to March as bad actors took advantage of the healthcare and economic crisis. But not all cybercriminals are putting as much care into their malware campaigns.
"This campaign was not sophisticated by any means," Adrian McCabe, senior threat researcher for Unit 42, told CIO Dive in an email. The attacker attempted to "take advantage of people's curiosity toward any particular topic that is popular at a given time," as cybercriminals typically do.
Unit 42 observed another campaign, AgentTesla, sent to healthcare, pharmaceutical and government industries. AgentTesla is sold across forums for cybercriminals and is known for stealing information so its popularity swelled.
The campaign uses legitimate business domains as the email sender. The business domains belong to companies in electronic skateboard sales and garment textiles and were likely compromised by the attacker.
While the disguised email sender used realistic emails, their recipients were likely the wrong audience. Other cybercriminals pay more attention to detail. IBM X-Force found Emotet trojans distributed in Japan attached to the coronavirus outbreak. Senders disguised themselves as a disability welfare service provider.
Unit 42 couldn't attribute the campaigns for anyone in particular because EDA2 is open sourced, according to McCabe. EDA2's limitations — hardcoded to only encrypt a victim's device — is "either short-sighted, dumb or lazy. Exactly which one is anybody's guess."
As more spoofed email addresses will fill targets' inboxes, McCabe recommends using an enterprise email filtering capability "to its fullest potential."
McCabe wants companies to ask, "Would an email with 'COVID-19' in the subject and an executable as an attachment ever be something that could occur organically as part of your firm's legitimate business activities?"