Perception Point intercepts coronavirus-themed attacks on a daily basis. Attackers have already started to improve their methods and are showing greater creativity in designing the attacks. In this short blog, we present 3 examples of recent attacks:
• 2 phishing attacks
• 1 malware attack

We urge CISOs and security experts to read our ongoing publications to be better prepared for the upcoming attacks. It’s not a question of if, but of when, so make sure your organization is prepared to face corona-related attacks.

Phishing Campaign 1: COVID-19 as an internal HR fax.

OVERVIEW.

In this campaign, the attacker poses as a member of the client’s HR team and asks the recipients to read a document related to COVID-19.

URL: HTtp[:]//jotformdr[.]magicicescraper[.]com/screen_.php?_dfEERifoGfjgvSwqq__ew0dXXskdcZmaspowwq______________doffkvlgpPdkfjgggWqqwRe

Redirect URL: https[:]//sharepo[.]islanders-icket[.]com/share/index.php?recv s_details=SFI7Q09WSUQtMTkgSW1wLiA5NDk1My5kb2N4&xuuid=46aad8b6-8669-45ea-8f5d-f570beba3dad

From Address: Fax <noreply@jotform.com>

Source IP: 152.160.199.62

Once the recipient clicks the link, a well-designed phishing page made to look exactly like Outlook appears. The aim of this attack is to steal the recipients’ Outlook credentials.

Phishing Campaign 2: Spoofed internal audio support.

OVERVIEW.

Our system identified this campaign on March 24, 2020. In this email, the attacker designed the message to look like an internal audio message from support related to COVID-19. Once the user is fooled into clicking the `Listen/Download` button, a phishing site appears in an attempt to steal credentials.

URL: http[:]//7k20o[.]app[.]link/
Redirect URL: https[:]//ryif43d-comedic-dingo[.]mybluemix[.]net/&ESzSrbPcGxc-!&@qlDH4uSrjOEdpmbc1T9oFMNx&!@xTy17fMi3rW8jD@&!-d9&duY5o4Tb-YuCw&&2AfEr16B0Ti48g/OIPYVwEFVFA
From Address: Fax <noreply@jotform.com>
Source IP: 152.160.199.62

Malware Campaign 3: COVID-19 as a payment delay.

OVERVIEW.

In this campaign, the attacker pretends that a wire transfer was delayed because of the COVID-19 situation. However, the attached zip file actually contains a malicious executable. Once the recipient opens it, malicious code runs on the recipient’s host (as shown below).

File name: Invoice copy.TT.zip~.exe
SHA256: c1fb1e040e15406c3b4ad57191aa060354318b81919e2ec814a9308436641409
Source IP: 185.165.116.18
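As an added example (not Perception Point’s code), the following Python script turns the indicators published above into a simple triage check for exported messages or mail-gateway records: it refangs the defanged hosts, matches the published source IPs and SHA256, flags an attachment whose real extension is executable behind an archive-looking name as in Campaign 3, and flags mail that claims to be internal HR or support yet arrives from an external domain, as in Campaigns 1 and 2. ORG_DOMAIN, the sample messages and the function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit
# Indicators quoted from the blog above, kept defanged as published.
CAMPAIGN_HOSTS = {"jotformdr[.]magicicescraper[.]com", "sharepo[.]islanders-icket[.]com",
                  "7k20o[.]app[.]link", "ryif43d-comedic-dingo[.]mybluemix[.]net"}
CAMPAIGN_IPS = {"152.160.199.62", "185.165.116.18"}
CAMPAIGN_SHA256 = {"c1fb1e040e15406c3b4ad57191aa060354318b81919e2ec814a9308436641409"}
ORG_DOMAIN = "example.com"  # assumed: the protected organisation's own mail domain
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".zip", ".rar", ".doc", ".docx", ".pdf", ".xlsx"}

def refang(indicator: str) -> str:
    """Turn a published, defanged indicator back into a matchable value."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def deceptive_attachment(name: str) -> bool:
    """True when the last extension is executable but a decoy archive/document extension precedes it."""
    lower = name.lower()
    dot = lower.rfind(".")  # no dot gives -1: lower[-1:] is a bare letter, never an executable extension
    return lower[dot:] in EXECUTABLE_EXTS and any(d in lower[:dot] for d in DECOY_EXTS)

def assess_message(msg: dict) -> list:
    """Return the reasons a message matches these campaigns' indicators or lures."""
    reasons = []
    if msg["source_ip"] in CAMPAIGN_IPS:
        reasons.append(f"source IP {msg['source_ip']} is a published campaign IoC")
    for url in msg.get("urls", []):
        host = urlsplit(refang(url)).hostname or ""
        if host in {refang(h) for h in CAMPAIGN_HOSTS}:
            reasons.append(f"URL host {host} is a published campaign IoC")
    for att in msg.get("attachments", []):
        if att.get("sha256") in CAMPAIGN_SHA256:
            reasons.append(f"attachment {att['name']} matches a published SHA256")
        if deceptive_attachment(att["name"]):
            reasons.append(f"attachment {att['name']} hides an executable behind a decoy extension")
    # Both phishing lures posed as internal HR / support mail yet came from an external domain.
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain != ORG_DOMAIN and re.search(r"\b(hr|human resources|support)\b", msg["subject"], re.I):
        reasons.append(f"claims to be internal mail but was sent from external domain {sender_domain}")
    return reasons

# Constructed sample messages modelled on the three campaigns (not real captures).
SAMPLES = [
    {"from": "noreply@jotform.com", "subject": "HR: COVID-19 fax for all staff", "source_ip": "152.160.199.62",
     "urls": ["http://jotformdr.magicicescraper.com/screen_.php?x=1"], "attachments": []},
    {"from": "billing@partner.example", "subject": "Wire transfer delayed due to COVID-19",
     "source_ip": "185.165.116.18", "urls": [], "attachments": [{"name": "Invoice copy.TT.zip~.exe", "sha256": next(iter(CAMPAIGN_SHA256))}]},
    {"from": "alice@example.com", "subject": "Lunch menu", "source_ip": "10.0.0.5", "urls": [],
     "attachments": [{"name": "menu.pdf", "sha256": "0" * 64}]},
]
```

Running `assess_message` over each entry in `SAMPLES` yields three reasons for each of the first two messages and none for the benign third one.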