Our recent blogs have detailed the issue of attackers leveraging the COVID-19 pandemic to execute cyberattacks. In this blog we provide more similar examples, focusing on COVID-19 malware attacks and phishing attempts. Caught by our advanced threat protection and analyzed by our Incident Response team, we hope this post will help you and your organization better prepare for these types of COVID-19 attacks.

Phishing Campaign 1: COVID-19 as an internal HR fax.

OVERVIEW.

In this campaign, the attacker claims to be part of the Client’s HR team. The attacker asks the recipients to read a document related to COVID-19.

URL: HTtp[:]//jotformdr[.]magicicescraper[.]com
/screen_.php?_dfEERifoGfjgvSwqq__ew0dXXskdcZmaspowwq______________doffkvlgpPdkfjgggWqqwRe

Redirect URL: https[:]//sharepo[.]islanders-icket[.]
com/share/index.php?recv s_details=SFI7Q09WSU
QtMTkgSW1wLiA5NDk1My5kb2N4&xuuid=46aad8b6-8669-45ea-8f5d-f570beba3dad

From Address: Fax noreply@jotform.com

Source IP: 152.160.199.62

However, once the recipient clicks on the link, a well-designed phishing page made to look exactly like Outlook appears. The aim of this attack is to steal the end-user’s credentials and gain access to their Outlook account.

Phishing Campaign 2: Spoofed internal audio support.

OVERVIEW.

Our system identified this campaign in March 24, 2020. In this email, the attacker designed the mail to be an internal audio from support related to COVID-19. However, once the user clicks on the `Listen/Download` button, a phishing site shows up in attempt to steal credentials.

URL: http[:]//7k20o[.]app[.]link/
Redirect URL: https [:]//ryif43d-comedic-dingo[.]mybluemix[.]net/&ESzSrbPcGxc-!&@qlDH4uSrjOEdpmbc1T9oFMNx&!@xTy17fMi3rW8jD@&!-d9&duY5o4Tb-YuCw&&2AfEr16B0Ti48g/OIPYVwEFVFA
From Address: Fax noreply@jotform.com
Source IP: 152.160.199.62`

Malware Campaign 3: COVID-19 as a payment delay.

OVERVIEW.

In this last campaign, the attacker tries to misrepresent a wire transfer that was delayed due to the COVID-19 situation. However, inside the zip file, there is actually a malicious executable file. Once the recipient clicks on it, a malicious code runs on the recipient’s host (as shown below).

File name: Invoice copy.TT.zip~.exe
SHA256: c1fb1e040e15406c3b4ad57191aa060354318b81919e2ec814a9308436641409
Source IP: 185.165.116.18`

 

For more examples of pandemic-related cyberattacks like these, check our previous blogs:

COVID-19 Phishing Campaigns Alert

COVID-19 Cyber Campaign: Domain Spoofing