COVID-19 phishing scams have reportedly been going out to consumers, trying to get them to buy face masks, protective gear and phony medical cures, or to give up bank or government login credentials in order to claim government-backed coronavirus financial aid.

But governments and health-related institutions also have to be on the lookout for scams, Palo Alto Networks warned today.

In a blog published this morning researchers said they discovered two COVID-19 themed campaigns:

  • One was an email carrying ransomware, aimed at an unnamed Canadian government health organization and a Canadian university conducting COVID-19 research
  • The other was an email carrying an information stealer, sent to a United States defence research entity, a Turkish government agency managing public works, a German industrial manufacturing firm, a Korean chemical manufacturer, and medical organizations and medical research facilities located in Japan and Canada.
This ransomware notice would appear if a victim opened the attachment

Governments and health care institutions “need to be extra suspicious” right now of COVID-19-related scams, said Jen Miller-Osborn, deputy director at Palo Alto Networks’ Unit 42 threat intelligence unit.

“It’s particularly egregious,” she said, to try and take advantage of people during a health crisis, adding that’s a typical strategy for criminals during a newsworthy event. “They’re exploiting all this fear. We’re definitely seeing an uptick in malicious activity.”

Criminals are using COVID-19 to get victims to open an attachment or click on a link. Miller-Osborn said technically these are the same attack strategies as before the pandemic; just the subject line and wording of the email messages have changed.

On March 20th the federal government’s Canadian Centre for Cyber Security warned that threat actors may try to steal intellectual property from medical researchers or extort money through ransomware.

The ransomware attack detected by Palo Alto Networks came from a spoofed World Health Organization email address (noreply@who[.]int) “to add that air of legitimacy,” she said.

Although the email was aimed at particular organizations, it opened with a generic “Dear Sir” type of greeting, a clear sign that the message should be treated with suspicion.

The malicious attachment has the file name 20200323-sitrep-63-covid-19.doc. If the victim opens it, a page of scrambled text appears, a second indicator that it is malicious. Of course, by this time it is too late to stop the ransomware, which researchers identified as variants of the open-source EDA2 and Hidden Tear code, from executing. A victim might, however, still have time to notify infosec staff so they can check whether it has spread to other machines.

The fact that the document is scrambled text suggests the creators don’t care about being sophisticated, or, as Miller-Osborn said, “these actors aren’t particularly skilled or technical.”

The second campaign aims to trick victims into downloading the Agent Tesla information-stealing malware, which has been around since 2014, as a foothold for further attacks.

A typical email has the subject line “COVID-19 Supplier Notice” and comes from what appears to be a legitimate company email address. It is addressed to “Dear Valued Supplier,” and in at least one case purports to be from a senior buyer at a firm in Oman. The message simply says “Please find the attached second notification,” a trick intended to fool an employee worried that they missed the first notification.

The attached file is named COVID-19 Supplier Notice.zip.
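The indicators described for both campaigns (a sender address the receiving mail server cannot authenticate, a generic greeting, a COVID-19 lure in the subject or body, and an Office document or archive attached) are simple enough to check automatically on inbound mail. The following script is an added example written for this article; it is not code from Palo Alto Networks or Unit 42. It parses raw RFC 5322 messages with Python's standard `email` package and returns the indicators it finds. The three sample messages are constructed here (the subject of the WHO-themed message, the vendor domain and the Authentication-Results headers are assumptions; only the sender address, greetings, attachment names and "second notification" wording come from the article). Catching the spoofed who.int sender relies on the receiving MTA recording its SPF and DMARC results in an Authentication-Results header, which is what those checks exist for.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from os.path import splitext

# Indicators drawn from the two campaigns described in the article.
GENERIC_GREETINGS = (r"\bdear\s+sir\b", r"\bdear\s+madam\b",
                     r"\bdear\s+valued\s+(?:supplier|customer)\b")
LURE_PHRASES = (r"\bsecond\s+notification\b", r"\bcovid-?19\b", r"\bcoronavirus\b")
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".zip", ".iso", ".exe", ".js"}


def sender_domain(msg: EmailMessage) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def sender_auth_failed(msg: EmailMessage) -> bool:
    """True when the receiving MTA's Authentication-Results header (RFC 8601
    format assumed) records an SPF or DMARC failure, i.e. a likely spoofed From."""
    results = msg.get("Authentication-Results", "")
    return re.search(r"\b(?:spf|dmarc)=(?:fail|softfail)\b", results, re.I) is not None


def attachment_names(msg: EmailMessage) -> list:
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def triage(raw: str) -> list:
    """Return the indicator tags found in one raw message, in a fixed order."""
    msg = message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part else ""
    haystack = msg.get("Subject", "") + "\n" + text
    reasons = []
    if sender_auth_failed(msg):
        reasons.append("sender-auth-failed:" + sender_domain(msg))
    if any(re.search(p, text, re.I) for p in GENERIC_GREETINGS):
        reasons.append("generic-greeting")
    if any(re.search(p, haystack, re.I) for p in LURE_PHRASES):
        reasons.append("covid-lure")
    for name in attachment_names(msg):
        if splitext(name)[1].lower() in RISKY_EXTENSIONS:
            reasons.append("risky-attachment:" + name)
    return reasons


def is_suspicious(raw: str) -> bool:
    """A COVID-19 keyword on its own is not evidence; require two independent indicators."""
    return len(triage(raw)) >= 2


def build_sample(sender, subject, body, attachment=None, auth_results=None) -> str:
    """Build a constructed sample message (not a real capture) as raw MIME text."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "procurement@example.org"  # assumed recipient
    msg["Subject"] = subject
    if auth_results:
        msg["Authentication-Results"] = auth_results
    msg.set_content(body)
    if attachment:  # placeholder bytes stand in for the real payload
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


# Constructed sample 1: spoofed WHO sender, generic greeting, .doc attachment.
WHO_SAMPLE = build_sample(
    "World Health Organization <noreply@who.int>",
    "COVID-19 situation report 63",  # assumed subject
    "Dear Sir,\n\nPlease find attached the latest situation report.\n",
    attachment="20200323-sitrep-63-covid-19.doc",
    auth_results="mx.example.org; spf=fail smtp.mailfrom=who.int; dmarc=fail header.from=who.int")

# Constructed sample 2: mail from a compromised (so authenticating) vendor domain.
SUPPLIER_SAMPLE = build_sample(
    "Senior Buyer <buyer@compromised-vendor.example>",  # assumed domain
    "COVID-19 Supplier Notice",
    "Dear Valued Supplier,\n\nPlease find the attached second notification.\n",
    attachment="COVID-19 Supplier Notice.zip",
    auth_results="mx.example.org; spf=pass smtp.mailfrom=compromised-vendor.example; dmarc=pass")

# Constructed sample 3: legitimate internal mail that merely mentions COVID-19.
BENIGN_SAMPLE = build_sample(
    "Alex Lee <alex.lee@example.org>",
    "COVID-19 remote work schedule",
    "Hi Priya,\n\nThe updated rota is on the intranet.\n",
    auth_results="mx.example.org; spf=pass smtp.mailfrom=example.org; dmarc=pass")

if __name__ == "__main__":
    for label, raw in (("WHO", WHO_SAMPLE), ("Supplier", SUPPLIER_SAMPLE), ("Benign", BENIGN_SAMPLE)):
        print(label, is_suspicious(raw), triage(raw))
```

The second campaign shows why the authentication check alone is not enough: mail sent through a genuinely compromised company domain passes SPF and DMARC, so the verdict has to rest on the combination of greeting, lure and attachment type rather than on any single indicator.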

Because this campaign uses the compromised domains of real companies (firms selling electric skateboards and garment textiles) both for sending mail and for communicating with command-and-control servers, it is a reminder to IT pros that enforcing two-factor authentication and monitoring their web site code for unauthorized changes will help reduce the chances of their own infrastructure being used to help attackers.