With the rapid spread of Coronavirus (COVID-19) worldwide, cyber attacks that use “Coronavirus” as a lure have intensified. 360 Security Center detected multiple similar attacks during this time; the attackers mostly sent phishing emails to victims while posing as the “WHO”.
As of March 4, 2020, the number of confirmed cases in Italy had reached 2036. As the epidemic intensified in the region, we detected phishing email attacks against the Italian Internet, multimedia and other industries. We speculate that more and more cyber-attack activity will use Coronavirus as a hot topic, and that areas where the epidemic is intensifying may also become the main targets of such activity.
Technical Analysis
The email we intercepted was titled “Coronavirus Informazioni importanti su precauzioni”, and its sender posed as a researcher from the World Health Organization in Italy.
The message and its translation are as follows:
The malicious document carried in the attachment contains the following code, which drops a JavaScript script and executes it:
The JSE script is obfuscated Ostap malware, which collects system information and downloads and executes other payloads.
Similar attack case study
In the past month, we have detected a number of similar phishing email attacks that use Coronavirus in the title. One forged the identity of the World Health Organization to attack a shipping company in Singapore with “CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm”:
Another forged the World Health Organization’s identity to attack the Ukrainian region under the title “Коронавірусна інфекція COVID-19.doc”:
The attack methods are similar, but they belong to different hacking teams and are distributed across different victim areas. Of course, we don’t think the epidemic is the cause of such attacks, but the attackers know how to take advantage of the situation. They are good at using these hot topics to launch attacks. Any topic that may be of interest to the victim may become an attacker’s entry point.
360 Security Center therefore recommends that users stay alert to emails that use hot topics such as the “epidemic” as the subject, and send such emails to professionals for analysis to ensure their security and to prevent such attacks to some extent.
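As a starting point for that analysis, the following added example (not code from 360 Security Center) flags the three traits the emails in this article share: a sender display name claiming to be the WHO from a non-WHO domain, an epidemic-themed subject, and an attachment type that can carry macros or scripts. The function names, finding labels, extension list and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Lure keywords taken from the subjects and file names quoted in this article.
LURE_RE = re.compile(r"corona\s*virus|covid|коронавірус", re.IGNORECASE)
# Brand the article reports being impersonated; "WHO" is matched case-sensitively.
BRAND_RE = re.compile(r"\bWHO\b|(?i:world health organi[sz]ation)")
BRAND_DOMAIN = "who.int"
# Office formats that can carry macros, plus Windows script types such as .jse.
RISKY_EXT = (".doc", ".docm", ".xls", ".xlsm", ".js", ".jse", ".vbs", ".wsf")

def triage(raw_message: bytes) -> list:
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    legit = domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN)
    if BRAND_RE.search(display) and not legit:
        findings.append("sender-impersonates-WHO")
    if LURE_RE.search(str(msg.get("Subject", ""))):
        findings.append("epidemic-lure-subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append("risky-attachment:" + name)
    return findings

def build_sample(sender: str, subject: str, attachment: str = "") -> bytes:
    """Build a constructed test message; no real sample is embedded."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@recipient.example", subject
    m.set_content("Constructed body text.")
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    raw = build_sample("World Health Organization <info@mail.example>",
                       "Coronavirus Informazioni importanti su precauzioni",
                       "sample.doc")
    print(triage(raw))
```

The sender check only catches a display name that does not match the address domain; a forged who.int address has to be caught through the receiving server's SPF, DKIM and DMARC results.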