Coronavirus outbreak used by hackers to spread malware

Posted on: Monday, February 17, 2020 By: KorchekStaff

One sophisticated attack method takes advantage of the trusted World Health Organization name to distribute an attachment that will install the AgentTesla Keylogger.

Malicious actors are using the outbreak of the Wuhan novel coronavirus, or 2019-nCoV, as an opportunity to launch emailed-based cyber attacks, according to security specialist Proofpoint.

WHY IT MATTERS
The company uncovered a continuing expansion of cyber attacks themed around the Coronavirus, including a new campaign promoting conspiracy theory-based fears around "unreleased cures," and dupes multiple users into accepting malware by abusing perceived legitimate sources of health information.

While the attacks initially targeted people in the United States and Japan, Proofpoint noted recent examples are targeted at Australia and Italy, where Italian-language lures are being used.

A company blog post by Sherrod DeGrippo, Proofpoint's senior director of threat research and detection, noted attackers have expanded the malware used in their Coronavirus attacks to include not just Emotet and the AZORult information stealer, but also the AgentTesla Keylogger and the NanoCore RAT, all of which can steal personal information, including financial information.

In one campaign example, recipients of an email designed to stoke fears of an available cure that is being withheld – a conspiracy theory – urges the recipient to receive further information on the "cure" by clicking on the link provided in the email.

The link leads users to a fake DocuSign page where they're encouraged to share personal credentials to receive the bogus information – the sophisticated attack method is also being deployed under the guise of company email blasts to bolster the message's credibility.

One sophisticated attack method also contains a Microsoft Word attachment with an embedded URL that leads to a fake Microsoft Office website, while a third takes advantage of the trusted World Health Organization name to distribute an attachment that will install the AgentTesla Keylogger.

THE LARGER TREND
As the coronavirus continues to spread, healthcare technology vendors such as Epic, athenahealth and intersystems are rolling out software updates to help providers better detect and monitor potential cases.

While the U.S. Centers for Disease Control and Prevention says health risk of coronavirus for the general American public is low at this time, HIMSS is continuing to closely monitor the situation and will be offering regular updates to those attending the 2020 HIMSS Global Health Conference, which is set for March 9-13 at the Orange County Convention Center in Orlando, Florida.

ON THE RECORD
"Once installed, this malware will record all keystrokes and send it to the attackers, a tactic that can give access to online banking and financial accounts," DeGrippo said.

She also noted attackers are leveraging the economic implications of the virus to target a greater number of industries, such as manufacturing, retail, and transportation.

"These emails are also pushing a wider variety of malware than before. All the evidence suggests that cybercriminals are finding success with this particular theme," DeGrippo noted. "Overall, these latest examples serve as a reminder that users should be watchful and exercise caution where Coronavirus-themed emails and websites are concerned."

Comments