Different threat actors exploiting the coronavirus crisis to send spear phishing campaigns | ThreatTraq

Don’t let coronavirus fears make you vulnerable to phishing scams. Ganesh Kasina and Andy Benavides of the AT&T Chief Security Office along with Jaime Blasco of AT&T Alien Labs discuss the week's top cybersecurity news, and share news on the current trends of malware, spam, and internet anomalies observed on the AT&T Network.

Here is the transcript: 

Ganesh: Hey, Jaime. I heard you have some interesting stories about some of the phishing campaigns using the recent coronavirus theme. Could you elaborate a little bit on that?

Jaime: Yes, that's correct. So as usual, the bad guys are trying to take advantage of any opportunity they have to trick more victims into clicking malicious links and opening malicious documents. On this occasion, we're going to talk about how cybercriminals are exploiting the coronavirus crisis. And I'm pretty sure that at this point, everybody is familiar with coronavirus, so we are not going to explain what it is, but we're going to describe some of these campaigns that we have found.

We have found cases where cybercriminals, financially motivated cybercriminals, are trying to exploit this. But we found a few campaigns that belong to some of the threat actors that we track in the cyber espionage group. So those would be actors that are likely state-sponsored and are using these campaigns to gain access to local governments and other types of victims.

In most cases, these emails look like they come from government organizations such as the CDC, the Centers for Disease Control and Prevention, or maybe the World Health Organization, or even say things like, "Hey, here's the latest news about the coronavirus. Click here because there is something here that you need to know about." It's exploiting a sense of urgency.

We have been monitoring the threat landscape since January, actively looking for these campaigns because we know every time there is something like this, we are going to see this activity because cybercriminals typically try to exploit this type of incident.

The first one that we saw was actually a campaign in late January that was targeting end users in Japan. It was Emotet malware; many of you are familiar with it. Emotet is one of the most common malware families today. They are launching spear phishing campaigns almost every day. And usually, Emotet is the first stage and it may download other payloads such as TrickBot subsequently.

The second campaign that we saw that followed that one was from a group the cybersecurity community calls Patchwork. This is a state-sponsored actor and in this particular case was targeting Chinese users and corporations in early February.

Another interesting case that we found is a spear phishing email that we found in a public malware repository that looked like it was coming from the Center for Public Health of the Ministry of Health of Ukraine and was delivered in a bait document containing, again, the latest news about the coronavirus. It was targeting some local government in Ukraine. We couldn't find out which threat actor was behind this. It didn't match any of the clusters of threat activity that we have, so we created a new separate cluster of activity for this actor that we will continue to monitor.

On top of this, we have been seeing many different remote access tool threats. So basically, Microsoft Office documents that either exploit a specific CVE or are using macros to deliver different RATs like Remcos, NanoCore, and Parallax. We have seen multiple campaigns. Those are usually individuals or cybercriminals that are launching one-off campaigns. Since they use malware families that are shared in cybercrime forums and are easy to access, it's really hard to tell who is behind those cases.

But the more recent campaign we have been analyzing and paying attention to relates to a threat actor that Proofpoint calls TA428. This particular threat actor has been targeting government and IT organizations in East Asia for the last couple of years. We saw a campaign that used this coronavirus lure as well to trick users.

Then the last one that we found a couple of days ago was the OS-Top malware family. There was a campaign that was targeting users in Italy, which has been hit hard by coronavirus. Threat actors are trying to target users inside of those countries that have more coronavirus cases.

And lately the way we have tracked these is both with the intelligence that we have internally from AT&T Cybersecurity, AT&T Alien Labs, and AT&T CSO, but also, we have seen multiple publications from Cisco and other vendors that have been talking about these campaigns.

And don't forget that if you want to access the Indicators of Compromise (IoC) and the threat intelligence related to these campaigns and others, you can find all this information in the Open Threat Exchange. It's OTX.alienvault.com and that's where you can access all those indicators that we will continually update.

Andy: That's interesting. You guys have been really busy. Something like this usually is a little more isolated of an incident that cybercriminals tend to attack, you know, maybe this particular city has some issue going on or maybe this particular country. But in this case, in the case of coronavirus, it's a global issue, right? It's something that almost everybody is facing so the threat landscape, so to speak, the number of people who are coercible, if you want to use that word, to an email that says something about coronavirus is huge. There are so many different countries that you can get after and so many different ways to do it. You guys have been busy and I'm sure there's a lot of really good information on that Open Threat Exchange.

Ganesh: Also, what would be some recommendations for our users to protect against something like this other than regular internet hygiene? Any ideas, any suggestions?

Jaime: For users, follow your training and follow common sense, right? If you get an email that has a call to action, always double-check. Check things like who is sending the email, the subject, the headers, does it have any links? Does it have any attachments? And if you have any doubts about the origin or whether or not you should click, report it to your security teams or just ignore the email. If it's something urgent, it's very likely that it will come through another source as well.

Ganesh: Interesting. Good points.

Andy: And familiarize yourself with social engineering tactics. One of the main tenets of it is urgency and playing upon fear. So that's a good point, Jaime. If the email in front of you has something urgent to get in front of your face, that should be a red flag.

Ganesh: I think the theme is user education and getting users to pause and think about it.



The AT&T Chief Security Office (CSO) establishes policy and requirements, as well as comprehensive programs, to ensure security is incorporated into every facet of AT&T's computing and networking environments. Our technical personnel work in partnership with other AT&T Business Units and Divisions to evaluate threats, determine protective measures, create response capabilities, and ensure compliance with best security practices.
