Each day, as the novel coronavirus multiplies and spreads, so do cyber scams capitalizing on users' fears and thirst for knowledge concerning this pandemic. The perpetrators, and their victims, are based all over the world, as evidenced by two recently discovered global APT-style campaigns designed to spread remote access trojans.
Fake Indian Health Advisory spreads Crimson RAT
APT36, a reputed Pakistani APT group with designs on Indian targets, has launched an email-based spear phishing campaign that delivers the Crimson RAT trojan via links to a malicious document that purports to come from the Indian government.
The document reads like a health advisory for businesses and training institutions, according to the Malwarebytes research team in a blog post that cites previous reporting from the Red Drip team. It reminds recipients that trainers and workers coming in from foreign countries could spread the virus further, and recommends that these organizations institute preventive measures and provide directions to nearby medical establishments.
Opening the document and enabling the hidden macros begins the infection chain that drops the RAT, which can steal browser-based credentials, gather victim machine information, capture screenshots, leverage the TCP protocol for C2 communications and more. The malware drops either a 32-bit or 64-bit zip format version of the final payload, depending on the victim's OS type.
In previous campaigns, APT36 -- which also goes by Mythic Leopard and other aliases -- was able to "compromise Indian military and government databases to steal sensitive data, including army strategy and training documents, tactical documents, and other official letters," Malwarebytes reports. "They also were able to steal personal data, such as passport scans and personal identification documents, text messages, and contact details."
'Vicious Panda' campaign delivers RAT via phony Mongolian government announcement
Suspected Chinese actors have been targeting the Mongolian public sector with a newly discovered malware implant, spread via several malicious documents, including one that looks like a fake coronavirus press release sent by the Mongolian Ministry of Foreign Affairs.
The RTF document, written in Mongolian, purports to contain global casualty statistics coming from China's State Council Media Service and National Health Committee of China, according to a blog post from researchers at Check Point Software Technologies. But in reality, it contains an embedded object that exploits a vulnerability in Microsoft Word's Equation Editor.
Opening the document triggers an infection chain involving a series of DLL files, the last one being a RAT module that is loaded into memory and is capable of taking screenshots; listing, creating and deleting directories; moving, deleting and downloading files; executing processes and more.
The campaign, dubbed Vicious Panda, has also been sending a second RTF document that does not invoke COVID-19, but rather pretends to be a proposal from the Overseas Ministry of Foreign Affairs that pertains to purchasing buildings and amending a certain "State Ceremonial Procedure."
"A closer look at this campaign allowed us to tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016," the Check Point report states. "Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia, and Belarus."