Looking to capitalize on the current coronavirus scare, malware distributors have launched a new phishing campaign that targets global companies with emails that suggest that the virus could disrupt shipping operations.
According to a Feb. 10 research blog post authored by Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, the malicious actors have been sending the phishing emails to businesses whose supply chain operations and revenues could potentially be negatively impacted by the outbreak, which has reportedly killed more than 1,000 people and infected tens of thousands more. Such businesses include manufacturing, industrial, finance, transportation, pharmaceutical, and cosmetic companies.
“Hi, I thought that this brief note in doc format on the Coronavirus and its impact on the Shipping industry could be of interest for you,” reads one recent sample phishing email, which included the subject line lure: “Coronavirus – Brief note for the shipping industry.”
The perpetrators, who are likely from Russia and Eastern Europe, have been spiking these emails with attached malicious Microsoft Word documents that install the information stealer AZORult via an exploit for CVE-2017-11882, a remote code execution flaw in Microsoft Equation Editor. AZORult has been used in the past to download ransomware as a secondary infection, although so far this campaign has not exhibited this behavior, DeGrippo reports.
“The malware actors doing this… clearly understand the economic concerns surrounding the coronavirus,” the blog post states. “This awareness demonstrates not just technical sophistication, but economic sophistication as well.”
In late January, multiple research teams including those from Proofpoint and IBM X-Force Threat Intelligence similarly reported that an Emotet malware campaign was attempting to infect Japanese language-speakers by sending phishing emails that purportedly contained health information on the coronavirus.
In an in-person interview today, DeGrippo told SC Media that Proofpoint is now seeing a new coronavirus email phishing campaign “every couple of days,” and predicted that more will come.
So far, the campaigns have tended to use a mix of lures, some of which are coronavirus-themed, while others are more conventionally designed to look like fake invoices, shipping receipts and résumés. Some have exclusively targeted health care professionals, while others have targeted shipping companies and operators of large freighter fleets, she continued.
“What’s helping [the cybercriminals] is that a lot of HR departments are sending out coronavirus updates for their workforce,” instructing employees to stay home if they are sick, for example. So the phishing emails are “mixing in with the legit HR coronavirus warnings and that makes it harder to tell [the difference] and I think that that’s part of what the threat actor motivation is: ‘Well, we know you’re getting a legit one, so we’re gonna send one with malware too.’”