A Canadian government healthcare organization and a university medical research group are being targeted with COVID-19 phishing attacks with the emails being loaded with malware
Palto Alto Networks Unit 42 found EDA2 ransomware and the AgentTesla information stealer were used against both Canadian entities with AgentTesla alone also being launched against similar targets in the U.S., Turkey, Germany, Japan and Korea.
Unit 42 reported the attacks were successfully fended off.
“It is clear from these cases that the threat actors who profit from cybercrime will go to any extent, including targeting organizations that are in the front lines and responding to the pandemic on a daily basis,” Unit 42 said.
The emails were sent between March 24-26 and all had a faux World Health Organization email address, [email protected][.]int and the subject line “COVID-19 supplier notice”. The email itself contained a malicious Word document hosting the ransomware payload. The ransomware in question takes advantage of the quite old Microsoft component vulnerability, CVE-2012-0158, and will only be effective on computers that have not been patched.
The threat actors also did nothing to hide the fact that the Word document was fake as it contained nothing but a massive alphanumeric string.
Once downloaded the command and control server is contancted and an Adobe Acrobat icon appears on the device as a bit of subterfuge and an image containing the ransom note appears. It demands 0.35 bitcoin and an ID number.
The research also uncovered the fact that the criminals behind this activity apparently took over and are using the legitimate website and email domains liquidroam[.]com, and the C2 domain, lookmegarment[.]com. The site’s Goolge description says it sells electric skateboards, but the website itself is not functioning.