Much like the new cases of COVID-19 that occur daily, cybercriminals are constantly rolling out new tactics, techniques and procedures based on the pandemic.
One of the newer attacks, first observed on March 7, uses a Coronavirus themed email to spread RedLine Stealer malware. This is described as a particularly well designed, written and developed malware, reported Proofpoint, that is delivered through an email’s URL. Additionally, it is being distributed as a malware as a service priced at $150 lite version, $200 pro version and $100 per month subscription option.
The social engineering aspect of the attack is also highly developed. The subject line asks the recipient, generally a U.S.-based healthcare or manufacturing industry, to “Please help us with Fighting corona-virus”. They are supposedly from a company called Mobility Research which claims it is part of the Folding@Thome project. This name is an intentional misspelling of the legitimate Foldering@Home, a public-resource computing firm – like the now shuttered SETI at Home project, that might confuse people into opening the email.
The victim is then directed to the malware bucket on Bitbucket and asked to install it, Proofpoint said.
RedLine Stealer steals browser information such as login, autocomplete, passwords and credit cards. It also collects information about the user and their system such as the username, their location, hardware configuration, and installed security software. A recent update to RedLine Stealer also added the ability to steal cryptocurrency cold wallets.
But this is not the only campaign being run.
The gang TA505, which has pushed Locky ransomware and the Dridex banking trojan, this week started using a Coronavirus hook with their emails aimed at the downloader campaign targeting the U.S. healthcare, manufacturing, and pharmaceuticals industries.
TA564 is doing much the same against Canadian citizens using coronavirus emails to target Canadian users by spoofing the Public Health Agency of Canada in an attempt to deliver the banking trojan Ursnif.