Phishing Campaign Spreads Novel Malware Using Coronavirus Research As Bait
Published: April 2, 2020 on our newsletter Security Fraud News & Alerts Newsletter.
As is the norm during times of crisis and during natural disasters, the hackers and scammers get to work trying to take advantage the situation. The current one with the COVID-19 (aka coronavirus) outbreak is no different. In a recent finding, researchers at Proofpoint found a phishing scam developed to deliver a novel bit of malware called RedLine Stealer. It abuses a distributed computing project that is doing disease research.
The message received in the mass email campaign has the sender as “Shannon Wilson firstname.lastname@example.org” with the subject as “Please help us with fighting the corona-virus”. Supposedly, they are from a company called Mobility Research Inc. and strongly requests help from the recipients to find a cure for the virus by participating in a program called “Folding@Thome”. The extra “T” in the name is spoofing a real company called “Folding@Home.”
The legitimate Folding@Home program works in a similar way to the SETI@home program, you may have heard about. That one asks users who join it to use their computing power when they are not using it to help find extraterrestrial life forms (SETI stand for the Search for ExtraTerrestrial Intelligence). In this case however, they are looking for those willing to loan their computing power for disease research.
The fake one asks users to click a link. After that is done, users are redirected to a site on BitBucket that contains an executable containing malware. A rather realistic looking note pops up asking the users to download and install an app on the computer.
Certainly, if you go to any site that asks you to download anything to your computer, take a moment or several to think about what it is and why it needs to be on your computer. Do research before downloading anything and always run your antivirus tool on anything before installing, if it isn’t done automatically.
What’s that you say? Antivirus software? Yes, make sure that it installed and always updated on all of your devices. That includes the mobile ones. It won’t catch everything, but it will certainly catch a lot of it, so don’t go without it.
Make sure your computers and apps are always updated with the latest versions and with needed patches. And never, ever click links or attachments from unknown senders or that are not expected. If there is any doubt about anything you receive, call the sender and verify before doing anything at all.
RedLine Stealer has been seen for sale on several underground forums with several pricing options, showing again how cybercrime is being run as a business. The ads say the malware collects logins and passwords, cookies, information in those autocomplete fields (which is often payment card numbers), and any stored payment information. It also supposedly supports all versions of Chrome and all Gecko-based browsers; the most well-known and widely used being Firefox. In addition, it can do other things like:
Collect data from FTP Clients and IM clients
Search in sub-folders
Provide a list of countries it won’t work to would-be criminals
Collect information from the victim’s system such as the country, city, username, IP address, keyboard information, and operating system, among others.
This targets those in the U.S. primarily and mostly in the healthcare and manufacturing fields. People in those areas should be extra careful. Everyone should be on the lookout for phishing emails of all types using COVID-19 or the coronavirus as bait. In addition, update those computers and mobile devices, and always remember that you are the best line of defense for your organization in keeping phishing emails from doing novel damage to your network.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at email@example.com