the new cases of COVID-19 that occur daily, cybercriminals are constantly rolling
out new tactics, techniques and procedures based on the pandemic.
One of the newer attacks, first observed on March 7, uses a Coronavirus-themed email to spread the RedLine Stealer malware. Proofpoint, which reported the campaign, describes RedLine Stealer as particularly well designed, written and developed; it is delivered through a URL in the email. The malware is also being sold as malware-as-a-service: a $150 lite version, a $200 pro version, and a $100-per-month subscription option.
The social engineering aspect of the attack is also highly developed. The subject line asks the recipient, generally someone in the U.S. healthcare or manufacturing industries, to "Please help us with Fighting corona-virus". The emails purport to come from a company called Mobility Research, which claims to be part of the "Folding@Thome" project. That name is an intentional misspelling of the legitimate Folding@home, a distributed computing project (like the now shuttered SETI@home) that lends its volunteers' spare CPU and GPU cycles to protein-folding research, and the near-miss spelling is meant to persuade people to open the email.
The recipient is then directed to the malware hosted in a Bitbucket repository and asked to install it, Proofpoint reported.
RedLine Stealer harvests browser data such as saved logins, autocomplete entries, passwords and credit card details. It also collects information about the user and their system, including the username, location, hardware configuration and installed security software. A recent update to RedLine Stealer added the ability to steal cryptocurrency cold wallets.
But this is not the only campaign being run.
TA505, which has previously pushed Locky ransomware and the Dridex banking trojan, this week started using a Coronavirus hook in the emails of its downloader campaign targeting the U.S. healthcare, manufacturing and pharmaceutical industries
doing much the same against Canadian users, spoofing the Public Health Agency of Canada in coronavirus-themed emails in an attempt to deliver the Ursnif banking trojan.