Malspam in the Time of COVID-19

As the novel coronavirus disease, COVID-19, spreads around the planet, many people are filled with emotions like fear, uncertainty and hope, which are the top ingredients for an effective spam campaign. Cyber criminals are now taking full advantage of these emotions when disseminating malicious email spam (malspam) across the globe.

The CrowdStrike® data science team is closely tracking COVID-19-related malspam, and in this blog post we present some of the malspam types we’ve observed in order to illustrate the social engineering tricks being used and the types of malware delivered. This is by no means a complete list of the attacks we’ve noticed, only a few that you might find interesting.

Example 1: The Doctor, the Cure and the HawkEye

Not all phishing emails are professional-looking or error-free, as the first example illustrates; however, a simple message combined with a sophisticated payload delivery mechanism can be very effective.
[Screenshot: simple message claiming to have information about treatment for coronavirus; notice the typo in the country name]
The attached document is an RTF file that contains an embedded OLE object carrying a malicious macro. The macro downloads and executes the next-stage payload, an AutoIt-compiled executable. Although the AutoIt script can be decompiled, the resulting source is heavily obfuscated.
[Screenshot: RTF file with malicious code]
The second stage launches RegSvcs.exe (a legitimate .NET Framework binary) and injects into it a version of HawkEye, a trojan with features such as keystroke logging and password stealing. The injected executable is obfuscated with Confuser:
[Screenshot: Confuser-obfuscated code]

Example 2: Government Impersonation and Greater Sophistication

In the next example, the Spanish text urges the reader to download a document that supposedly lists the neighborhoods where COVID-19 has been detected. The sender is spoofed as the Colombian Ministry of Health. The phishing email carries a non-malicious PDF attachment that contains only the logo of the impersonated organization and a link to a password-protected archive; the password is given in the message body. This multi-step delivery incentivizes the user to download and execute the payload manually, and it lowers the chance of the message being blocked by spam filters, since no weaponized document is attached.
[Screenshot: the phishing email message content]
[Screenshot: the content of the attached PDF]
The archive contains an obfuscated .NET executable that acts as a dropper for the payload.
[Screenshot: meaningless code used to obfuscate the application flow]
The payload is a commodity remote access tool (RAT) named Warzone. This malware can bypass UAC using two different methods: the sdclt.exe bypass on Windows 10, and the IFileOperation COM object bypass on earlier versions of Windows. It also offers remote command execution, a keylogger and a webcam recorder, and it can steal credentials from Google Chrome, Firefox, Thunderbird and Microsoft Outlook.
[Screenshot: strings from the actual payload showing the credential-stealing ability]

Example 2, Take 2: Same RAT, Different Spoofed Institution

Another COVID-19 spam campaign that CrowdStrike observed delivering the Warzone RAT used the Centers for Disease Control and Prevention (CDC), a U.S. government agency, as bait.
[Screenshot: phishing message targeting U.S. citizens and delivering the Warzone RAT]
This malspam used a weaponized RTF document that exploits CVE-2017-11882, a stack buffer overflow in the Microsoft Office Equation Editor (EQNEDT32.EXE) that was patched in November 2017, to download and execute Warzone. Unlike the macro-based lure in Example 1, this exploit needs no macros, so the usual macro-security prompt never appears; simply opening the document on an unpatched system is enough.
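Both RTF lures above (the macro-carrying OLE object in Example 1 and the CVE-2017-11882 document here) hide their payload in an embedded object. The triage script below is an added example, not code from the blog post: it walks every `{\object ...}` group in an RTF, records the declared `\objclass`, notes whether `\objupdate` is set (which makes Word activate the object on open), hex-decodes the `\objdata` stream and checks it for the OLE compound-file magic and for Equation Editor markers (the `Equation.3` ProgID and its CLSID). The sample document it scans is constructed inline and is not one of the campaign files.

```python
"""Triage RTF attachments for embedded OLE objects (added example, not the
blog's own code).  For every {\\object ...} group it records the declared
\\objclass, whether \\objupdate is set (object activated on open), hex-decodes
the \\objdata stream and looks for the OLE compound-file magic and for
Equation Editor markers, the component abused by CVE-2017-11882."""
import re
import struct
import uuid

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Equation Editor 3.0 ProgID and CLSID; both show up in CVE-2017-11882 documents.
EQNEDT_PROGID = b"Equation.3"
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le


def _groups(text, opener):
    """Yield every balanced RTF group that starts with `opener`, e.g. '{\\object'."""
    start = 0
    while True:
        i = text.find(opener, start)
        if i < 0:
            return
        depth, j = 0, i
        while j < len(text):
            c = text[j]
            if c == "\\":          # skip escaped braces such as \\{ and \\}
                j += 2
                continue
            if c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        yield text[i:j + 1]
        start = j + 1


def _objdata(group):
    """Concatenate and hex-decode all \\objdata streams inside one object group.
    Malicious RTFs pad the hex with whitespace or junk, so non-hex is dropped."""
    data = bytearray()
    opener = "{\\*\\objdata"
    for d in _groups(group, opener):
        hexstr = re.sub(r"[^0-9A-Fa-f]", "", d[len(opener):-1])
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]
        data += bytes.fromhex(hexstr)
    return bytes(data)


def scan_rtf(rtf):
    """Return one finding per embedded object in the document."""
    findings = []
    for grp in _groups(rtf, "{\\object"):
        m = re.search(r"\{\\\*\\objclass\s+([^}]*)\}", grp)
        objclass = m.group(1).strip() if m else ""
        data = _objdata(grp)
        findings.append({
            "objclass": objclass,
            "objupdate": "\\objupdate" in grp,
            "objdata_len": len(data),
            "ole_offset": data.find(OLE_MAGIC),   # -1 if no compound file inside
            "equation_editor": (objclass.startswith("Equation.3")
                                or EQNEDT_PROGID in data
                                or EQNEDT_CLSID in data),
        })
    return findings


def build_sample_rtf():
    """Constructed test document (not a campaign file): one Equation.3 object
    wrapping a fake OLE compound file, plus a harmless Word object whose
    stream is truncated."""
    native = OLE_MAGIC + b"\0" * 0x200 + EQNEDT_CLSID + b"\0" * 16
    # OLE1 "embedded object" header: version, format id, class name, two zero
    # lengths, then the native-data size and the native data itself.
    ole1 = (struct.pack("<III", 0x501, 2, len(EQNEDT_PROGID) + 1)
            + EQNEDT_PROGID + b"\0" + struct.pack("<II", 0, 0)
            + struct.pack("<I", len(native)) + native)
    hexdata = ole1.hex()
    # Real documents wrap the hex over many lines; the scanner must cope.
    hexdata = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return ("{\\rtf1\\ansi\n"
            "{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            "{\\*\\objdata " + hexdata + "}}\n"
            "{\\object\\objemb{\\*\\objclass Word.Document.8}"
            "{\\*\\objdata 0105000002000000}}\n"
            "}")


if __name__ == "__main__":
    for finding in scan_rtf(build_sample_rtf()):
        print(finding)
```

The OLE compound-file magic does not sit at offset 0 of the decoded stream because `\objdata` wraps it in an OLE1 header that carries the class name in plain ASCII, which is why the scanner searches for both the magic and the ProgID. An `Equation.3` object with `\objupdate` set is the classic CVE-2017-11882 shape and deserves a closer look even when the document otherwise appears benign.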

Example 3: The Mysterious Case of the Screensaver

This third malspam example uses a different technique to raise the victim’s confidence that the email is legitimate. The message is written as if it were meant for a specific individual. Addressing it to a narrow group of people can make the recipient believe it was sent in a hurry but was genuinely intended for them, because of its personal tone. The email was delivered to a public-facing mailbox of the target organization. The attachment is an ISO image, an unusual format compared with the expected PDF, TXT or Microsoft Office document.
[Screenshot: targeted message]
First, we notice some typos:
[Screenshot: the header of the message]
[Screenshot: the message body]
[Screenshot: the signature block]
The file name referenced in the opening of the message matches the name of the attachment, “CDCHAN-00815,” which lends the file some credibility. Notably, the message gives no instructions related to the attachment, only the suggestion to download it. Nothing malicious happens when the file is downloaded and opened: the ISO opens in an archive application, so no file is executed immediately. The ISO contains a self-extracting RAR executable with a .scr (screensaver) extension. Its file name and date match the email message.
[Screenshot: content of the ISO attachment]
Extracting the contents of the RAR file, we find an executable named Aosnqcl.exe (hash: ) and a hidden file named Aosn.
[Screenshot: content of the screensaver file]
The executable reads the hidden file, which appears to hold Base64-like text. On closer inspection the hidden file turns out to be a plain-text representation of a Portable Executable (PE) file: the binary was Base64-encoded (radix-64) and the resulting text was written in reverse.
[Screenshot: content of the hidden file Aosn]
[Screenshot: deobfuscated content of the hidden file Aosn]
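Reversing the text and Base64-decoding it is all that stands between the hidden file and a runnable PE, but an analyst wants the decoder to prove it recovered a PE rather than trust the transform blindly. The following is an added example, not the blog's code: it tries plain and reversed Base64, and accepts a result only if it has an `MZ` stub and a `PE\0\0` signature at `e_lfanew`. The blob it decodes is constructed inline from a minimal fake header and is not the real Aosn file.

```python
"""Recover the PE hidden in Aosn-style text: Base64-encoded, then written in
reverse (added example, not the blog's code).  The sample blob is built here
from a minimal fake MZ/PE header and is not the real Aosn file."""
import base64
import binascii
import struct


def looks_like_pe(data):
    """Cheap structural check: 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def _b64(text):
    """Strict decode; returns None for anything outside the Base64 alphabet."""
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def deobfuscate(text):
    """Try the encodings in order and return (variant, bytes) for the first one
    that decodes to something PE-shaped, or (None, b'') if none does."""
    cleaned = "".join(text.split())          # the file may be wrapped over lines
    candidates = (
        ("base64", cleaned),
        ("reversed-base64", cleaned[::-1]),  # the Aosn trick: reverse, then decode
    )
    for variant, candidate in candidates:
        data = _b64(candidate)
        if data and looks_like_pe(data):
            return variant, data
    return None, b""


def build_sample_blob():
    """Constructed stand-in for the hidden file: 128 bytes with a valid
    MZ/PE header skeleton, Base64-encoded and then reversed."""
    hdr = bytearray(128)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return base64.b64encode(bytes(hdr)).decode()[::-1]


if __name__ == "__main__":
    variant, pe = deobfuscate(build_sample_blob())
    print(variant, len(pe), "bytes, PE:", looks_like_pe(pe))
```

Because the reversed text starts with the `=` padding, the strict decoder rejects the plain attempt outright and the reversed attempt is the one that yields the PE; on a real sample, write the returned bytes to disk and continue the analysis from there.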
The deobfuscated file is the dropper. These are the files it drops:
[Screenshot: files written by the dropper]
It then takes the following actions:
► Appends the following commands to Yako.bat:
[Screenshot: commands appended to Yako.bat]
► Drops a second batch file, Natso.bat, into C:\Users\Public\. This script replaces the original windir environment variable and comments out the remainder of the line; it is used to bypass UAC on Windows 10.
[Screenshot: UAC bypass on Windows 10]
► Drops an SSPICLI.dll into C:\Users\Public\. The DLL has the path of Yako.bat hardcoded and exports the function GetUserNameExW. It even carries a malformed code-signing certificate created on February 9, 2020 (spoiler alert: DLL hijacking).
► Drops a copy of the legitimate perfmon.exe into C:\Users\Public\.
► Drops a new batch file, Runex.bat, into C:\Users\Public\, containing the following snippet:
[Screenshot: contents of Runex.bat]
► Creates a fake C:\Windows \System32 folder and copies perfmon.exe and SSPICLI.dll into it. Most people won't notice fast enough that there are now two Windows folders in C:\, one named "Windows" and the other "Windows " (with a trailing space). Ordinary Win32 path handling strips trailing spaces from folder names, so a folder like this can only be created through the \\?\ path prefix and almost never appears legitimately.
[Screenshot: fake Windows folder]
When the copied perfmon.exe runs from this folder on Windows 10, it loads the malicious SSPICLI.dll sitting next to it instead of the legitimate sspicli.dll from C:\Windows\System32. The dropper also copies Aosncql.exe and the hidden Aosn file into C:\Users\Public\Aosn and renames the executable from Aosncql.exe to Aosnnem.exe.
[Screenshot: renamed Aosn file]
After the DLL hijack succeeds, a new instance of ieinstal.exe spawns, detaches from its parent process and installs the Remcos RAT on the victim’s computer.
[Screenshot: Aosn file]
► Drops Aosn.hta into C:\Users\Public\ to achieve persistence:
[Screenshot: Aosn.hta script]
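The two artifacts a responder would hunt for after reading this are the lookalike "Windows " directory and a system binary copied next to a DLL it will side-load. The script below is an added example, not the blog's code. It works on a plain file inventory (the kind a triage tool exports) rather than touching the live filesystem, so it runs anywhere; the inventory shown is constructed to mirror the dropper's layout and is not real data.

```python
"""Hunt for the 'Windows ' lookalike directory and for auto-elevating system
binaries copied next to a DLL they will side-load (added example, not the
blog's code).  Operates on a file inventory so it runs on any platform."""
import ntpath
import unicodedata
from collections import defaultdict

REAL_SYSTEM32 = r"c:\windows\system32"
# The dropper in the post copied perfmon.exe beside a rogue SSPICLI.dll;
# extend both sets with other pairs you care about.
SIDELOAD_EXES = {"perfmon.exe"}
SIDELOAD_DLLS = {"sspicli.dll"}

# Constructed inventory mimicking the dropper's output (not real data).
SAMPLE_LISTING = [
    r"C:\Windows\System32\perfmon.exe",
    r"C:\Windows\System32\sspicli.dll",
    r"C:\Windows \System32\perfmon.exe",
    r"C:\Windows \System32\SSPICLI.dll",
    r"C:\Users\Public\perfmon.exe",
    r"C:\Users\Public\SSPICLI.dll",
    r"C:\Users\Public\Yako.bat",
    r"C:\Users\Public\Natso.bat",
]


def is_lookalike_system_dir(name, real="Windows"):
    """True when `name` renders like `real` but is not the same string.
    Catches trailing spaces or dots (Win32 path parsing strips them, so the
    folder had to be created via the \\?\ prefix) and Unicode confusables."""
    norm = unicodedata.normalize("NFKC", name).rstrip(" .").casefold()
    return norm == real.casefold() and name != real


def find_lookalike_dirs(paths):
    """Return the distinct top-level directory names that impersonate Windows."""
    seen = set()
    for p in paths:
        parts = p.split("\\")
        if len(parts) > 2 and is_lookalike_system_dir(parts[1]):
            seen.add(parts[1])
    return sorted(seen)


def find_sideload_candidates(paths):
    """Return (directory, exes, dlls) for every directory other than the real
    System32 that holds both a watched EXE and a watched DLL."""
    by_dir = defaultdict(set)
    for p in paths:
        head, tail = ntpath.split(p)
        by_dir[head].add(tail.casefold())
    hits = []
    for directory, names in by_dir.items():
        if directory.casefold() == REAL_SYSTEM32:
            continue
        exes, dlls = names & SIDELOAD_EXES, names & SIDELOAD_DLLS
        if exes and dlls:
            hits.append((directory, sorted(exes), sorted(dlls)))
    return sorted(hits)


if __name__ == "__main__":
    print("lookalike dirs:", find_lookalike_dirs(SAMPLE_LISTING))
    for directory, exes, dlls in find_sideload_candidates(SAMPLE_LISTING):
        print(f"side-load candidate in {directory!r}: {exes} + {dlls}")
```

The directory comparison deliberately keeps the exact string (only the real `System32` path is normalized), since the trailing space is the whole point; a `casefold()` on the lookalike would silently merge it with the legitimate folder and hide the finding.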

Example 4 : A Professional Approach Does the Trick

This next type of attack targets a specific person. The key point is that the email has an attachment, but the sender never refers to it in the message, neither with instructions nor with next steps for working with the file. The tactic relies on the victim’s curiosity.
[Screenshot: spear-phishing email]
If the attachment is opened in Microsoft Excel and the embedded macro is allowed to run, the macro acts as a downloader for the actual malware by contacting http<:>//profectusleadership<.>com/social.php.
[Screenshot: the opened file]
The downloaded file is an installer that deceives the user by showing an installation window followed by a privilege-related error, while in fact the files are dropped into a randomly named folder under %APPDATA% (AppData\Roaming). What the victim does not see is a second process running in the background, signed_gate6.exe, which executes an obfuscated PowerShell script dropped into %LOCALAPPDATA%\Temp and deletes it immediately after execution.
[Screenshot: the process in the background]
That PowerShell script is responsible for dropping the files into %APPDATA%\<randomly_named_folder>\. The dropped files are:
[Screenshot: PowerShell script]
Here, directX.DLL is an empty file because the PowerShell script attempts to download it from a different location.
[Screenshot: PowerShell script content]
The following file is also made persistent across reboots:
[Screenshot: persistence entry]
The dropped file fonthost.exe is actually the client for NetSupport Manager, a commercial remote administration tool that has been repurposed for malicious use. The client is accompanied by a configuration file (client32.ini) which directs it to connect the victim’s machine to bacninhcomputer<.>com, after first looking up the machine’s geolocation via geo.netsupportsoftware<.>com/location/loca.asp. Using NetSupport Manager’s built-in capabilities, the attacker can then perform various operations on the victim’s machine, such as screen recording, network discovery and logging of keystrokes and mouse clicks. The tool is normally used by administrators for remote access to computers, but here a successful phish gives the attacker complete access to the target system.
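Because NetSupport Manager is legitimate software, the presence of the client alone proves nothing; the configuration file tells the story. The geolocation lookup goes to NetSupport's own service, so that hostname is not a useful indicator, whereas the gateway the client calls back to is. The following is an added example, not the blog's code: it parses a client32.ini, extracts the gateway hosts and the options that hide the client from the logged-on user, and compares the gateways against the ones your own deployment is allowed to use. The key names follow publicly documented client32.ini samples and are treated as assumptions here; the sample file is constructed, not the one from the campaign.

```python
"""Triage a NetSupport Manager client32.ini (added example, not the blog's
code).  Key names follow publicly documented client32.ini samples and are
assumptions here; SAMPLE_INI is constructed, not the campaign's file."""
import configparser

# [Client] settings that make the client invisible to the user.  A managed
# corporate deployment rarely sets all of them at once.
STEALTH_SETTINGS = {"silent": "1", "SysTray": "0", "HideWhenIdle": "1"}

SAMPLE_INI = """
[Client]
_present=1
silent=1
SysTray=0
HideWhenIdle=1

[HTTP]
GatewayAddress=bacninhcomputer.com:443
SecondaryGateway=
Port=443
"""


def parse_client32(text):
    """Return the callback gateways, port and raw [Client] options."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str               # keep key case exactly as written
    cp.read_string(text)
    http = cp["HTTP"] if cp.has_section("HTTP") else {}
    gateways = [http.get(k, "").strip() for k in ("GatewayAddress", "SecondaryGateway")]
    return {
        "gateways": [g for g in gateways if g],
        "port": http.get("Port", ""),
        "client": dict(cp["Client"]) if cp.has_section("Client") else {},
    }


def assess(cfg, allowed_hosts):
    """List the reasons this configuration looks like a repurposed RAT."""
    findings = []
    approved = {h.lower() for h in allowed_hosts}
    for gw in cfg["gateways"]:
        host = gw.rsplit(":", 1)[0].lower()      # strip an optional :port
        if host not in approved:
            findings.append(f"gateway {gw} is not an approved NetSupport gateway")
    for key, hidden in STEALTH_SETTINGS.items():
        if cfg["client"].get(key) == hidden:
            findings.append(f"[Client] {key}={hidden} hides the client from the user")
    return findings


if __name__ == "__main__":
    config = parse_client32(SAMPLE_INI)
    # Hypothetical corporate gateway; replace with your real deployment's hosts.
    for line in assess(config, {"nsm-gateway.corp.example"}):
        print(line)
```

`strict=False` matters on real samples, which sometimes repeat keys and would otherwise make `configparser` raise instead of parse.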

Example 5: An Old Acquaintance Reappears

While the message text is messy, the subject alarmingly announces “COVID-19 UPDATE !!” The reader sees keywords such as “safety measures,” “preventive measures” and “coronavirus,” and the alleged sender is a regional director of the Pan American Health Organization (not the real person, of course).
[Screenshot: spam content]
There is no intermediary step in the payload delivery: attached to the email is an archive with a malicious executable inside. To evade detection, the payload is packed with a Delphi packer that employs anti-debugging and virtual-machine evasion techniques to hinder analysis. Further analysis revealed the payload to be the infamous LokiBot, an older commodity stealer.
[Screenshot: strings from the malicious payload]

Conclusion: Stay Safe

The fear and uncertainty surrounding a real-world pandemic can be leveraged as a powerful vector for malware propagation, and criminals looking for quick profits are actively exploiting it. The well-established elements of social engineering (spoofed sender, fake message, etc.) are amplified by people’s emotions, increasing the efficacy of malicious spam campaigns. CrowdStrike continues to detect COVID-19-related payloads in use, and we strongly advise everyone to avoid opening attachments or links in unsolicited email. Visit our COVID-19 Resource Hub for up-to-the-minute intelligence and support in defending your organization against the latest cyber threats.