Recent malware campaigns reveal that cybercriminals aren’t sparing healthcare firms, medical suppliers and hospitals on the frontlines of the coronavirus pandemic.
Researchers have shed light on two recently uncovered malware campaigns: one targeting a Canadian government healthcare organization and a Canadian medical research university, and the other hitting medical organizations and medical research facilities worldwide.
The emails sent to these unnamed organizations purported to send COVID-19 medical supply data, critical corporate communications regarding the virus or coronavirus details from the World Health Organization (WHO) – but actually aimed to distribute ransomware, infostealer malware and more.
These recent campaigns are the tip of the iceberg when it comes to cybercrime targeting organizations in the healthcare space, researchers said. “Despite prior reporting by various sources indicating that some cyber-threat attacker activity may subside in some respects during the COVID-19 pandemic, Unit 42 has observed quite the opposite with regard to COVID-19 themed threats, particularly in the realm of phishing attacks,” said Adrian McCabe, Vicky Ray and Juan Cortes, security researchers with Palo Alto Networks’ Unit 42 team, in a Tuesday post.
Between March 24 – 30, researchers observed various malicious emails attempting to spread ransomware to several individuals associated with an unnamed Canadian government health organization actively engaged in COVID-19 response efforts, as well as a Canadian university that is conducting COVID-19 research.
The emails, sent from a spoofed WHO email address (noreply@who[.]int), contained a rich text format (RTF) file that purported to spread information about the pandemic. When opened, the RTF file attempted to deliver a ransomware payload that exploits a known vulnerability (CVE-2012-0158) in Microsoft Office, which allows attackers to execute arbitrary code.
When opened, the malicious attachment drops a ransomware binary to the victim’s disk and then executes it. To avoid detection, the dropped binary has a hidden attribute set, which is used when some content is obsolete and no longer necessary, to completely hide details from the user. The binary also uses an Adobe Acrobat icon to further cloak its true purpose.
After further analysis of the code structure of the binary and the host-based and network-based behaviors, researchers determined that the malware is an open-source ransomware variant called EDA2, which is associated with a larger, parent ransomware family called HiddenTear.
After execution, the victim receives a ransomware infection notification display on their desktop, which states: “If you want to unlock your files you must sent .35 BTC [Bitcoin] to this address,” and then gives an address for where to send the ransom payment. The ransomware binary then encrypts various files extensions, including “.DOC”, “.ZIP”, “.PPT” and more. Of note, “this ransomware binary has a particularly substantial limitation; it is hardcoded to only encrypt files and directories that are on the victim’s desktop,” said researchers.
Researchers said the ransomware samples in this campaign weren’t successful in reaching their intended victims. Other targets haven’t been so lucky, however. Despite ransomware gangs recently pledging that they would stop attacking hospitals in the midst of the pandemic, cyberattacks continue. Several hospitals have been targeted by the Ryuk ransomware, according to security researcher “PeterM” on Twitter.
I can confirm that #Ryuk ransomware are still targeting
hospitals despite the global pandemic. I'm looking at a US health care provider at the moment who were targeted overnight. Any HC providers reading this, if you have a TrickBot infection get help dealing with it ASAP.
— PeterM (@AltShiftPrtScn) March 26, 2020
Hammersmith Medicines Research, a London-based healthcare provider that was working with the British government to test COVID-19 vaccines, was also recently hit by a ransomware attack. The Maze ransomware operators, which launched the attack, later posted the stolen data online.
Unit 42 researchers also spotted a separate campaign targeting various organizations, including medical organizations and medical research facilities located in Japan and Canada, with the AgentTesla malware.
Other firms targeted by this malware include a United States defense research entity, a Turkish government agency managing public works, a German industrial manufacturing firm, a Korean chemical manufacturer, and medical organizations/research facilities located in Japan and Canada (all unnamed).
The malspam emails used the coronavirus as a lure, with a malicious attachment pretending to be a “COVID-19 Supplier Notice” or a “Corporate advisory” for coronavirus.
The email address sending the malspam emails, “Shipping@liquidroam[.]com,” uses a legitimate business domain for LiquidRoam, which provides sales of electric skateboards. This led researchers to conclude that the domain has been compromised and that the infrastructure is being used by cybercriminals.
The attachments for the emails were actually droppers delivering variants of the AgentTesla malware family. AgentTesla, an info-stealing malware which has been around since 2014, is sold in multiple forums commonly visited by cybercriminals, and is one of the top malware families of choice of the SilverTerrier threat actor, known for business email compromise (BEC) campaigns.
“All the associated samples connected to the same C2 domain for exfiltration: ‘ftp[.]lookmegarment[.]com,'” researchers said. “Our analysis also shows that the AgentTesla samples had hard-coded credentials used to communicate with the C2 over FTP.”
Attackers continue to leverage coronavirus-themed cyberattacks as panic around the global pandemic continues – including malware attacks, booby-trapped URLs and credential-stuffing scams.
“It is clear from these cases that the threat actors who profit from cybercrime will go to any extent, including targeting organizations that are on the front lines and responding to the pandemic on a daily basis,” said Unit 42 researchers.
Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.