covid19

As Delta Variant Spreads, COVID-19 Themes Make Resurgence In Email Threats 

Share with your network!

Key Findings: 

  • Proofpoint researchers observed an increase in COVID-19 related threats since late June 2021.  
  • Threat actors are taking advantage of the increased interest and infection spread related to the Delta variant.  
  • Proofpoint researchers observed high-volume COVID-19 related campaigns from malware including RustyBuer, Formbook, and Ave Maria. 

Overview 

Multiple distinct types of high-volume threats have pivoted back to using COVID-19 social engineering themes as the global concern about the Delta variant continues to rise. The newly observed campaigns related to the identified malware follow a lull in COVID-19-themed threat campaigns through the Spring and early Summer of 2021. 

Campaign Details 

Proofpoint has tracked ongoing threats leveraging COVID-19 and related coronavirus themes since the beginning of the pandemic. TA542, known to distribute Emotet, first began using COVID-19 in email threats in January 2020. Although the virus has remained an ongoing theme, Proofpoint researchers observed a significant increase in the number of messages leveraging COVID-19 themes in recent months.  

Since late June 2021, Proofpoint has observed high volume COVID-19 themed campaigns distributing RustyBuer, Formbook, and Ave Maria malware, in addition to multiple corporate phishing attempts to steal Microsoft and O365 credentials. Proofpoint researchers also identified an increase in business email compromise threats leveraging COVID-19 themes in this timeframe. 

The increase in COVID-19 themes in Proofpoint data aligns with public interest in the highly contagious COVID-19 Delta variant. According to global Google Trend data, worldwide searches for “Delta variant” first peaked the last week in June 2021 and have continued through August 2021 so far.  

Delta

Figure 1. Google Trend data for searches related to “Delta variant.” 

The increase in COVID-19 related threats is global. Proofpoint observed tens of thousands of messages intended for recipients in various industries worldwide. Open-source data also supports a greater threat actor adoption of COVID-19 themes recently. South Korea, for example, recently raised its cyber threat warning level in response to an increase of threats related to its COVID-19 relief programs.  

Throughout the pandemic, threat actors have leveraged the fear and uncertainty felt by communities everywhere and the COVID-19 virus became a popular lure for social engineering activities. As vaccines became available, threat actors began using themes related to vaccination status. Threat actors often paired COVID-19 themes with messages purporting to be pandemic financial relief or healthcare information. This trend continues as the Delta variant spreads, and companies require vaccinations before employees can return to work. 

Credential Theft 

Proofpoint researchers have observed multiple high-volume COVID-19 related credential theft campaigns, including a Microsoft credential theft campaign targeting thousands of organizations globally. The messages purported to be vaccination self-compliance reports sent by the target entities’ human resources divisions.  

The emails contained the following characteristics, for example:  

From: "HR@[organizationname.tld]" <various senders> 

Subject: Covid-19 Vaccination Self Compliance Report. 

The messages contained a URL which likely leads to a fake Microsoft authentication page designed to harvest user credentials.  

O365

Figure 2. Self-compliance COVID-19 vaccine lure. 

Recently, many major American companies began requiring employees to be vaccinated before returning to the office. As vaccine requirements become more widely adopted by employers, it is likely this type of lure theme will be used by threat actors.  

Employment Status 

Proofpoint researchers observed a new high-volume Formbook campaign sent to hundreds of organizations masquerading as a human resource professional. The emails contain a zipped file (e.g. Scan.Salary.zip) and tell the recipients that their jobs are being eliminated due to the financial impact of COVID-19. 

Email

Figure 3. Email allegedly from an organization’s human resources division.  

The emails are generic but customized to the intended organization. To further entice the recipient to open the malicious file, the email states a “2 months salary receipt” is attached. The emails contain a malicious .ZIP attachment, that when extracted and executed leads to the installation of Formbook malware. This campaign consisted of over 7,000 emails intended for a broad spectrum of organizations.   

Ave Maria  

Proofpoint researchers identified new Ave Maria malware campaigns largely targeting energy and industrial organizations. Ave Maria is a remote access trojan, written in C++, that is capable of process and file system manipulation, command shell access, webcam control, keylogging, password theft, and remote desktop access. The first observed series of emails purported to be health advisories related to COVID-19 and purported to contain “preventative measures” relating to the target company’s policies. Over a thousand emails targeted dozens of customers, with more than 90% of the intended targets in the energy vertical. Subsequent related campaigns used themes unrelated to COVID-19. 

The virus-related messages purported to be, for example:  

From: HEALTH CARES <admin@ledfarm[.]store>  

Subject: COVID-19 PREVENTIVE MEASURES  

Attachments: covid-19_preventive measures.xlsx  

The body of the emails also contained emails unique to the target entity, for example healthcare@[targetcompany].com. The contents of the emails claimed there was new COVID-19 preventative measures included in the attachment. Furthermore, the emails contained COVID-19 cases, deaths, and vaccine doses administered.   

COVID-19  

Figure 4. Email purporting to be related to COVID-19 measures.  

The following week, Proofpoint observed additional Ave Maria campaigns distributing COVID-19 themed messages, for example: 

From: customercareservicesY 

Subject: COVID-19 SELF SERVICE CERTIFICATE/PREVENTIVE MEASURES 

All the observed Ave Maria COVID-19 themed messages contained an Excel attachment that exploits various Equation Editor vulnerabilities. The malware’s command and control infrastructure utilized Dynamic DNS and communication over port 5200.   

RustyBuer  

Currently, one of the most active COVID-19 related threats is RustyBuer, a new Rust-based Buer Loader strain first identified by Proofpoint researchers in April 2021. Buer is a downloader  that is used as a foothold in compromised networks & an ‘Initial Access Broker’ to distribute other secondary payloads including ransomware

The recent campaigns leveraging the pandemic themes include senders purporting to be related to healthcare with subjects referencing vaccine mandates, equitable healthcare opportunities, and current infection rates. Historically, threat actors leveraging Buer and RustyBuer generally did not use COVID-19 themes; the virus theme was previously observed once associated with this malware in November 2020. 

In recently observed campaigns, the message purport to be from senders including:  

info@covidhospitalgeer[.]com 

info@covidadministration[.]com 

The emails contain subjects like: 

COVID-19 infections at higher than Covid and rubbed his restaurants and 

COVID-19 vaccinations for its mask mandate for the ongoing disaster which 

The observed messages contain password protected zipped Microsoft Excel attachments with macros which, if enabled, will download and execute RustyBuer. The messages do not mimic any official correspondence, and often do not make grammatical sense and appear to contain fragments from news reports. However, the language and graphics used suggest an urgency to the recipient and may entice them to click on the attachment.   

COVID-19

Figure 5. COVID-19 themed lure distributing RustyBuer.  

Conclusion 

If the severity of the Delta variant increases in proportion to COVID-19 infections, we expect an increase in media coverage worldwide. Based on past behavior, media attention increases the likelihood that actors will shift back to a broader adoption of COVID-19 as social engineering material and localize that material to their perspective regions. It is possible more threat actors will begin to use the virus as a lure in future campaigns while infection rates and interest in the virus and protective measures remains high. 

The following indicators of compromise represent a sample of recent COVID-19 threats. 

Indicator 

Description 

http://sweetdreambymoon[.]stars[.]bz/a2/p3.exe  

Ave Maria / Warzone Payload URL  

a2ba3e1a002cd3c7d5be4ff05d6001692a1a516096159ac77b78f0ddd9c3060e  

Payload SHA256  

warzonlogs[.]duckdns[.]org  

Ave Maria / Warzone C2  

admin@ledfarm[.]store  

Ave Maria Sender Email  

contact@wmbtole-com[.]uno  

Ave Maria Sender Email  

contact@yumaletab-net[.]uno  

Ave Maria Sender Email  

 info@taxpunishdep[.]com 

RustyBuer Sender Email 

info@loveshipper[.]com 

RustyBuer Sender Email 

https://luareraopy[.]com/api/v3/dacryorrhea/cardholders/nympholepsies 

 

RustyBuer Document Payload 

cerionetya[.]com 

RustyBuer C2 

88689636f4b2287701b63f42c12e7e2387bf4c3ecc45eeb8a61ea707126bad9b 

 

RustyBuer Hash (Sample) 

info@deliverydhlexpress[.]com 

RustyBuer Sender Email 

info@deliveryeatstreet[.]com 

RustyBuer Sender Email 

https://seryanjek[.]com/api/v3/disambiguate/nonequivalent/ditrigonal 

RustyBuer Document Payload 

e3a11be133a98c05ab7aa90f7ca8037cfdad66b0159b5522a85dab5d54f6eb71 

RustyBuer Hash (Sample) 

info@covidhospitalgeer[.]com 

RustyBuer Sender Email 

info@covidadministration[.]com 

RustyBuer Sender Email 

info@covidbooksinfo[.]com 

RustyBuer Sender Email 

info@discountfreeals[.]com 

RustyBuer Sender Email 

lebatyo[.]com 

RustyBuer C2 

https://hejoysa[.]com/ssl/v1/getkey 

RustyBuer Excel Payload 

eurolord.duckdns[.]org 

Ave Maria C2 

6b4a4244409dc7dd0e538b98fbb886b51d626202bdc8501af5c9c4e84daecd82 

Ave Maria Hash (Sample) 

http://sassyladywrites[.]com/a1/b7[.]exe 

Ave Maria Payload URL 

https://00f74ba44bd85135df3aa07960343eeeec89e0088b-apidata[.]googleusercontent[.]com/download/storage/v1/b/dhngw6p6rwrwnuv6vnuse.appspot.com/o/index.html 

Microsoft Credential Theft Phishing Landing Page 

https://storage[.]cloud[.]google[.]com/dhngw6p6rwrwnuv6vnuse.appspot.com/index.html#username@organizationname.tld 

Microsoft Credential Theft Phishing URL 

24cf6db04d0882f124750e4b7025455d11b02f23ad088a334e449a82d672e64a 

Formbook Hash (Scan.Salary.zip) 

www.aozhengaodi[.]com/bkbk/ 

Formbook C2