Beware malware-laden emails offering COVID-19 information, US Secret Service warns

Many of the emails take advantage of an unpatched, decades-old Microsoft Office vulnerability to deliver malware. Advice: Patch now.

As the coronavirus crisis continues to capture everyone’s attention, cybercriminals stay busy running scams and delivering malware using the attention-getting virus as a lure. The threats from the scammers and crooks, which began as early as January and continue unabated, range from tricking people out of their financial data to delivering pernicious malware.

Although some scammers use novel techniques to commit their crimes, many schemes rely on tried-and-true phishing methods that exploit unpatched software flaws that sometimes have stayed unfixed for years. On April 1, the US Secret Service (USSS) sent out an information alert, “Fraudulent COVID-19 Emails with Malicious Attachments,” that warns about messages masquerading as COVID-19 status emails  from employers, merchants and other businesses.

The USSS has uncovered attempted attacks that, using these faux alerts, sought to remotely install malware on the infected system to “harvest financial credential, install keyloggers, or lockdown the system with ransomware.” The malicious attachments are usually Microsoft Office or WordPad file types that exploit a now-patched vulnerability in Microsoft Office, according to the alert. However, the Secret Service says that variations exist and attack vectors evolve.

Patch Microsoft Office vulnerability CVE-2017-11882

Mark Coleman, assistant to the special agent in charge at the USSS’s Criminal Investigative Division, tells CSO that the malware spreaders were seeking to exploit the two-decades-old Microsoft Office memory corruption vulnerability CVE-2017-11882, for which Microsoft released a security patch in November 2017. CVE-2017-11882 is a common, and even “prolific” technique for attackers to spread malware, involved in over 600 incidents through the first three quarters of 2019, according to researchers at Cofense.

The Secret Service also said that phishing emails disguised as coming from a hospital, with the recipient notified they might have come in contact with a coronavirus-infected person, also carry malware attached to a downloadable Excel file, which exploits the same Office flaw. “Similar to the fraudulent corporate COVID-19 emails, these were Excel .XLSM files that likely were attempting to exploit the same CVE-2017-11882 Microsoft Office vulnerability,” says Coleman.

The malware can steal login credentials, open shares on the networks, and view all files and folders as well as discover and take cryptocurrency information. A variation on this attack is an email purportedly from the US Department of Health and Human Services (HHS) targeting medical suppliers asking them to provide protective medical equipment from an attached list that contains malware.

The HHS scammers sent emails that contained a .EXE file attachment that carried a .PDF extension prefix in the file name, Coleman says, a technique used to fool the recipients into believing they were opening a PDF file containing a list of needed supplies. Coleman says they think the executable deployed Agent Tesla to the potential victim user, which logs keystrokes and captures credentials. Agent Tesla is a time-tested piece of malware that also exploits CVE-2017-11882. It has been sold to thousands of cybercrooks who pay subscription fees at varied levels to license the software.

Multiple reports of COVID-19 scams

Whether using proven or novel methods, scammers and malware purveyors show no signs of slowing down as they piggyback on the fears surrounding coronavirus:

• Like the Secret Service, the Better Business Bureau received reports of individuals posing as HHS employees using SMS messages to spread word of a supposed online coronavirus test, which in reality led to data-stealing malware.
• Researchers at KnowBe4 reported the same kind of “you’ve come into contact with a coronavirus-infected person” phishing email that the Secret Service referenced. This phishing campaign delivers malware that serves as a trojan downloader and detected by only a handful of major anti-virus applications.
• Researchers at IBM X-Force Threat Intelligence identified emails claiming to be sent by the US SBA that appear to be a confirmation email for an application for disaster assistance. Instead, the emails deliver attachments that, when opened, execute Remcos malware that installs a remote access Trojan (RAT).
• Relatively early on in the coronavirus crisis in Western nations, the UK’s NCSC warned of the creation of phishing campaigns pegged to the coronavirus crisis, saying back in mid-March that cybercriminals were creating phishing landing pages at a rapid clip.

Worldwide crackdown on COVID-19 scammers

Consequently, law enforcement agencies worldwide are vowing to crack down on the criminals riding in on the wave of this deadly disease. US Attorney Offices around the nation have announced their active interest in prosecuting cybercriminals, including the US Attorneys Offices for the Southern District of California and Western District of Louisiana.

Earlier this week, the US Attorney’s Office in South Carolina even formed a “COVID Strike Team” that pulls from a broad group of law-enforcement resources including US Attorney’s Office, federal law enforcement officers from an array of agencies, officers with the South Carolina Law Enforcement Division (SLED), and members of the South Carolina Attorney General’s Office.

Other countries are pushing to prosecute COVID cybercriminals. This week Australia announced that its Signals Directorate is mobilizing its offensive capabilities to bring down any criminals that exploit the COVID-19 crisis.

USSS’s Coleman says that working with local law enforcement is key to nipping these scams in the bud. “As a leading federal agency responsible for investigating complex cyber-enabled fraud schemes and training state and local partners how to do the same, we believe in partnerships which act as a force multiplier,” he says. “By so quickly and frequently disseminating criminal intelligence on real-time threats to the general public and other stakeholders, we are able to reduce the effectiveness and success of these emerging COVID-19 frauds.”

In the meantime, a joint alert from the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued on April 8 regarding the exploitation of COVID-19 by malicious cyber actors offers a series of steps organizations can take to mitigate the risks of these actors causing damage. Regarding the kinds of phishing schemes flagged by the Secret Service, the guidance recommends that organizations:

• Make it difficult for attackers to reach your users.
• Help users identify and report suspected phishing emails (see CISA Tips, Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams).
• Protect your organization from the effects of undetected phishing emails.
• Respond quickly to incidents.