Threat Advisory: Cybercriminal activity exploiting COVID-19 themes  

Deloitte reviewed multiple cases to ascertain the tactics and techniques related to criminal activity in the wake of the COVID-19 outbreak. These incidents reflected general trends in terms of the primary attack vector, related malware, and objectives of criminal threat actors seeking to capitalize on the pandemic.

Summary Analysis

• Deloitte reviewed multiple incidents/campaigns related to cyber criminal activity in the wake of the COVID-19 outbreak to derive general trends in terms of primary attack vector, related malware, and objectives of criminal threat actors seeking to capitalize on the pandemic.
• Spam email pertaining to COVID-19 typically delivers malware using one of two methods: email attachments or malicious links. In both cases, they typically incorporate an intermediate downloader as the delivery mechanism for the actual malware payload.
• Deloitte assesses with moderate confidence threat actors using COVID-19 themes for distributing information stealers via phishing emails with embedded links are using more likely to incorporate cloud hosting services.
• Deloitte assesses with high confidence the majority of malware using COVID-19 themes are information stealers using compressed file formats (e.g. .rar, .gz, .zip, .iso, .arj) in combination with office productivity software. Less commonly, they will incorporate vulnerability exploits but more often relyon macro-enabled documents.
• Deloitte assesses with moderate confidence that threat actors will exploit the inherent trust in specific compromised users (such as CEO’s and other institutional leadership) to perform internal spear phishing attacks in the wake of COVID-19.
• Deloitte assesses with high confidence that COVID related themes are increasingly, and effectively, used by threat actors to facilitate drive by compromises.
• Deloitte assesses with moderate confidence the most commonly observed malware leveraging COVID related themes is information stealers. Such malware may be used as an intermediate payload itself that eventually retrieves a RAT, Banking Trojan, backdoor, ransomware, and occasionally cryptominers.
• Deloitte assesses with high confidence that organizations directly related to the COVID-19 response – particularly those in life sciences and healthcare – will be increasingly targeted by cyber criminals who seek to capitalize on the uncertainty and rapid responses required by the crisis.
   

Recommendations

Deloitte recommends the following:

• Avoiding clicking on attachments or links embedded in email messages with subject lines purporting to contain information related to COVID-19 or Coronavirus.
• Using firewalls and intrusion detection/prevention systems (IDS/IPS) to detect and block network communications with malware Command and Control (C2) nodes.
  • Consider alerting based on emails containing references to COVID, coronavirus, and other keywords which contain uncommon file types such as iso, arj,
  • Consider alerting based on COVID-19 related domains on commonly abused hosts (Cloudflare, GoDaddy, OVH), nameservers (NameCheap) and unusual TLDs (e.g. .tk, .pw etc.)
  • Deploy Intrusion Detection security controls on the network, to detect malicious activity during post-exploitation.
  • Enable and configure Windows Audit Policy and Logging and set the registry to enable process command-line logging.
• Recipients of suspicious emails are encouraged to verify the ostensible sender via alternate communication methods, via secure channels and not use the contact information provided in a message.
  • This is particularly relevant to users who issue payments and initiate money wire transfers pertaining to services rendered or travel costs.
• Ensure regular, offline backups are stored for all critical systems and data to mitigate potential ransomware attacks.
• Do not issue payments for ransomware as the adversary is under no obligation to restore files which may not be recoverable even after acquiring the required encryption key.
• Disallow auto-saving to user Downloads folder and executing an application or opening a data file from that location.
• Using Group Policy to block users from enabling macros in any Microsoft Office applications.
• Sufficient logging of host and user activity that can be leveraged and analyzed for suspicious threat actor activity or attempts to compromise hosts and/or user accounts.