These threats are designed to capture usernames, passwords, bank details, network information, and other sensitive data, says security provider Lastline.
Cybercriminals have been busy devising email campaigns that take advantage of the coronavirus outbreak. By promising information or help about the pandemic, these attacks instead infect unsuspecting recipients with malware, often designed to capture personal information. One such campaign analyzed by Lastline uses infostealers to obtain private data from its victims.
SEE: Coronavirus and its impact on the enterprise (TechRepublic Premium)
In a blog post published Monday, Lastline said that it's detected a variety of threats centered around COVID-19, and many of these threats are infostealers. Some of the infostealers analyzed are older ones. For example, the Hawkeye infostealer has been active since around 2013.
Others are relatively fresh. The 404 Keylogger first appeared on a Russian dark web forum in August 2019, according to Lastline. Both of these threats use keylogging to record the keystrokes entered by the user to capture passwords and other typed information.
Whether relatively old or new, these email-based threats have been updated to exploit the coronavirus. All the email subjects contain at least one keyword related to the pandemic, such as "Coronavirus," "COVID-19," or "Corona." The body text of the email uses urgent social engineering language about the disease. And the file attachments in these emails are given coronavirus-related names, such as "CENTER FOR DISEASE CONTROL_COVID_19 WHO DOCUMENT_PDF" and "Letter_to_customers_covid-19_pdf."
By using keyloggers, many infostealers try to to steal such information as usernames, passwords, and banking data. Some infostealers, such as Agent Tesla, have evolved into more advanced threats able to steal Wi-Fi passwords. Some, such as Trickbot, are capable of capturing system and network information. And some, including Trickbot and Hawkeye, can even grab the contents of cryptocurrency wallets.
Analyzing the activity of infostealers during March 2020, Lastline found that different threats were active on different dates. On March 2, both Lokibot and Trickbot campaigns were in force. A week later on March 9, Lokibot was again detected. The following day on March 10, Lastline found active campaigns using Hawkeye. On March 24, the 404 Keylogger dominated the daily charts.
Most of these campaigns rev up during the week, starting with Monday, and then slow down over the weekend. Spammers and malware operators specifically target people who are back on the job on Mondays, even as they work from home. There's little point launching an attack on a Saturday when people aren't working and when security personnel and products can respond to that attack before it hits users on Monday.
The threats also vary based on region. In the EMEA (Europe, Middle East, Africa), the most common and persistent infostealer seen by Lastline in March was Lokibot. The popularity of Lokibot may be attributed to the 2015 leak of the original source code, which triggered many variants and recompiled editions deployed by different cybercriminals.
SEE: Cybersecurity: Let's get tactical (free PDF) (TechRepublic)
In the US, no one single infostealer has dominated the attack pattern. As the US is a large market with a single language, cybercriminals seemingly tend to deploy all types of attacks, from unsophisticated keyloggers to multi-stage stealers, according to Lastline.
Finally, most of the infostealers detected use a "Malware as a Service" model and are sold at affordable prices on the dark web. The main factor that distinguishes one campaign from another is the configuration rather than the code. Cybercriminals simply redesign existing email campaigns to take advantage of new areas, such as the coronavirus.
To help organizations better defend themselves against malicious infostealers, Richard Henderson, Head of Global Threat Intelligence at Lastline, offers the following commentary:
"There's a two-fold strategy that needs to be considered to greatly minimize the risks involved around threats such as these, and they are useful now and when the COVID-19 threat subsides," Henderson said.
"The first part of the equation involves asking what to do to prevent these threats from succeeding. A comprehensive security strategy involves both human and technological aspects: reminding your employees on a regular basis of threats such as these is key...although is not going to be a panacea. There are literally billions of malicious emails being delivered into people's inboxes every single day; eventually something will get through.
"On the technology side, there are many things that can be done: many organizations include a big fat alert inserted into the email itself reminding users that the email is from an external source and extra caution should be exercised when opening. That can help. Additionally, especially risk-averse organizations should consider just blocking emails that contain some more exotic file types. For example, in a recent study of compressed files sent via email, over 99% of compressed files that weren't zip files contained malicious artifacts."
- The latest cancellations: How the coronavirus is disrupting tech conferences worldwide (TechRepublic)
- Coronavirus having major effect on tech industry beyond supply chain delays (free PDF) (TechRepublic download)
- Coronavirus domain names are the latest hacker trick (TechRepublic)
- Coronavirus and its impact on the enterprise (TechRepublic Premium)
- As coronavirus spreads, here's what's been canceled or closed (CBS News)
- Coronavirus: Effective strategies and tools for remote work during a pandemic (ZDNet)
- How to track the coronavirus: Dashboard delivers real-time view of the deadly virus (ZDNet)
- Coronavirus and COVID-19: All your questions answered (CNET)
- Coronavirus: More must-read coverage (TechRepublic on Flipboard)