Cyber threats built around the COVID-19 pandemic theme have persisted from the initial stages of the outbreak worldwide to the present day, as new variants such as Delta spread. One example is the threat group TA542, best known for distributing the Emotet malware, which began using COVID-19 related email lures in January 2020. By June of this year there was an upsurge in COVID-19 themed email campaigns aiming to distribute malware such as Ave Maria, Formbook, and RustyBuer. Within the same timeframe, researchers also observed an increase in business email compromise attempts using the COVID-19 theme.
According to reports, these COVID-19 themed threats are occurring worldwide: thousands of such messages have been distributed across different industries and countries, including South Korea, which recently raised its warning level for cyber threats that use COVID-19 themes.
Threat actors have exploited worldwide fear of the pandemic to lure victims through email and carry out cyberattacks. One example is the use of COVID-19 vaccination relief programs and healthcare information as email themes to bait recipients.
The campaigns through which threat actors exploit the COVID-19 theme include:
- Credential Theft
Recent reports have observed an upsurge in credential theft in COVID-related cyberattacks, including a Microsoft credential theft campaign that targets many companies and organizations worldwide. As vaccination became a requirement for employees returning to the office, threat actors used the situation to lure targets with email phishing scams and obtain the victims’ credentials.
- Employment Status
Researchers have also reported a high volume of Formbook malware campaigns in which the sender impersonates HR professionals to steal the victim’s personal data. In one example, the malware is attached to a suspicious email claiming that the employee is being terminated because of COVID-19 related effects.
- Ave Maria
Ave Maria is a recently observed malware used mainly to target energy and industrial organizations; it is capable of command shell access, process and file system manipulation, webcam control, password theft, and remote desktop access. One email lure tied to this campaign is a health advisory linked to COVID-19 that encloses “preventative measures” concerning the target firm’s company policies.
- RustyBuer
RustyBuer is one of the most active COVID-19 email threat campaigns. It is a downloader that serves as a foothold in infected networks and as an ‘Initial Access Broker’ tool to deliver secondary payloads, including ransomware. Its COVID-19 themed emails reference vaccine directives and current infection rates and attach a password-protected zip archive containing a Microsoft Excel file with macros that download and execute the RustyBuer malware once they are enabled.
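The RustyBuer delivery chain above (a password-protected zip wrapping a macro-enabled Excel file) can be flagged at the mail gateway without knowing the password, because the encryption bit and the member file names live in the archive's unencrypted metadata. The following is an added example written for this page, not code from the report or from any vendor; the archive it inspects is constructed inline with a hypothetical file name, and the flag bit is set by hand because Python's zipfile cannot write password-protected archives.

```python
import io
import struct
import zipfile
from pathlib import PurePosixPath
from zlib import crc32

# Office extensions that can carry VBA macros (assumption: tune to your policy).
MACRO_CAPABLE = {".xls", ".xlsm", ".xlsb", ".xltm", ".doc", ".docm", ".dotm", ".ppt", ".pptm"}


def triage_zip_attachment(data: bytes) -> dict:
    """Read only ZIP metadata: which members are encrypted and which are
    macro-capable Office files. No password needed, nothing extracted."""
    result = {"encrypted_members": [], "macro_office_members": [], "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a ZIP container; leave it to other checks
    with zf:
        for info in zf.infolist():
            # Bit 0 of the general-purpose flag marks a password-protected entry.
            if info.flag_bits & 0x1:
                result["encrypted_members"].append(info.filename)
            if PurePosixPath(info.filename).suffix.lower() in MACRO_CAPABLE:
                result["macro_office_members"].append(info.filename)
    # The lure pattern on this page: encrypted archive AND a macro-capable document inside.
    result["suspicious"] = bool(result["encrypted_members"]) and bool(result["macro_office_members"])
    return result


def build_sample_zip(name: str, payload: bytes, encrypted_flag: bool) -> bytes:
    """Constructed test archive: one stored entry with the flag bit set manually
    (the data itself is not encrypted, only the header claims it is)."""
    flag = 0x1 if encrypted_flag else 0
    crc, nm, n = crc32(payload) & 0xFFFFFFFF, name.encode(), len(payload)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 0, crc, n, n, len(nm), 0) + nm + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, 0, 0, 0,
                          crc, n, n, len(nm), 0, 0, 0, 0, 0, 0) + nm
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


if __name__ == "__main__":
    # Hypothetical attachment name modelled on the vaccine-directive lure.
    sample = build_sample_zip("vaccine_directive.xlsm", b"not real content", True)
    print(triage_zip_attachment(sample))
```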