The coronavirus has already become a pandemic and is on the minds of every news media outlet, government and ordinary citizen. While the virus is causing serious health problems on a worldwide scale, cyber attackers are using the opportunity to jump on the coronavirus-themed bandwagon and cause serious digital health problems across the World Wide Web.
An advanced persistent threat (APT) group is leveraging the novel virus to deliver malicious tools and software to unsuspecting victims. The identified suspicious malware came as two Rich Text Format files (RTF for short, a format mostly used by Microsoft products). These targeted the Mongolian public sector and, once opened, launched a custom and previously unidentified remote-access Trojan (RAT, as it is called). Once executed, the RAT takes screenshots of the device, creates a list of files and directories, and downloads them as well.
Researchers have also speculated that the latest iteration of the APT, the coronavirus-themed APT, is largely part of a Chinese-based operation that appears to be long-standing in both the East and the West. As reported, the specific campaign targets the coronavirus pandemic and lures victims into setting off the attack.
They monitored the campaigns behind these attacks. Researchers at Check Point Research, based in San Carlos, California, said that the COVID-19 pandemic is cause for greater concern because attackers lure victims with news, articles and other “insights” that can trigger an infection chain and lead to widespread cyber-attacks.
The RTF files allegedly attached to an email sent to the Mongolian Ministry of Foreign Affairs were said to be infected with the malware. Their content was predominantly information about new coronavirus infections in the region, aimed at potential victims. The RTF files were weaponized with a tool named Royal Road. This tool is quite common and is seen primarily in use by Chinese hackers. It allows an attacker to create a custom, weaponized document that exploits unspecified vulnerabilities in components such as Equation Editor, a tool used to build complex equations in Microsoft Word.
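A defender triaging an RTF attachment of the kind described above wants a quick answer to one question: does the document embed an OLE object that points at Equation Editor at all? The script below is an added example written for this article, not code from Check Point Research or from the Royal Road tool. It decodes every `\objdata` group in the RTF and looks for the OLE compound-file header, the `Equation.3` ProgID and the Equation Editor CLSID (`0002CE02-0000-0000-C000-000000000046`, the real Windows class ID), and it also flags `\objupdate`, the control word that makes Word load the object when the file is opened. The sample RTF it runs on is constructed inside the script and carries only those markers, no exploit content; the heuristic is deliberately simple and assumes the RTF is not obfuscated beyond whitespace in the hex data.

```python
import re

# Real identifiers for Microsoft Equation Editor as they appear in OLE objects.
EQUATION_EDITOR_CLSID = "0002CE02-0000-0000-C000-000000000046"
EQUATION_EDITOR_PROGID = b"Equation.3"
# Magic bytes of an OLE compound file (CFB) header.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def clsid_to_le_bytes(clsid):
    """Textual GUID -> the 16-byte little-endian form stored in OLE streams."""
    p = clsid.split("-")
    return (int(p[0], 16).to_bytes(4, "little")
            + int(p[1], 16).to_bytes(2, "little")
            + int(p[2], 16).to_bytes(2, "little")
            + bytes.fromhex(p[3] + p[4]))


def extract_objdata(rtf):
    """Return the decoded bytes of every \\objdata group (hex-encoded OLE1 blob)."""
    blobs = []
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a dangling nibble
            hexdata = hexdata[:-1]
        if hexdata:
            blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def inspect_rtf(rtf):
    """Heuristic triage: which Equation Editor / auto-load markers does the RTF carry?"""
    findings = {
        "objclass_equation": re.search(rb"\\objclass\s*Equation", rtf, re.I) is not None,
        "objupdate_on_open": b"\\objupdate" in rtf,
        "ole_object_count": 0,
        "equation_editor_clsid": False,
        "equation_editor_progid": False,
    }
    clsid_le = clsid_to_le_bytes(EQUATION_EDITOR_CLSID)
    for blob in extract_objdata(rtf):
        if OLE_MAGIC in blob:
            findings["ole_object_count"] += 1
        if clsid_le in blob:
            findings["equation_editor_clsid"] = True
        if EQUATION_EDITOR_PROGID.lower() in blob.lower():
            findings["equation_editor_progid"] = True
    findings["suspicious"] = (findings["objclass_equation"]
                              or findings["equation_editor_clsid"]
                              or findings["equation_editor_progid"])
    return findings


def build_sample_rtf():
    """Constructed sample: one embedded object carrying only the markers above."""
    payload = (OLE_MAGIC + b"\x00" * 8 + EQUATION_EDITOR_PROGID + b"\x00"
               + clsid_to_le_bytes(EQUATION_EDITOR_CLSID))
    hexpayload = payload.hex().encode("ascii")
    return (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + hexpayload + b"}}}")


if __name__ == "__main__":
    for k, v in inspect_rtf(build_sample_rtf()).items():
        print(f"{k}: {v}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `inspect_rtf`; a hit on the CLSID or ProgID combined with `\objupdate` is a strong reason to detonate the document only in an isolated analysis environment. Any legitimate document that embeds an equation will also match, so treat the result as a triage signal, not a verdict.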
Once the victim opens the RTF file, a malicious file is downloaded to the Microsoft Word startup folder, which creates a chain of infection and sandbox detonation. The file serves as a loader for the malware and can also communicate with the attackers’ command-and-control (C2) server.
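Because the loader is dropped into Word's startup folder, the persistence is easy to audit: every file in that folder is loaded whenever Word starts, so an unexpected add-in or template there is a finding in itself. The script below is an added example for this article, not Check Point's tooling. It hashes everything in a startup folder and reports files that are missing from, or differ from, a known-good baseline, marking which ones Word would actually load (`.wll` add-ins and `.dot`/`.dotm` templates). The default path `%APPDATA%\Microsoft\Word\STARTUP` is the real per-user location; the demo folder, its file names and the baseline are constructed so the script runs offline, and `intel.wll` is a hypothetical name, not an indicator from the campaign.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Real per-user location that Word scans on start-up (the one the article mentions).
DEFAULT_WORD_STARTUP = Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Word" / "STARTUP"

# File types Word loads from that folder: add-in libraries and global templates.
LOADABLE_EXTENSIONS = {".wll", ".dot", ".dotm"}


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large add-ins do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_word_startup(folder, baseline):
    """Compare a startup folder against a baseline {file name: sha256}.

    Returns one finding per file that is absent from the baseline or whose
    hash no longer matches it. Baselined, unchanged files are silent.
    """
    findings = []
    folder = Path(folder)
    if not folder.is_dir():
        return findings
    for entry in sorted(folder.iterdir()):
        if not entry.is_file():
            continue
        digest = sha256_of(entry)
        known = baseline.get(entry.name)
        if known == digest:
            continue
        findings.append({
            "file": entry.name,
            "sha256": digest,
            "size": entry.stat().st_size,
            "loadable": entry.suffix.lower() in LOADABLE_EXTENSIONS,
            "reason": "modified" if known else "not in baseline",
        })
    return findings


def demo():
    """Constructed scenario: a temp dir stands in for STARTUP and holds one
    baselined template plus one add-in that nobody baselined."""
    with tempfile.TemporaryDirectory() as tmp:
        known = Path(tmp) / "Corporate.dotm"
        known.write_bytes(b"baselined corporate template")
        dropped = Path(tmp) / "intel.wll"      # hypothetical name, not an IoC
        dropped.write_bytes(b"unexpected add-in contents")
        baseline = {"Corporate.dotm": sha256_of(known)}
        return audit_word_startup(tmp, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In production the baseline would be captured from a clean build and stored outside the host; run `audit_word_startup(DEFAULT_WORD_STARTUP, baseline)` on each endpoint and forward any `loadable` finding to the SOC, because a loadable file that nobody baselined is exactly what the dropper described above leaves behind.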
The attacker then operates from the C2 server and can harvest, download and analyze data, and gain access to further stages of the infection chain. The final stage of the malware infection is a malicious loader that decrypts the RAT module and creates a plug-and-play-like architecture that can receive additional payloads.
The researchers further noted that the “coronavirus-themed” campaigns bore a strong resemblance to a cyberattack campaign from 2017. In 2017, cyber attackers targeted the government of Belarus with similarly “themed” campaigns using the CMSTAR Trojan. They further identified similarities in the underlying infrastructure and in the code structure of the payloads between the coronavirus campaign and the Trojan campaign, leading to widespread speculation.
The rising number of coronavirus-themed cyberattacks is a cause for concern for global data protection communities. It is essential to watch how security labs and anti-virus companies react to the rising global tension.