By: Adrian McCabe, Vicky Ray, Juan Cortes - Unit 42, Palo Alto Networks
While the COVID-19 themed phishing campaigns observed by Unit 42 are numerous, this blog seeks to provide a thorough picture and solid technical analysis of a cross-section of the COVID-19 themed threats organizations may be facing during the ongoing pandemic. Specifically, we address a ransomware variant (EDA2) observed in attacks on a Canadian government healthcare organization and a Canadian medical research university, as well as an infostealer variant (AgentTesla) observed in attacks against various other targets (a United States defense research entity, a Turkish government agency managing public works, several large technology and communications firms headquartered in Canada, Germany, and England, and medical organizations and medical research facilities located in Japan and Canada).
None of the malware samples mentioned in this blog were successful in reaching their intended targets.
Between March 24, 2020 at 18:25 UTC and March 26 at 11:54 UTC, Unit 42 observed several malicious emails sent from the spoofed address [email protected][.]int (the actual sender IP address at the time of the attack was 176.223.133[.]91) to several individuals associated with a Canadian government health organization actively engaged in COVID-19 response efforts, and a Canadian university conducting COVID-19 research. The emails all contained a malicious Rich Text Format (RTF) phishing lure with the file name 20200323-sitrep-63-covid-19.doc (SHA256: 62d38f19e67013ce7b2a84cb17362c77e2f13134ee3f8743cbadde818483e617), which, when opened with a vulnerable application, attempted to deliver a ransomware payload using a known shared Microsoft component vulnerability, CVE-2012-0158.
It is interesting to note that even though the file name clearly references a specific date (March 23, 2020), the file name was not updated over the course of the campaign to reflect current dates. It is also interesting that the malware authors did not attempt to make their lures appear legitimate in any way; it is clear from the first page of the document that something is amiss.
Once opened with vulnerable document viewing software, the malicious attachment drops a ransomware binary to disk at C:\Users\<victim username>\AppData\Local\svchost.exe, then executes it. It is worth mentioning that the dropped binary has the hidden attribute set, and has an Adobe Acrobat icon.
When the ransomware binary is executed, an HTTP GET request for the resource tempinfo.96[.]lt/wras/RANSOM20.jpg is initiated. This image is the main ransomware infection notification displayed to the victim:
This image is then saved to disk at C:\Users\<victim username>\ransom20.jpg, and is subsequently set as the victim user’s desktop wallpaper. At the time of the attack, the domain tempinfo.96[.]lt resolved to the IP address 31.170.167[.]123.
After the image is downloaded, an HTTP POST request to the resource www.tempinfo.96[.]lt/wras/createkeys.php is made containing the user name and host name of the victim. Of particular note is that connectivity to the remote host is first checked using an HTTP 100 Continue exchange before the malware transmits the host details:
Once the remote command and control (C2) server successfully receives the victim’s details, it proceeds to create a custom key based on the username/hostname details and sends the key back to the infected host for further processing. Once the key is received from the C2 server, the infected host initiates an HTTP POST request to the resource www.tempinfo.96[.]lt/wras/sendkeys.php containing its hostname and the main decryption key for the host, which is itself AES encrypted:
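The three-step C2 exchange above (image download, key creation, key upload) is a usable network detection signal. The following is an added example, not Unit 42 code: it walks constructed web-proxy log lines and reports which clients completed the sequence in order against the defanged C2 domain; the log format is an assumption, so adapt the regex to your own proxy.

```python
"""Flag proxy clients that walk the EDA2 C2 sequence described above:
GET /wras/RANSOM20.jpg, POST /wras/createkeys.php, POST /wras/sendkeys.php
against tempinfo.96[.]lt. Added detection example, not Unit 42 code; the
log format and sample lines are constructed, so adapt LOG_RE to your proxy."""
import re
from collections import defaultdict

C2_HOST = "tempinfo.96.lt"  # written defanged in the report
# Ordered stages of the key exchange, as (method, path) pairs
STAGES = [
    ("GET", "/wras/RANSOM20.jpg"),
    ("POST", "/wras/createkeys.php"),
    ("POST", "/wras/sendkeys.php"),
]
# Constructed format: <timestamp> <client_ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"https?://(?:www\.)?(?P<host>[^/\s]+)(?P<path>/\S*) (?P<status>\d{3})$"
)
SAMPLE_LOG = """\
2020-03-24T18:30:01Z 10.1.2.3 GET http://tempinfo.96.lt/wras/RANSOM20.jpg 200
2020-03-24T18:30:02Z 10.1.2.3 POST http://www.tempinfo.96.lt/wras/createkeys.php 200
2020-03-24T18:30:03Z 10.1.2.3 POST http://www.tempinfo.96.lt/wras/sendkeys.php 200
2020-03-24T18:31:00Z 10.1.2.9 GET http://example.org/index.html 200
2020-03-24T18:32:10Z 10.1.2.7 GET http://tempinfo.96.lt/wras/RANSOM20.jpg 200
"""

def c2_stage_reached(log_text: str) -> dict:
    """Map each client that contacted the C2 host to the number of stages it
    completed in order (3 means the key exchange finished)."""
    progress = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["host"].lower() != C2_HOST:
            continue
        nxt = progress[m["client"]]
        if nxt < len(STAGES) and (m["method"], m["path"]) == STAGES[nxt]:
            progress[m["client"]] = nxt + 1
    return dict(progress)

def hosts_with_key_exchange(log_text: str) -> list:
    """Clients that finished all three stages: encryption is likely under way."""
    reached = c2_stage_reached(log_text)
    return sorted(c for c, n in reached.items() if n == len(STAGES))
```

A client that only reached stage 1 (the wallpaper download) still merits triage, since the key exchange may have gone over a path the proxy did not see.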
At this point, encryption of the victim’s files begins. This particular ransomware binary is configured to encrypt files with the following file extensions:
“.abw”, “.aww”, “.chm”, “.dbx”, “.djvu”, “.doc”, “.docm”, “.docx”, “.dot”, “.dotm”, “.dotx”, “.epub”, “.gp4”, “.ind”, “.indd”, “.key”, “.keynote”, “.mht”, “.mpp”, “.odf”, “.ods”, “.odt”, “.ott”, “.oxps”, “.pages”, “.pdf”, “.pmd”, “.pot”, “.potx”, “.pps”, “.ppsx”, “.ppt”, “.pptm”, “.pptx”, “.prn”, “.prproj”, “.ps”, “.pub”, “.pwi”, “.rtf”, “.sdd”, “.sdw”, “.shs”, “.snp”, “.sxw”, “.tpl”, “.vsd”, “.wpd”, “.wps”, “.wri”, “.xps”, “.bak”, “.bbb”, “.bkf”, “.bkp”, “.dbk”, “.gho”, “.iso”, “.json”, “.mdbackup”, “.nba”, “.nbf”, “.nco”, “.nrg”, “.old”, “.rar”, “.sbf”, “.sbu”, “.spb”, “.spba”, “.tib”, “.wbcat”, “.zip”, “7z”.
The encryption algorithm is fairly simple, and, when encrypted, files are renamed with a .locked20 extension:
Additionally, this ransomware binary has a particularly substantial limitation: it is hardcoded to only encrypt files and directories that are on the victim’s desktop.
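The host-side behaviour described above (targeted extensions, a .locked20 suffix, and a scope limited to the Desktop) also maps directly to an endpoint detection rule. The following is an added example, not Unit 42 code: it scores constructed file-rename telemetry and alerts on a burst of matching renames per host. The appended-suffix naming (report.docx becoming report.docx.locked20) and the 5-in-10-seconds threshold are assumptions to tune against your own EDR data.

```python
"""Host-side detection for the behaviour described above: files under the
victim's Desktop rewritten with a .locked20 suffix. Added example, not Unit 42
code; the rename telemetry below is constructed, the appended-suffix naming
(report.docx -> report.docx.locked20) and the 5-in-10-seconds threshold are
assumptions to tune against your own EDR data."""
import re
from datetime import datetime, timedelta

LOCKED_EXT = ".locked20"
# Subset of the extensions the binary targets (full list in the report)
TARGETED = {".doc", ".docx", ".pdf", ".pptx", ".zip", ".rar", ".json", ".bak"}
# The binary is hardcoded to the Desktop, so scope the rule there
DESKTOP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\Desktop\\", re.IGNORECASE)

def _ext(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def is_eda2_rename(old_path: str, new_path: str) -> bool:
    """A targeted Desktop file gaining the .locked20 suffix."""
    return (DESKTOP_RE.match(new_path) is not None
            and new_path.lower().endswith(LOCKED_EXT)
            and _ext(old_path) in TARGETED)

def encryption_bursts(events, threshold=5, window=timedelta(seconds=10)):
    """Hosts on which `threshold` matching renames fall inside `window`."""
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_eda2_rename(ev["old"], ev["new"]):
            hits.setdefault(ev["host"], []).append(ev["ts"])
    alerts = []
    for host, times in hits.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(host)
                break
    return alerts

def _ev(host, sec, old, new):  # constructed rename event record
    return {"host": host, "ts": datetime(2020, 3, 24, 18, 40, sec), "old": old, "new": new}

D = "C:\\Users\\alice\\Desktop\\"
SAMPLE_EVENTS = [_ev("WS01", s, f"{D}report{s}.docx", f"{D}report{s}.docx.locked20")
                 for s in range(6)]
SAMPLE_EVENTS += [
    _ev("WS01", 7, "C:\\Users\\alice\\Documents\\notes.txt", "C:\\Users\\alice\\Documents\\notes.txt.locked20"),
    _ev("WS02", 3, f"{D}budget.pdf", f"{D}budget.pdf.locked20"),
]
```

Because the binary never leaves the Desktop, a single matching rename elsewhere on disk (the Documents event above) is deliberately ignored rather than counted toward the burst.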
From the code structure of the binary and the host-based and network-based behaviors of the ransomware, Unit 42 has determined that the ransomware variant used in this attack is EDA2, an open-source ransomware variant associated with a larger, parent ransomware family called HiddenTear.
Additional information on this ransomware variant can be found here.
The objective of this blog was to give a deeper understanding of some of the types of cybercrime campaigns being faced by multiple critical industries dealing with the urgent and critical response efforts of the COVID-19 pandemic. It is clear from these cases that the threat actors who profit from cybercrime will go to any extent, including targeting organizations that are on the front lines and responding to the pandemic on a daily basis.
While this blog specifically focused on two campaigns, Unit 42 is tracking multiple campaigns with COVID-19 themes being used by threat actors on a daily basis, and this trend is likely to continue for weeks to come. We will continue updating the Unit 42 blog with new findings and observations on how the ongoing COVID-19 pandemic is being leveraged by cyber criminals for illicit profit.