The coronavirus pandemic continues to be used by hackers to carry out malware attacks, phishing campaigns, scams and spread misinformation.

Security researchers have discovered a large number of phishing email campaigns on the subject of COVID-19, aimed primarily at governments and health organizations.

Security researchers from Unit 42 noticed that many malicious emails seem like they come from the WHO with a spoofed address ([email protected] [.] Int ).

The campaign targets people linked to a government health agency in Canada that is actively working to mitigate COVID-19.

The binary that is silently downloaded carries an Adobe Acrobat icon. Once executed, it sends an HTTP GET request to download an image, which is used as the ransomware alert.


Once the image is received, a request is created based on the username and the name of the victim's main computer.

The ransomware encrypts the following files and adds the .locked20 extension:

".abw", ".aww", ".chm", ".dbx", ".djvu", ".doc", ".docm", ".docx", ".dot", ".dotm", ".dotx", ".epub", ".gp4", ".ind", ".indd", ".key", ".keynote", ".mht", ".mpp", ".odf", ".ods", ".odt", ".ott", ".oxps", ".pages", ".pdf", ".pmd", ".pot", ".potx", ".pps", ".ppsx", ".ppt", ".pptm", ".pptx", ".prn", ".prproj", ".ps", ".pub", ".pwi", ".rtf", ".sdd", ".sdw", ".shs", ".snp", ".sxw", ".tpl", ".vsd", ".wpd", ".wps", ".wri", ".xps", ".bak", ".bbb", ".bkf", ".bkp", ".dbk", ".gho", ".iso", ".json", ".mdbackup", ".nba", ".nbf", ".nco", ".nrg", ".old", ".rar", ".sbf", ".sbu", ".spb", ".spba", ".tib", ".wbcat", ".zip", "7z", ".dll", ".dbf"

According to the researchers, the ransomware variant used is EDA2.
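The article gives two concrete artifacts a defender can key on: the list of extensions the ransomware goes after, and the ".locked20" suffix it appends to encrypted files. The following added example (written for this page, not code from Unit 42 or from the article) turns those into a simple file-listing triage routine: it separates files that are still at risk from files that already carry the ".locked20" suffix and recovers the original extension of the latter, so an incident responder can gauge how far encryption got. The sample paths are constructed, and treating the page's "7z" entry as ".7z" is an assumption.

```python
from pathlib import PurePosixPath

# Extension list reported for this EDA2 variant (taken from the article, lowercased).
# The article lists "7z" without a leading dot; it is assumed here to mean ".7z".
TARGET_EXTENSIONS = {
    ".abw", ".aww", ".chm", ".dbx", ".djvu", ".doc", ".docm", ".docx", ".dot", ".dotm",
    ".dotx", ".epub", ".gp4", ".ind", ".indd", ".key", ".keynote", ".mht", ".mpp", ".odf",
    ".ods", ".odt", ".ott", ".oxps", ".pages", ".pdf", ".pmd", ".pot", ".potx", ".pps",
    ".ppsx", ".ppt", ".pptm", ".pptx", ".prn", ".prproj", ".ps", ".pub", ".pwi", ".rtf",
    ".sdd", ".sdw", ".shs", ".snp", ".sxw", ".tpl", ".vsd", ".wpd", ".wps", ".wri",
    ".xps", ".bak", ".bbb", ".bkf", ".bkp", ".dbk", ".gho", ".iso", ".json", ".mdbackup",
    ".nba", ".nbf", ".nco", ".nrg", ".old", ".rar", ".sbf", ".sbu", ".spb", ".spba",
    ".tib", ".wbcat", ".zip", ".7z", ".dll", ".dbf",
}

# Suffix the ransomware appends to every file it encrypts (from the article).
LOCKED_SUFFIX = ".locked20"

# Constructed file listing for the demonstration; not real victim data.
SAMPLE_LISTING = [
    "/home/alice/Documents/report.docx",
    "/home/alice/Documents/budget.xlsx",
    "/home/alice/Documents/notes.pdf.locked20",
    "/home/alice/backup/site.zip.locked20",
    "/home/alice/Pictures/photo.jpg",
    "/home/alice/Documents/DRAFT.RTF",
]


def classify(paths):
    """Split a file listing into three buckets:
    - encrypted: files already renamed with the .locked20 suffix, paired with
      the extension they had before encryption (so the owner knows what was lost)
    - targeted: files whose extension is on the ransomware's list but which are
      still intact, i.e. what would be hit if the process is still running
    - other: everything else
    Extension matching is case-insensitive because Windows file names are.
    """
    encrypted, targeted, other = [], [], []
    for p in paths:
        path = PurePosixPath(p)
        name = path.name.lower()
        if name.endswith(LOCKED_SUFFIX):
            # Strip the appended suffix; whatever suffix remains is the original type.
            original_name = name[: -len(LOCKED_SUFFIX)]
            encrypted.append((p, PurePosixPath(original_name).suffix))
        elif path.suffix.lower() in TARGET_EXTENSIONS:
            targeted.append(p)
        else:
            other.append(p)
    return {"encrypted": encrypted, "targeted": targeted, "other": other}


def encryption_alert(paths, threshold=1):
    """True when at least `threshold` files carry the .locked20 suffix.
    A single hit is already a strong indicator, since no legitimate software
    produces that suffix; raise the threshold only to suppress test artefacts."""
    return len(classify(paths)["encrypted"]) >= threshold


if __name__ == "__main__":
    result = classify(SAMPLE_LISTING)
    for bucket, items in result.items():
        print(f"{bucket}: {items}")
    print("alert:", encryption_alert(SAMPLE_LISTING))
```

In practice the listing would come from a directory walk or a file-integrity monitoring feed; the value of the routine is in the two buckets it separates, because files still in the "targeted" bucket are the ones worth isolating the host to protect.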

Another phishing email campaign targeted people working in the healthcare sector and in the pharmaceutical and government industries.

The emails contain attachments carrying the AgentTesla malware, which has been active since 2014.


It is capable of stealing credentials stored in a large list of web browsers, FTP clients, file downloaders, etc.

AgentTesla malware is sold in various forums and is the top choice of the SilverTerrier threat actor.

At a time when more and more people are being forced to work from home, their online security has declined. And the hackers' attacks make things even worse. For this reason, users should be more careful with the emails they receive and not open links that seem dangerous.
