The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the U.K. National Cyber Security Centre recently released a rare joint statement warning of the rise of APT groups using phishing campaigns exploiting the world’s fears about COVID-19.
“Their goals and targets are consistent with long-standing priorities such as espionage and ‘hack-and-leak’ operations,” officials warned in a statement. “Both APT groups and cybercriminals are likely to continue to exploit the COVID-19 pandemic over the coming weeks and months.”
In a new report, Malwarebytes looked at the rising APT attacks that use coronavirus as a lure to get people to take the bait. “Once their victims’ attention was captured by social engineering,” the report stated, “threat actors used various techniques to deploy malware, such as embedding macros in Microsoft documents attached to phishing emails or exploiting system or browser vulnerabilities to drop malicious software.”
According to Malwarebytes Threat Intelligence Team, APT groups are adapting their spear-phishing campaigns with the theme du jour, knowing that they will get a higher success rate using COVID-19 as a lure. They target their victims by crafting emails containing malicious attachments purporting to be related to the COVID-19 pandemic.
“Once you open up the file, malware will be silently installed and begin to collect data on the infected victims,” according to the Malwarebytes report.
APT groups aren’t the only ones exploiting COVID-19 for profit. There is also the rampant spread of disinformation designed to lure scared citizens into sharing sensitive information. Hackers are taking advantage of videoconferencing vulnerabilities to disrupt meetings and steal intellectual property. Hospitals, already pushed to their limits, are dealing with ransomware attacks. Phishing scams have skyrocketed.
What makes the APT attacks different, the Malwarebytes team said, is their smaller scope. “For example, other cyber-criminals will spend massive amounts of spam whereas an APT group will carefully choose his victims.” The malware from these attacks can then hide in your system and steal your data long after coronavirus has done its damage.
APT Attack Techniques
The Malwarebytes research revealed the techniques APT groups are using. They are:
- Template injection, where the hackers embed a script moniker in a document via a link to a malicious template via XML settings. The hackers usually use Microsoft Office documents for this attack.
- Malicious macros, which is the most popular style of APT attacks overall. A macro is embedded into the lure document that is then activated when the document is opened.
- RTF exploit, which is a popular flexible text format developed by Microsoft. As the report described, “The flexibility of embedding any object type within makes RTF files vulnerable to many OLE objects related vulnerabilities. Several threat actors, especially Chinese ones, use RTF files in their campaigns.”
- Malicious LNK files, targeting another Microsoft application, this time Windows. This APT attack uses malicious LNK shortcut files to infect systems.
The report goes into great detail about how each technique works and the different models the threat actors are using. And while many of these attacks specifically use Microsoft applications, don’t lull yourself into thinking Apple devices are safe. These APTs impact everyone.
Cybercriminals are going to rely on the heightened interest in all things related to COVID-19 for as long as they possibly can. APT groups have wasted no time in capitalizing on the COVID-19 crisis, and as long as the public is searching for information, the threat actors will continue to take advantage.
“Because we see a lot of emails attempting to inform the public about this pandemic, discerning the malicious from the legitimate ones is a difficult task,” the Malwarebytes team said. “By shedding some light on these attacks, we hope to share knowledge and tips on how to spot the techniques used by advanced threat actors.”