The novel coronavirus is giving opportunistic threat actors new means of deploying malicious lures on unsuspecting targets. Today’s example shows the attacker leveraging the pandemic by offering guidance on how to avoid coronavirus scams. Unfortunately, it’s also a scam.
We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up to date on how threat actors are exploiting the pandemic.
This lure is targeting a large global financial institution.
Sender address: firstname.lastname@example.org
Clicking the link redirects the target to affmote[dot]com/WLGf4L49kgtfESv4u.php, where they are prompted to provide extra verification in order to access the document. This extra step serves a dual purpose for the attacker by keeping security researchers and bots, rather than the intended victim, from finding the malware.
Enabling the malicious Word document results in the download of Ursnif malware, a highly active and stealthy banking trojan.
The information that this particular lure promises is not unique in nature. Phishing attacks exploiting coronavirus information from health and government officials now span a variety of channels, and tips on how to avoid being a victim are everywhere. Attackers interested in capitalizing on the public’s need for COVID-19 updates need only look to authority figures on the subject and mirror their messaging.
For more intelligence on COVID-19 threats, see our ongoing coverage.