Proofpoint researchers are continuing to monitor malicious threat actor activity surrounding COVID-19. To date, the cumulative volume of coronavirus-related email lures now represents the greatest collection of attack types united by a single theme that our team has seen in years, if not ever. We’ve observed credential phishing, malicious attachments, malicious links, business email compromise (BEC), fake landing pages, downloaders, spam, and malware, among others, all leveraging coronavirus lures.
Over the past week, the team observed a campaign from TA505, the group behind Locky ransomware and the Dridex banking Trojan, that uses a coronavirus lure as part of a downloader campaign targeting the U.S. healthcare, manufacturing, and pharmaceuticals industries.
The team also found a separate coronavirus-themed campaign that uses a downloader, targets the healthcare industry, and demands Bitcoin payment. The downloaders used in these two campaigns are sometimes seen as a first-stage payload, with ransomware downloaded and installed on the victim's machine later; ransomware is typically delivered as a second- or later-stage payload. This indicates a potential future shift in the attack landscape.
We’ve additionally seen TA564 using coronavirus emails to target Canadian users by spoofing the Public Health Agency of Canada in an attempt to deliver Ursnif.