
Cybercriminals prey on healthcare panic to spread malware

11 Mar 2020

Cybercriminals are now using fake HIV test results to spread their malicious phishing attacks, as they move quickly to cash in on healthcare scares in the wake of COVID-19 Coronavirus.

According to cybersecurity firm Proofpoint, criminals are using health information in phishing emails because it gets an emotional response from victims.

In this particular instance, the criminals masquerade as a university medical centre – in Proofpoint’s example, the medical centre is called Venderbit Medical. The attackers send emails to victims with the subject line ‘Test result of medical analysis’, with the body of the email indicating HIV results are now available.

The HIV results are, of course, fake. Victims who open the attachment are really exposing their devices to a piece of malware called Koadic.

When victims click on the link to view test results, they open a malicious Excel document called TestResults.xlsb. The Koadic malware runs if the victim enables macros in the document.
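The lure above depends on a macro-capable Excel attachment (TestResults.xlsb) and on the recipient enabling macros. A mail gateway or triage script can catch that class of attachment before it reaches a user. The following is an added example, not Proofpoint's tooling or code from this article; it assumes only that .xlsb/.xlsm/.docm files are Office Open XML zip containers that store macros in a part named vbaProject.bin. The sample files it inspects are constructed in memory so it runs offline.

```python
"""Triage Office attachments by checking for an embedded VBA project.

Added example (not from the article or from Proofpoint). Assumes the
Office Open XML layout, where macros live in a zip part named
vbaProject.bin (for Excel: xl/vbaProject.bin). Sample attachments
are constructed below; they are not real malware.
"""
import io
import os
import zipfile

# Extensions that may legitimately carry VBA; .xlsb is the one used in the lure.
MACRO_CAPABLE_EXTENSIONS = {".xlsb", ".xlsm", ".xltm", ".docm", ".dotm", ".pptm"}


def has_vba_project(data: bytes) -> bool:
    """Return True if the OOXML container holds a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        # Not an OOXML container (plain text, PDF, legacy OLE2 .xls, etc.).
        return False
    return any(n.endswith("vbaproject.bin") for n in names)


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'block', 'review' or 'allow'.

    - Any OOXML container with a VBA project is blocked, regardless of the
      extension, so renaming TestResults.xlsb to .xlsx does not help.
    - A macro-capable extension with no VBA inside is queued for review,
      because a blank macro-enabled workbook from an outside sender is
      still unusual.
    - Everything else is allowed by this check (other controls still apply).
    """
    ext = os.path.splitext(filename)[1].lower()
    if has_vba_project(data):
        return "block"
    if ext in MACRO_CAPABLE_EXTENSIONS:
        return "review"
    return "allow"


def build_sample_workbook(with_macros: bool) -> bytes:
    """Construct a minimal .xlsb-shaped zip for testing (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.bin", b"\x00" * 16)
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"VBA-PROJECT-PLACEHOLDER")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbound attachments, mirroring the lure described above.
    inbox = [
        ("TestResults.xlsb", build_sample_workbook(with_macros=True)),
        ("TestResults.xlsx", build_sample_workbook(with_macros=True)),  # renamed
        ("Budget.xlsm", build_sample_workbook(with_macros=False)),
        ("invoice.pdf", b"%PDF-1.4 constructed sample"),
    ]
    for name, blob in inbox:
        print(f"{name:20s} -> {triage_attachment(name, blob)}")
```

The check runs on the raw bytes rather than trusting the extension, which is the detail that matters: the decision is made on whether a VBA part is present, and the extension only decides between "review" and "allow" when no macro is found.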

The Koadic remote access trojan (RAT) is able to access victims’ sensitive personal and financial data. It is also able to run programs.

The attackers have targeted industries including healthcare, insurance and pharmaceuticals, but the campaign has also reached organisations in other sectors.

According to Proofpoint, many nation state attackers associated with China, Iran and Russia have used Koadic at some point.

Many attackers are cashing in on the Coronavirus outbreak by taking advantage of ‘conspiracy theory-based fears around purported unreleased cures for Coronavirus’.

So far, malware families including Emotet, the AgentTesla keylogger, NanoCore RAT and the AZORult information stealer have all been used in attacks related to Coronavirus.

“We encourage users to treat health-related emails with caution, especially those that claim to have sensitive health-related information,” says Proofpoint’s Sherrod DeGrippo.

“Sensitive health-related information is typically safely transmitted using secured messaging portals, over the phone, or in-person. If you receive an email that claims to have sensitive health-related information, don’t open the attachments. Instead, visit your medical provider’s patient portal directly, call your doctor, or make an appointment to directly confirm any medical diagnosis or test results.”

Proofpoint also recently discovered a new malware downloader called GuLoader. The downloader typically delivers RATs and information stealers that could expose organisations’ IT systems.

Proofpoint says that the downloader’s RATs and information stealers include Agent Tesla/Origin Logger, FormBook, NanoCore RAT, Netwire RAT, Remcos RAT, Ave Maria/Warzone RAT and Parallax RAT.

GuLoader stores encrypted payloads on Google Drive or Microsoft OneDrive, highlighting that cybercriminals are also relying on cloud services to conduct their activities.