
Cybercriminals prey on healthcare panic to spread malware

11 Mar 2020

Cybercriminals are now using fake HIV test results to spread their malicious phishing attacks, as they move quickly to cash in on healthcare scares in the wake of COVID-19 Coronavirus.

According to cybersecurity firm Proofpoint, criminals are using health information in phishing emails because it gets an emotional response from victims.

In this particular instance, the criminals masquerade as a university medical centre – in Proofpoint’s example, the medical centre is called Venderbit Medical. The attackers send emails to victims with the subject line ‘Test result of medical analysis’, with the body of the email indicating HIV results are now available.

The HIV results are, of course, fake. Victims who open the attachment are really exposing their devices to a piece of malware called Koadic.

When victims click on the link to view test results, they open a malicious Excel document called TestResults.xlsb. The Koadic malware runs if the victim enables macros in the document.

The Koadic remote access trojan (RAT) is able to access victims’ sensitive personal and financial data. It is also able to run programs.
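As an added illustration of the lure just described (example code written for this article, not from Proofpoint), the following triage script parses raw email messages and flags those that pair a health-result subject line with a macro-capable Office attachment such as the TestResults.xlsb file. The keyword list, sender addresses and attachment bytes are constructed sample data.

```python
# Added example: flag messages that combine a health-result lure subject with a
# macro-capable Office attachment. All sample messages below are constructed.
import email
from email import policy
from email.message import EmailMessage

# Office formats that can carry VBA macros; .xlsb is the binary workbook used in the lure.
MACRO_EXTENSIONS = {".xlsb", ".xlsm", ".xls", ".docm", ".doc", ".pptm"}
# Constructed keyword list modelled on the 'Test result of medical analysis' subject.
LURE_KEYWORDS = ("test result", "medical analysis", "hiv", "lab result")


def lure_score(raw: bytes) -> dict:
    """Return a verdict for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").lower()
    keyword_hit = any(k in subject for k in LURE_KEYWORDS)
    macro_files = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in MACRO_EXTENSIONS):
            macro_files.append(name)
    # Either signal alone is common in legitimate mail; the combination is what we alert on.
    return {
        "subject": subject,
        "keyword_hit": keyword_hit,
        "macro_attachments": macro_files,
        "suspicious": keyword_hit and bool(macro_files),
    }


def build_message(subject: str, filename: str = "") -> bytes:
    """Construct a sample message for testing (not a real capture)."""
    m = EmailMessage()
    m["From"] = "results@example.invalid"
    m["To"] = "patient@example.invalid"
    m["Subject"] = subject
    m.set_content("Your results are attached.")
    if filename:
        m.add_attachment(b"\x00" * 16, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


LURE = build_message("Test result of medical analysis", "TestResults.xlsb")
BENIGN = build_message("Team lunch on Friday", "menu.pdf")
```

Run lure_score over messages pulled from a mail gateway or a quarantine folder; the suspicious flag is a triage signal to inspect the attachment in a sandbox, not a final verdict.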

The campaign has targeted industries including healthcare, insurance and pharmaceuticals, but other sectors have been targeted as well.

According to Proofpoint, many nation state attackers associated with China, Iran and Russia have used Koadic at some point.

Many attackers are cashing in on the Coronavirus outbreak by taking advantage of ‘conspiracy theory-based fears around purported unreleased cures for Coronavirus’.

So far, malware including Emotet, the AgentTesla keylogger, NanoCore RAT and the AZORult information stealer has been involved in attacks related to Coronavirus.

“We encourage users to treat health-related emails with caution, especially those that claim to have sensitive health-related information,” says Proofpoint’s Sherrod DeGrippo.

“Sensitive health-related information is typically safely transmitted using secured messaging portals, over the phone, or in-person. If you receive an email that claims to have sensitive health-related information, don’t open the attachments. Instead, visit your medical provider’s patient portal directly, call your doctor, or make an appointment to directly confirm any medical diagnosis or test results.”

Proofpoint also recently discovered a new malware downloader called GuLoader. The downloader typically delivers RATs and information stealers that could expose organisations’ IT systems.

Proofpoint says that the downloader’s RATs and information stealers include Agent Tesla/Origin Logger, FormBook, NanoCore RAT, Netwire RAT, Remcos RAT, Ave Maria/Warzone RAT and Parallax RAT.

GuLoader stores encrypted payloads on Google Drive or Microsoft OneDrive, highlighting that cybercriminals are also relying on cloud services to conduct their activities.
