TechGuard Blog

Upping the Scale

COVID-19 phishing attempts have run rampant in cyber news since so many employees were ordered to work from home during the outbreak. When a company has to suddenly transition its users to work remotely, their network's threat landscape grows dramatically. Malicious actors know this, and they're using it to their advantage by blasting out phishing campaigns. One campaign, in particular, is targeting government and energy sectors in Azerbaijan with interest in wind turbines. The attack is believed to originate through email and attempts to lure the victim into downloading a python based Remote Access Trojan (RAT). Using the RAT, the adversary could potentially exfiltrate sensitive documents, keystrokes, passwords, and even take images from the facility's webcams, while the main target of the campaign is the SCADA systems.

 

How This Attack works 

 

Once a Victim has downloaded the malicious file from the suspected email, the word document immediately writes the malware to the computers archive file as a smile.zip, which has a python interpreter in it and the RAT itself. From here, the malware begins to start a two-part sequence to establish a connection to the command and control server (C2) through files attached to the word document. The first file, named frown.py, is used to communicate with the C2 server through a unique device identifier. The second file, titled smile.py, handles the execution of the C2 commands on the compromised machine through the connection made in the first file. Once this sequence has been established, the adversary can begin to send executable exploitations across the server and onto the device.

 

This malware campaign isn't limited to embedding itself into a file system and establishing a connection to a command server, either. This campaign also has the ability to detect if it is put in a sandbox or not by checking the storage space of the environment it is downloaded on. If the file detects that the hard drive has less than 62GB, the file will automatically erase itself and no longer exist. It can also gain persistence on a device by creating a registry key for itself.

 

What You Can Do

If you're worried about this attack reaching your business, there are some preventative measures you can take. Putting geographical restrictions on your email is an excellent way to prevent traffic from specific regions in the world to have traffic reaching your inbox. In the event of an email from an outside source, go through these quick checks if you think you have to respond to the email. Check the name of the email address that is reaching out to you. Often, these names will have obvious spelling errors in them, or they will try to mimic the name of someone within your organization to fool you into thinking they are someone you trust. If the email passes the first two checks and you happened to download an attachment in the email (we recommend never clicking on any attachments or links in emails before verifying the sender), you should go into your file explorer to check the download. You can expand a file by right-clicking and choosing the expand option. Then, the entire name of the downloaded file will be shown. If the file has .exe attached to the name of it, that indicates the file isn't harmless and could cause your computer to become infected opened. Overall, I wouldn't recommend downloading or opening any emails that mention COVID-19.

Written by Adam Voss

Adam Voss graduated from Maryville University with an emphasis on pen-testing. Currently, he works at TechGuard as a cybersecurity analyst. When he's not working on projects or expanding his knowledge in the field to get his certs, he can be found doing something that involves physical exercise or rooting for the cardinals or blues.