A few days ago, on the 27th of March, industry reporting signalled a new campaign of Covid-19/ coronavirus-themed spear phishing attacks that illegitimately uses the WHO (World Health Organization) mark, to spread another variant of the info-stealer Lokibot, in order to steal personal data and confidential information from the victims of the attack.
This is not the first time that this particular malware has appeared, in fact numerous versions, all derived from the original source code, have already been identified. The most disparate methods were also used for what concerns the means of distribution.
This spear phishing campaign has already spread rapidly in different parts of the world, especially in Turkey (29%), Portugal (19%) and Germany (12%). Fortunately, it’s still not widespread in Italy (<1%). But it’s necessary to pay close attention because the situation is constantly evolving.
Brief analysis of the Covid-19 themed spear phishing email
Here we will briefly see the characteristics of the e-mail message released in this new spear phishing campaign. First of all, the e-mail contains this phrase in the subject line: Coronavirus disease (COVID-19) Important Communication [.]. An attachment apparently containing more information is also visible, and this is where the malware vector it’s actually contained. The following image shows what the message looks like:
The email has an alias on the sender’s header that refers to WHO Centers for Disease Control.
As far as the body of the message is concerned, this is focused on the problem of misinformation about the coronavirus pandemic, which the WHO intends to contrast with the attached guide document. As highlighted by the analysts themselves, if you read the text carefully, you can identify grammatical and spelling errors in written English that could help you identify its fraudulent nature.
Finally, the e-mail attachment is a compressed file with an .arj extension (Archived Robert Jung): it is a rather rare compression format, probably used by the attackers to deceive the victims, presenting them a different format than those usually reported as suspicious in the alerts.
Once the attachment is open, the target device is infected by the Lokibot infostealer, which is capable of extracting various types of credentials (FTP, e-mail and browser, among others) and sending them to a command and control localized server at hxxp: [.] // bslines xyz / Copy / five / fre.php.
Some advice for prevention
To counter phishing, spear phishing and malspam campaigns similar to the one described above, it is useful that companies and staff follow some good practices that can allow them to block threats proactively, preventing them to reach their targets.
Keeping constantly updated antivirus software and any other protection tool and raising awareness among all company staff through security awareness training cycles, for example, are two simple measures that are often enough to avoid the worst damage to the company.