A phishing campaign preying on people’s curiosity about President Trump’s Covid-19 illness tricks individuals into clicking malicious links. Instead of the promised top-secret information regarding Donald Trump’s illness, the link downloads the BazarLoader backdoor trojan.
Phishing Campaign Exploits People’s Curiosity
The fact that US President Donald Trump was infected by Covid-19 and had to spend time in hospital on the weekend, made headlines worldwide. To capitalize on this interest, cybercriminals started a new phishing campaign that claims to have insider information on Trump’s illness.
The White House has provided very limited information on Trump’s health. This allowed cybercriminals to use the intrigue to tempt people into clicking on suspicious email links. Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, speaking to SC Media said: “It’s a really good lure when you think about it. There’s this angle of conspiracy and ‘the government is hiding things from you’ that causes people to click a lot of times.” By involving the US president, the current phishing campaign improves this strategy further.
“Social engineering always has some emotional hook,” DeGrippo said. In this instance the hook is “We’re letting you in on something,” she said.
Possible Ransomware Attacks
The phishing campaign has targeted hundreds of organizations, primarily based in the US and Canada. The campaign makes use of the BazarLoader (aka BazaLoader) backdoor trojan, which could then be used to launch ransomware attacks. It is believed that this trojan was created by the TrickBot group, a notorious malware supplier.
The campaign involves sending individuals emails claiming to provide top-secret information about the US president’s health. These emails contain a link to Google Docs, which prompts the user to download a Word document. However, the BazarLoader executable is downloaded instead of a document.
To deceive targeted users, Google Docs gives the impression that Google has scanned the file and deemed it safe. The email link also connects to the legitimate Google Docs domain, which most users would instinctively trust. Furthermore, email and web security solutions would be unlikely to block such a link.
Once installed, BazarLoader allows cybercriminals to remotely access the victim’s computer and from there compromise the rest of the network. Once an organization’s network has been compromised, cybercriminals can install malware such as Ryuk ransomware, which encrypts and exfiltrates data. Thus, the breach of a single computer turns into a corporate-wide attack. The same ransomware was used in a cyberattack on the Universal Health Services hospital chain last month.
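The lure described above hinges on a file that is advertised as a Word document but is actually a Windows executable. The following added example (not code from the article or from Proofpoint) shows the check a download gateway or endpoint script can apply: compare the extension the filename claims against the leading magic bytes of the content. The sample blobs and filenames are constructed for illustration.

```python
from pathlib import PurePosixPath

# Leading magic bytes for the content types this lure juggles (constructed lookup table).
SIGNATURES = (
    (b"MZ", "pe_executable"),                               # Windows PE: what the lure really delivers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole_document"),  # legacy .doc (OLE compound file)
    (b"PK\x03\x04", "zip_container"),                       # .docx is an OOXML ZIP archive
)

# Content types a given extension may legitimately carry.
EXPECTED = {".doc": {"ole_document"}, ".docx": {"zip_container"}, ".exe": {"pe_executable"}}
DOC_EXTS = {".doc", ".docx"}

def detect_type(data: bytes) -> str:
    """Classify a blob by its first bytes; 'unknown' when no signature matches."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"

def check_download(filename: str, data: bytes) -> str:
    """Return a verdict comparing the advertised filename with the actual content.

    'masquerade'       - document extension, executable content (the BazarLoader case)
    'double_extension' - e.g. report.doc.exe: a PE dressed up with a document name
    'mismatch'         - some other extension/content disagreement
    'ok'               - content matches extension
    'unknown'          - no signature matched; hand over to the AV engine
    """
    path = PurePosixPath(filename)
    ext = path.suffix.lower()
    inner_ext = PurePosixPath(path.stem).suffix.lower()  # second-to-last extension, if any
    observed = detect_type(data)
    if observed == "pe_executable" and ext in DOC_EXTS:
        return "masquerade"
    if observed == "pe_executable" and inner_ext in DOC_EXTS:
        return "double_extension"
    if observed == "unknown":
        return "unknown"
    expected = EXPECTED.get(ext)
    if expected is None or observed not in expected:
        return "mismatch"
    return "ok"

# Constructed samples: only the leading bytes matter for the signature check.
SAMPLES = {
    "Trump_medical_report.doc": b"MZ\x90\x00" + b"\x00" * 60,  # the lure: PE behind a .doc name
    "briefing.docx": b"PK\x03\x04" + b"\x00" * 60,              # genuine OOXML document
    "briefing.doc.exe": b"MZ\x90\x00" + b"\x00" * 60,           # double extension
    "notes.txt": b"just text",                                   # no signature to judge
}

def scan_samples() -> dict:
    """Run the check over every constructed sample and return filename -> verdict."""
    return {name: check_download(name, blob) for name, blob in SAMPLES.items()}
```

Because the check reads content rather than the filename or the hosting domain, it still fires when the file is served from a trusted site such as Google Docs.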
Phishing Campaign Potentially Uses Google Analytics
DeGrippo states that by using Google Docs, the cybercriminals can use Google’s online service analytics to analyze victim engagement metrics. This allows them to make the phishing campaign more effective by modifying it according to metrics results.
Furthermore, the cybercriminals involved in this campaign have used many different subject lines. This helps them to evade attempts to block the emails. DeGrippo said that this also helps the cybercriminals ascertain which subject line is more effective, the aim being to use the more effective subject line more frequently in future attacks.
From TrickBot to BazarLoader
The TrickBot group seems to have moved from using the highly detected TrickBot trojan to the more covert BazarLoader backdoor. This seems to be especially the case for high-value enterprise targets. Furthermore, this move is likely to be even more marked after the recent takedown of much of TrickBot’s botnet network.
“BazarBackdoor remains the covert malware relying upon minimal functionality while on the host producing high-value long-term infections due to its simplicity and external operation dependency to exploit more information later,” explained Advanced Intel security researchers.
Although an increase in the use of the BazarLoader backdoor over TrickBot is expected, researchers believe this would be used mainly for select targets. This is because exploiting backdoors requires more human interaction than the use of botnets. Consequently, researchers believe that TrickBot would continue to be utilized for mass attacks.
Recommended Mitigation Methods
First and foremost, security experts recommend that organizations use a secure email gateway that includes effective antimalware software against this phishing campaign. This helps ensure that phishing emails don’t make it into users’ inboxes in the first place.
Furthermore, organizations should educate their staff not to interact with emails sent from unknown sources, especially if the emails’ subject lines and content promise information on current events, such as the US presidential elections or Covid-19. Instead, users should seek out news on current events from the websites and TV stations of legitimate news outlets.