February 2, 2021 - Anomali Threat Research

Threat Actors Capitalize on COVID-19 Vaccine News to Run Campaigns, AWS Abused to Host Malicious PDFs

<h2>Key Findings</h2> <ul> <li>Malicious actors have targeted the vaccine supply chain and leaked materials stolen from the European Medicines Agency (EMA).</li> <li>Phishing campaigns have evolved alongside the pandemic, with the latest observed themes being vaccine-related topics.</li> <li>Users should remain cautious of phishing delivered via email, text messages (SMS), or links reached through search results.</li> </ul> <h2>Overview</h2> <p>Threat actors change and adapt their campaigns to mirror themes prevalent in the public eye. When they leverage high-urgency trends, their success rates rise. Since the beginning of the pandemic, Anomali has focused resources on detecting malicious cyber campaigns that use COVID-19 themes. In this blog, Anomali Threat Research presents several malicious samples that represent simple tactics, techniques, and procedures (TTPs) used by actors in COVID-themed malspam campaigns. Less-sophisticated threat actors are easier to monitor and block when the TTPs they use are well known.</p> <h2>New Discoveries</h2> <p>The majority of this research centers on analysis of known threat actors and indicators of compromise (IOCs). Several samples, however, we believe are newly discovered by our researchers (we have not seen them discussed elsewhere). Among these are several malicious PDFs hosted on Amazon Web Services (AWS) and other hosting websites. We discuss this campaign below in section “2.c. Alternative channel: Online PDF Search Engine Optimization (SEO)”, detailing samples with the titles “Adenovirus vector pdf” and “Illinois coronavirus october 15”.</p> <h2>Details</h2> <h3>1. 
Targeted Supply Chain Attacks</h3> <p>On December 28, 2020, the US Treasury Department's Financial Crimes Enforcement Network (FinCEN) published a notice entitled “COVID-19 Vaccine-Related Scams and Cyberattacks.” That notice documented actors running scams that asked for a fee to provide potential victims with the vaccine sooner than permitted. Furthermore, FinCEN assessed that cybercriminals will likely continue to exploit the COVID-19 pandemic to target financial institutions, vaccine delivery operations, and vaccine manufacturing supply chains. FinCEN is aware of ransomware directly targeting vaccine research and has pushed for awareness of phishing schemes that lure victims with fraudulent information about COVID-19 vaccines.<sup>[1]</sup></p> <p>Other threats to vaccine research have been reported by US and European authorities. In December 2020, threat actors breached the European Medicines Agency (EMA) while it was evaluating COVID-19 vaccines. On January 12, 2021, threat actors leaked a portion of the stolen materials relating to the Pfizer/BioNTech vaccine (Figure 1).<sup>[2]</sup> On the same day, in an unrelated event, the Director of the National Counterintelligence and Security Center (NCSC), William Evanina, confirmed the existence of threats from China and Russia to disrupt the US coronavirus vaccine supply chain.<sup>[3]</sup></p> <p style="text-align: center;"><em><strong><img alt="Screenshot of the Files in the EMA Vaccine Breach" src="https://cdn.filestackcontent.com/oeDUnqORiOpIn1ng3L9Q"/><br/> Figure 1</strong> – Screenshot of the Files in the EMA Vaccine Breach</em></p> <p>The publication of the EMA vaccine breach on RaidForums was taken down by forum administrators, only to resurface on other platforms. 
Later, the EMA stated that at least some of the leaked correspondence had “been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines.”<sup>[4]</sup></p> <h3>2. Non-targeted Adoption by Phishing Campaigns</h3> <p>Below are three examples of COVID-19 vaccine-related phishing campaigns using different delivery methods: email, SMS, and search engine traffic. As COVID-19 vaccination is a newsworthy topic, it is consistent with observed activity for some threat actors to switch from previously used topics to COVID-19 to increase the likelihood of tricking victims into infecting themselves with malware.<sup>[5]</sup></p> <h4>2.a. Typical Phishing Scenario: Vaccine and DHL</h4> <p>In December 2020, actors using the email address “smtp-fpcoh@tomlinfuneralsupply[.]com” were sending phishing emails with various subjects, including:</p> <p style="text-align: center;">“<em>Subject: DHL shipping document.</em>”</p> <p>In January 2021, Proofpoint observed the same actors adding a COVID-19 vaccine theme to their DHL phishing (Figure 2):</p> <p style="text-align: center;">“<em>Subject: COVID-19 vaccine distribution- Re-confirm your delivery address.</em>”<sup>[6]</sup></p> <p style="text-align: center;"><em><strong><img alt="COVID-19 Vaccine DHL Phishing Email" src="https://cdn.filestackcontent.com/RmXSdxHiT9uI6HeelwTw"/><br/> Figure 2</strong> - COVID-19 Vaccine DHL Phishing Email</em></p> <p>They also included “/covid_19_vaccine_delivery/” in the phishing page’s URL (Figure 3). The IOC list at the end of this report includes a variant of that URL with an <em>lo=</em> query parameter carrying a base64-encoded value; phishing kits commonly use such a parameter to pre-fill the victim’s address on the credential form, which is the behaviour shown in Figure 3.</p> <p style="text-align: center;"><em><strong><img alt="COVID-19 Vaccine DHL Phishing Page Auto-Fills Victim’s Email" src="https://cdn.filestackcontent.com/qTwCGUwRqS4MhFNyOAXv"/><br/> Figure 3</strong> - COVID-19 Vaccine DHL Phishing Page Auto-Fills Victim’s Email</em></p> <h4>2.b. Alternative channel: Smishing and NHS</h4> <p>While phishing attempts are most commonly observed through email, another common attack vector is SMS. 
In the last week of December 2020, a phishing campaign was observed in the United Kingdom in which targeted individuals received a phishing link in a text message (Figure 4).<sup>[7]</sup></p> <p style="text-align: center;"><em><strong><img alt="Vaccine-Themed SMS with a Phishing Link" src="https://cdn.filestackcontent.com/GLJG5VhZSZue3OfDNsNa"/><br/> Figure 4</strong> - Vaccine-Themed SMS with a Phishing Link</em></p> <p>The linked phishing page (uk-application-form[.]com) asked users to provide banking information under the pretense that health officials needed to identify the patient (Figure 5). As of publication, that website is offline.</p> <p style="text-align: center;"><em><strong><img alt="Phishing Site Spoofing NHS and Asking for Debit/Credit Card Information" src="https://cdn.filestackcontent.com/vPNA53FVS7mexluG3Yp2"/><br/> Figure 5</strong> - Phishing Site Spoofing NHS and Asking for Debit/Credit Card Information</em></p> <h4>2.c. Alternative channel: Online PDF Search Engine Optimization (SEO)</h4> <p>Threat actors use a variety of malicious documents, among other methods, in attempts to distribute malware or steal information. Some actors also automate the creation of malicious documents, scraping news, corporate, and other websites for relevant contextual text that increases the documents’ chances of appearing legitimate.</p> <p>As part of this research, we recently analyzed a number of PDF files associated with an automated attack campaign. When opened, each file displayed a basic captcha-like prompt (Figure 6). Scrolling down the PDF, we found a blurb of text, including various popular keywords, that appeared to have been scraped from the Internet. This likely indicates the low sophistication of the actors and of the process behind the file’s creation. 
At the end of these PDF files were clickable links to other malicious PDFs by the same actors.</p> <p>Malicious files such as these PDFs have been observed in the wild at large scale. They are often hosted on cloud services such as Amazon Web Services or on upload sites including, but not limited to, weebly[.]com and strikinglycdn[.]com. For example, one such PDF discusses the “clinical trial of its Ad5-based COVID-19 vaccine”. It has MD5 hash de56cbee83eafb1ee4f6ff1fa38c696e and is hosted on Amazon Web Services at hxxps://s3.amazonaws[.]com/zonivezada/adenovirus_vector.pdf (Figure 6).</p> <p style="text-align: center;"><em><strong><img alt="Malicious “Adenovirus vector” PDF: Captcha-Like Prompt" src="https://cdn.filestackcontent.com/I4iMud3RQxyLlMZxfWzG"/><br/> Figure 6</strong> - Malicious “Adenovirus vector” PDF: Captcha-Like Prompt</em></p> <p>If a user clicks the captcha image or the surrounding area, the PDF opens a URL that starts a series of conditional redirects leading to spam pages or a malware payload (Figure 7).</p> <p style="text-align: center;"><em><strong><img alt="Redirecting to .EXE Payload" src="https://cdn.filestackcontent.com/smN6jTBbT0mRv0N4Zjve"/><br/> Figure 7 </strong>- Redirecting to .EXE Payload</em></p> <p>The malicious PDF uses COVID-19 vaccine-related metadata:</p> <p style="text-align: center;"><em>/Subject (Adenovirus vector pdf. Credit: CanSino Biologics CanSino Biologics began a clinical trial of its Ad5-based COVID-19 vaccine)</em></p> <p>The initial URL observed, before the multiple redirects to the malicious executable payload, was:</p> <p style="text-align: center;"><em>hxxps://ttraff[.]cc/aws?keyword=adenovirus+vector+pdf</em></p> <p>Several malicious domains, URLs, and PDF hashes involved in this campaign are listed at the end of this report. Some URLs, such as traffnew[.]ru/wb?keyword=illinois%20coronavirus%20october%2015, carry pandemic keywords in the query string itself; the <em>keyword</em> value matches the search term the PDF was built for, which suggests the redirector domain, rather than any single document, is the durable indicator to block. 
Other samples use vaccine keywords only as part of the generic scraped text in the middle of the PDF document.</p> <h2>Recommendations</h2> <ul> <li>Use caution when offered vaccine-related information or services from an unknown source</li> <li>Monitor for fake COVID-19-tracing apps, including those previously reported on by Anomali<sup>[8]</sup></li> <li>Take extra care when a PDF or MS Office document contains a captcha, as this is a strong indicator of risk within that document</li> <li>Emails addressed in an overly formal manner (“Dear Sir” or “Dear Madam,” for instance) or with language that appears to be a strained form of English should be considered suspicious</li> <li>Inspect the sending email address in the header to ensure the address matches the purported sender. For example, if the name says “DHL Express” but the sending domain is a totally different company (smtp-fpcoh@tomlinfuneralsupply[.]com), that would be a red flag</li> </ul> <h2>IOCs</h2> <p>uk-application-form[.]com<br/> thithoal[.]com<br/> productmusics[.]com<br/> ttraff[.]cc<br/> trafficel[.]ru<br/> traffnew[.]ru<br/> cctraff[.]ru<br/> gettraf[.]ru</p> <p>hxxps://traffnew[.]ru/wb?keyword=illinois%20coronavirus%20october%2015<br/> hxxps://ttraff[.]cc/aws?keyword=adenovirus+vector+pdf<br/> hxxp://putrajayagemilang[.]com/covid_19_vaccine_delivery/dh<br/> hxxp://putrajayagemilang[.]com/covid_19_vaccine_delivery/dh?lo=dmVydHJpZWJAaGVpbi5ldQ<br/> hxxps://robotcheckion[.]online/?p=mjtdkyjxmu5gi3bpgi4dqnru&amp;sub1=aws&amp;sub3=14vnqgojhe60&amp;sub4=adenovirus+vector+pdf<br/> hxxps://s3.amazonaws[.]com/zonivezada/adenovirus_vector.pdf<br/> hxxps://situnege.weebly[.]com/uploads/1/3/4/5/134578036/jetatugatuxifu.pdf</p> <p>de56cbee83eafb1ee4f6ff1fa38c696e<br/> 9e719a17220c4d93818c356acf9aac13<br/> 070af4c8b6dec6ec5253c217169b7fd7<br/> 72dc2b505d79acc243474d455388d306<br/> 86d64653b44668230032ce393f2a05a4<br/> 55482110d6874042319c01c03f872d1b<br/> 603cecc32e58d46fb8dbe2d834ba1f25<br/> 
cecb7a2829c0ab8abf25753058c25a99<br/> 88a23a328868b1515fbc9ad27d7bd674<br/> 24fc39e0403e0909a8135e5c3e10f85f<br/> d07d3c112e861fa8b7709537431d6191<br/> 564c70749f6541e770e8e1697bae7974</p> <p>smtp-fpcoh@tomlinfuneralsupply[.]com</p> <p>For more indicators, ThreatStream users can add our custom COVID-19 dashboard:</p> <p style="text-align: center;"><em><strong><img alt="Adding Custom Dashboard in ThreatStream" src="https://cdn.filestackcontent.com/SJWrIXnnTaePazAFLVNn"/><br/> Figure 8</strong> - Adding Custom Dashboard in ThreatStream</em></p> <p>ThreatStream / Dashboard / + Add Dashboard / Add Existing / COVID-19 Indicators / Add.<sup>[9]</sup></p> <h2>Endnotes</h2> <p><sup>[1]</sup> FinCEN, Notice FIN-2020-NTC4 “COVID-19 Vaccine-Related Scams and Cyberattacks,” FinCEN COVID-19-Related Notices, accessed December 30, 2020, published December 28, 2020, https://www.fincen.gov/sites/default/files/shared/COVID-19%20Vaccine%20Notice%20508.pdf.</p> <p><sup>[2]</sup> European Medicines Agency, “Cyberattack on EMA - update 4,” News, accessed January 20, 2021, published January 12, 2021, https://www.ema.europa.eu/en/news/cyberattack-ema-update-4.</p> <p><sup>[3]</sup> Jonathan Landay, “U.S. 
counter-intelligence chief worried about China, Russia threats to vaccine supply chain,” Reuters, accessed January 13, 2021, published January 12, 2021, reuters.com/article/health-coronavirus-vaccine-threats/update-2-us-counter-intelligence-chief-worried-about-china-russia-threats-to-vaccine-supply-chain-idUSL1N2JN2FW.</p> <p><sup>[4]</sup> European Medicines Agency, “Cyberattack on EMA - update 5,” News, accessed January 20, 2021, published January 15, 2021, https://www.ema.europa.eu/en/news/cyberattack-ema-update-5.</p> <p><sup>[5]</sup> Roberto Sanchez, “COVID-19 Attacks – Defending Your Organization,” Anomali Blog, accessed January 21, 2021, published October 15, 2020, https://www.anomali.com/blog/covid-19-attacks-defending-your-organization.</p> <p><sup>[6]</sup> The Proofpoint Threat Research Team, “Attackers Use COVID-19 Vaccine Lures to Spread Malware, Phishing, and BEC,” Proofpoint, accessed January 15, 2021, published January 14, 2021, https://www.proofpoint.com/us/blog/threat-insight/attackers-use-covid-19-vaccine-lures-spread-malware-phishing-and-bec.</p> <p><sup>[7]</sup> Spotted Torquay, scam report, Facebook group, accessed January 12, 2021, published December 29, 2020, https://www.facebook.com/285306074936244/posts/please-post-this-is-a-scam-this-message-was-just-sent-to-me-when-you-click-on-it/2168529156613917/.</p> <p><sup>[8]</sup> Anomali Threat Research, “Anomali Threat Research Identifies Fake COVID-19 Contact Tracing Apps Used to Download Malware that Monitors Devices, Steals Personal Data,” Anomali Blog, accessed January 21, 2021, published June 10, 2020, https://www.anomali.com/blog/anomali-threat-research-identifies-fake-covid-19-contact-tracing-apps-used-to-monitor-devices-steal-personal-data.</p> <p><sup>[9]</sup> Anomali, ThreatStream Dashboard, https://ui.threatstream.com/dashboard?type=overview.</p>
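<p>The captcha-lure PDFs in section 2.c are simple enough that the two things worth pulling out for triage, the themed <em>/Subject</em> metadata and the <em>/URI</em> link action behind the captcha image, can be read straight from the file bytes. The script below is an added example written for this page, not tooling from the Anomali report. It assumes the PDF objects are uncompressed (compressed object streams need a real PDF parser first); the keyword list is illustrative, the domain set is copied from the IOCs above, and the sample PDF is constructed inline around the /Subject text and the initial ttraff[.]cc URL quoted in that section, so nothing is fetched.</p>

```python
"""Triage helper for the captcha-lure PDFs described in section 2.c.

Added example, not tooling from the Anomali report. It scans raw PDF
bytes for the /Subject metadata string and for /URI link actions, then
flags the file when the link or subject carries pandemic keywords or
the link points at one of the traffic-distribution domains listed in
the IOCs. Assumption: the objects are uncompressed (true of the simple,
auto-generated lures described above; compressed object streams would
need a real PDF parser first).
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Illustrative keyword list; the domains are copied from the report's IOCs.
KEYWORDS = ("covid", "coronavirus", "vaccine", "adenovirus", "pfizer")
IOC_DOMAINS = {
    "ttraff.cc", "traffnew.ru", "trafficel.ru", "cctraff.ru", "gettraf.ru",
    "robotcheckion.online", "thithoal.com", "productmusics.com",
}

# PDF literal strings are written as (...) with backslash escapes; these
# patterns stop at the first unescaped closing parenthesis.
_SUBJECT = re.compile(rb"/Subject\s*\(((?:\\.|[^\\)])*)\)", re.S)
_URI = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def _unescape(raw: bytes) -> str:
    """Undo the PDF string escapes these lures use and decode as Latin-1."""
    out = re.sub(rb"\\([()\\])", rb"\1", raw)        # \( \) \\ -> ( ) \
    out = out.replace(b"\\n", b"\n").replace(b"\\r", b"\r")
    return out.decode("latin-1")


def extract_subject(pdf: bytes) -> Optional[str]:
    """Return the /Subject metadata string, or None if absent."""
    m = _SUBJECT.search(pdf)
    return _unescape(m.group(1)) if m else None


def extract_uris(pdf: bytes) -> List[str]:
    """Return every /URI action target found in the file, in order."""
    return [_unescape(m) for m in _URI.findall(pdf)]


def seo_keywords(uris: List[str]) -> List[str]:
    """Collect the 'keyword=' query values the redirector URLs carry."""
    found: List[str] = []
    for u in uris:
        found.extend(parse_qs(urlsplit(u).query).get("keyword", []))
    return found


def triage(pdf: bytes) -> Dict[str, object]:
    """Extract subject and links, then score the file against the IOCs."""
    subject = extract_subject(pdf) or ""
    uris = extract_uris(pdf)
    haystack = [subject.lower()] + [u.lower() for u in uris]
    keyword_hits = sorted(k for k in KEYWORDS if any(k in h for h in haystack))
    hosts = [urlsplit(u).hostname for u in uris]
    ioc_hits = sorted({h for h in hosts if h in IOC_DOMAINS})
    return {
        "subject": subject,
        "uris": uris,
        "seo_keywords": seo_keywords(uris),
        "keyword_hits": keyword_hits,
        "ioc_domain_hits": ioc_hits,
        # A themed subject alone is not evidence; require an outbound link
        # too, or a link into known redirector infrastructure.
        "suspicious": bool(keyword_hits and uris) or bool(ioc_hits),
    }


# Constructed sample mirroring the "Adenovirus vector" lure: the /Subject
# text and the initial ttraff[.]cc URL are those quoted in the report; the
# page, annotation and object layout are made up. Nothing is fetched.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 500 700]
  /A << /S /URI /URI (https://ttraff.cc/aws?keyword=adenovirus+vector+pdf) >> >> endobj
5 0 obj << /Title (Adenovirus vector pdf)
  /Subject (Adenovirus vector pdf. Credit: CanSino Biologics CanSino Biologics began a clinical trial of its Ad5-based COVID-19 vaccine) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

# Constructed benign control: ordinary metadata, link to a non-IOC host.
BENIGN_PDF = b"""%PDF-1.4
5 0 obj << /Subject (Quarterly report) >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com/report.pdf) >> >> endobj
%%EOF
"""

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(name, triage(blob))
```

<p>Run it directly to see both verdicts printed; in practice, point <em>triage()</em> at files retrieved from the hosting URLs in the IOC list. The verdict deliberately requires an outbound link in addition to themed metadata, because scraped pandemic text is exactly what these actors add to look legitimate and it also appears in plenty of benign documents; a link into one of the redirector domains is treated as sufficient on its own, since that infrastructure is shared across lures with different keywords.</p>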
