Business email compromise (BEC) attackers from Nigeria were discovered targeting COVID-19 research bodies, pandemic response services and government healthcare institutions in order to obtain fraudulent wire transfer payments and to install malware.
Researchers from Palo Alto Networks' Unit 42 team attributed the attacks to a cybercriminal group named SilverTerrier. SilverTerrier threat actors were especially active last year. Since 2014, the group has conducted around 2.1 million BEC attacks. Last year, SilverTerrier carried out 92,739 attacks every month, with June seeing the most activity at 245,637 attacks.
The group was observed exploiting vulnerability CVE-2017-11882 in Microsoft Office to install malware, although most often the group uses spear phishing emails to target individuals in the finance department. Using standard phishing lures such as phony invoices and payment advice notices, recipients are tricked into opening malicious email attachments that trigger the malware installation. SilverTerrier uses several malware families, including information stealers (PredatorPain, Lokibot, and Pony) and remote administration tools, to maintain persistent access to breached systems. The gang uses the malware to steal sensitive information and to gain access to payroll systems and bank accounts. BEC attacks are likewise carried out to obtain fraudulent wire transfer payments.
In the past 3 months, Unit 42 researchers observed three of the group's threat actors and identified them as the operators behind the 10 COVID-19-related malware campaigns against healthcare organizations responding to COVID-19 cases in Italy, Australia, Canada, the U.S. and the U.K.
The most recent targets were local and regional governments, government medical organizations, insurance companies, research companies, medical publishing businesses, and universities with medical courses and medical facilities. The researchers tracked 170 unique phishing emails, including some related to supplies of personal protective equipment and face masks.
According to Palo Alto Networks, SilverTerrier attacks increased by 172% in 2019, and the attacks will probably not decrease in 2020. Consequently, government agencies, public utility providers, medical and insurance providers, and universities with medical courses must be more careful with COVID-19-related email messages that carry attachments. Since the attacks are generally carried out through email, the most important security measure is training employees to recognize spear-phishing emails. In addition, advanced spam filtering software should be used to keep spam out of inboxes. It is also important to check systems for the CVE-2017-11882 Microsoft Office vulnerability and to apply patches right away.