Any catastrophe is an opportunity for cybercriminals, and coronavirus/COVID-19 is no exception. Given public concern about the pandemic, it is no wonder that recent reports have highlighted a number of COVID-19 threats. Thousands of dodgy domains referencing coronavirus, COVID-19, Wuhan virus, hydroxychloroquine, and so forth have been registered. This proliferation challenges defenders and the threat intel community to sift through the IOC chaff and identify the true threats.
The HYAS Intelligence team regularly tracks adversaries, and the COVID-19 pandemic has become fertile territory for both nation-state and financially motivated adversaries, including the team we investigated. In addition to their own direct campaigns, this particular actor group also provides various fraud-as-a-service offerings to other adversaries, helping facilitate and instantly scale the campaigns of other cybercriminals.
Operating very much as a business, they have horizontally integrated services, including bulletproof hosting and large-scale SMS services, to further support their customers’ malicious activity. The HYAS Intelligence team has uncovered around 40 different accounts used by the principals of this group, some belonging to carding or crime forums and others to legitimate services. The COVID-19 themed campaign was a departure from this group’s significant focus on attacks against the UK’s HM Revenue and Customs (the UK government tax, payments and customs authority) and its ongoing attempts against a number of UK wireless providers.
In this campaign, the actor group delivered tens of thousands of messages that included a phishing URL soliciting donations to the “PayPal Giving Fund” purportedly benefiting the US Centers for Disease Control and Prevention (CDC). The objective of the attack was to collect banking credentials and credit card data, along with supporting victim information and billing details to be resold on criminal forums to a host of other actors. The phishing kit and other indicators enabled HYAS to tie seemingly disparate infrastructure and tools to a single group of threat actors. We also gathered evidence about how the perpetrators moved their illicit profits.
Threats capitalizing on COVID-19 events are particularly infuriating; it is despicable that someone might use a global calamity to profit criminally. While we see a lot of campaigns that are heinous in one way or another, this one was particularly repugnant and led us to take a particular interest in this actor group.
As enterprise threat analysts know all too well, threat actors tend to return to the same enterprise targets. By understanding your adversaries, you can better enumerate their infrastructure and track it as it evolves. This intelligence puts you in a much stronger position to mitigate risk and the damage they try to inflict. HYAS Insight provides the threat and attribution intelligence to stay ahead of your adversaries. Please feel free to reach out if you’d like to learn how we can help you track and identify your adversaries so you can disrupt them.