Threat Actors Capitalize on COVID-19 Vaccine News to Run Campaigns, AWS Abused to Host Malicious PDFs | Anomali

Key Findings

  • Malicious actors have targeted the vaccine supply chain and leaked materials stolen from the European Medicines Agency (EMA).
  • Phishing campaigns have evolved alongside the pandemic, with the latest observed themes being vaccine-related topics.
  • Users should remain cautious of possible phishing attacks delivered via email, text messages (SMS), or search results they click through.

Overview

Threat actors change and adapt their campaigns to mirror themes prevalent in the public eye. When they leverage high-urgency trends, their success levels rise. Since the beginning of the pandemic, Anomali has focused resources on detecting malicious cyber campaigns using COVID-19 themes. In this blog, Anomali Threat Research presents several malicious samples that represent simple tactics, techniques, and procedures (TTPs) used by actors in COVID-themed malspam campaigns. Less-sophisticated threat actors can be easier to monitor and block if the TTPs they use are well known.

New Discoveries

The majority of this research centers on analysis of known threat actors and indicators of compromise (IOCs). There are several samples that we believe are newly discovered by our researchers (we haven’t seen them discussed elsewhere). Among these are several malicious PDFs hosted on Amazon Web Services (AWS) and other hosting websites. We discuss this campaign below in the section “2.c. Alternative channel: Online PDF Search Engine Optimization (SEO)”, detailing samples with the titles “Adenovirus vector pdf” and “Illinois coronavirus october 15”.

Details

1. Targeted Supply Chain Attacks

On December 28, 2020, the US Treasury Department's Financial Crimes Enforcement Network (FinCEN) published a notice entitled “COVID-19 Vaccine-Related Scams and Cyberattacks.” That notice provided evidence of actors conducting scams that ask for a fee to provide potential victims with the vaccine sooner than permitted. Furthermore, FinCEN assessed that cybercriminals will likely continue to exploit the COVID-19 pandemic to target financial institutions, vaccine delivery operations, and vaccine manufacturing supply chains. FinCEN is aware of ransomware directly targeting vaccine research and has pushed for awareness of phishing schemes that lure victims with fraudulent information about COVID-19 vaccines.[1]

Other threats to vaccine research have been reported by US and European intelligence agencies. In December 2020, threat actors breached the European Medicines Agency (EMA) whilst it was in the COVID-19 vaccine evaluation process. On January 12, 2021, threat actors leaked a portion of the stolen materials relating to the Pfizer/BioNTech vaccine (Figure 1).[2] On the same day, in an unrelated event, the Director of the National Counterintelligence and Security Center (NCSC), William Evanina, confirmed the existence of threats from China and Russia to disrupt the US coronavirus vaccine supply chain.[3]

Figure 1 - Screenshot of the Files in the EMA Vaccine Breach

The publication of the EMA vaccine breach on RaidForums was taken down by forum administrators only to resurface on other platforms. Later, the EMA claimed that at least some of the leaked correspondence had “been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines.”[4]

2. Non-targeted Adoption by Phishing Campaigns

Below are three examples of COVID-19 vaccine-related phishing campaigns utilizing different delivery methods: email, SMS, and search engine traffic. As COVID-19 vaccination is a newsworthy topic, it would be consistent with observed activity for some threat actors to switch from previously used topics to COVID-19 to increase the likelihood of tricking victims into self-infection with malware.[5]

2.a. Typical Phishing Scenario: Vaccine and DHL

In December 2020, actors using the email address “smtp-fpcoh@tomlinfuneralsupply[.]com” were sending phishing emails with various topics that included:

Subject: DHL shipping document.

In January 2021, the same actors were detected by Proofpoint adding the COVID-19 vaccine theme to their DHL phishing (Figure 2):

Subject: COVID-19 vaccine distribution- Re-confirm your delivery address.[6]

Figure 2 - COVID-19 Vaccine DHL Phishing Email

They also included “/covid_19_vaccine_delivery/” in the phishing page’s URL (Figure 3).

Figure 3 - COVID-19 Vaccine DHL Phishing Page Auto-Fills Victim’s Email

2.b. Alternative channel: Smishing and NHS

While phishing attempts are most commonly observed through emails, another common attack vector is SMS. In the last week of December 2020 in the United Kingdom, a phishing campaign was observed wherein targeted individuals received a phishing link in a message sent to their phones (Figure 4).[7]

Figure 4 - Vaccine-Themed SMS with a Phishing Link

The linked phishing page (uk-application-form[.]com) asked users to provide banking information under the pretense of health officials identifying a patient (Figure 5). As of the publication of this paper, that website has been and remains offline.

Figure 5 - Phishing Site Spoofing NHS and Asking for Debit/Credit Card Information

2.c. Alternative channel: Online PDF Search Engine Optimization (SEO)

Threat actors use a variety of malicious documents, in addition to other methods, in attempts to distribute malware or steal information. Some actors also automate the creation of malicious documents by scraping news, corporate, and other websites for relevant contextual information that increases their chances of appearing legitimate.

As a part of this research, we recently analyzed a number of PDF files associated with an automated attack campaign. In this analysis, when we opened the file it displayed a basic captcha shown in Figure 6. Scrolling down the PDF, we found a blurb of text, including various popular keywords, that appeared to have been scraped off the Internet. This likely indicates the low sophistication of the actors and process behind the file’s creation. At the end of these PDF files, there were clickable links to other malicious PDFs by the same actors.

Malicious files such as these PDFs have been observed in the wild on a large scale. They are often hosted on cloud services such as Amazon Web Services or upload sites including but not limited to weebly[.]com and strikinglycdn[.]com. For example, one such PDF discusses the “clinical trial of its Ad5-based COVID-19 vaccine”. It has MD5 hash de56cbee83eafb1ee4f6ff1fa38c696e and is hosted on Amazon Web Services at hxxps://s3.amazonaws[.]com/zonivezada/adenovirus_vector.pdf (Figure 6).

Figure 6 - Malicious “Adenovirus vector” PDF: Captcha-Like Prompt

If the captcha image or surrounding area is clicked by a user, it triggers a URL opening and a series of conditional redirects leading to spam pages or a malware payload (Figure 7).

Figure 7 - Redirecting to .EXE Payload

The malicious PDF uses COVID-19 vaccine-related metadata:

/Subject (Adenovirus vector pdf. Credit: CanSino Biologics CanSino Biologics began a clinical trial of its Ad5-based COVID-19 vaccine)

And the initial observed URL before multiple redirects to the malicious executable payload was:

hxxps://ttraff[.]cc/aws?keyword=adenovirus+vector+pdf

Several malicious domains, URLs, and PDF hashes involved in this campaign are listed at the end of this report. Some URLs, such as traffnew[.]ru/wb?keyword=illinois%20coronavirus%20october%2015, even include vaccine keywords. Other samples utilize vaccine keywords as part of the generic scraped text in the middle of the PDF document.
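
The traits described in this section (search-keyword metadata plus a clickable link that carries the same keyword to a redirector) can be checked statically. The sketch below is an added example, not Anomali's tooling: the sample bytes and hosts are constructed, and it assumes uncompressed PDF objects (objects stored in compressed streams would need a real PDF parser first).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: uncompressed PDF objects modelled on the lure described
# above; the hosts are placeholders, not indicators from this report.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Subject (Adenovirus vector pdf. Credit: CanSino Biologics) >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI "
    b"/URI (https://redirector.example/aws?keyword=adenovirus+vector+pdf) >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://vendor.example/docs/manual.html) >> >> endobj\n"
)

LITERAL = rb"\(((?:\\.|[^\\()])*)\)"  # PDF literal string, no nested parentheses
URI_RE = re.compile(rb"/URI\s*" + LITERAL)
META_RE = re.compile(rb"/(?:Subject|Title)\s*" + LITERAL)


def words(text):
    """Lower-cased alphanumeric tokens of a string."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def triage_pdf(data, param="keyword", min_overlap=0.6):
    """Return link URIs whose `param` value echoes the document's own metadata."""
    meta = set()
    for m in META_RE.finditer(data):
        meta |= words(m.group(1).decode("latin-1"))
    hits = []
    for m in URI_RE.finditer(data):
        uri = m.group(1).decode("latin-1")
        parts = urlsplit(uri)
        for value in parse_qs(parts.query).get(param, []):
            kw = words(value)
            if kw and len(kw & meta) / len(kw) >= min_overlap:
                hits.append({"uri": uri, "host": parts.hostname, "keyword": value})
    return hits


if __name__ == "__main__":
    for hit in triage_pdf(SAMPLE_PDF):
        print("suspicious link:", hit["host"], "keyword =", hit["keyword"])
```

A hit is a triage signal for analyst review, not a verdict; the link host still has to be checked against reputation data.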

Recommendations 

  • Use caution when offered vaccine-related information or services from an unknown source
  • Monitor for fake COVID-19-tracing apps, including those previously reported on by Anomali[8]
  • Take extra care when a PDF or MS Office document contains a captcha, as this is a strong indicator of risk within that document
  • Emails addressed in an overly formal manner (“Dear Sir” or “Dear Madam,” for instance) or with language that appears to be a strained form of English should be considered suspicious
  • Inspect the sending email address in the header to ensure the address matches with the purported sender. For example, if the name says “DHL Express” but the sending domain is a totally different company (smtp-fpcoh@tomlinfuneralsupply[.]com), that would be a red flag
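
The sender check in the last recommendation can be automated at the mail gateway or in a triage script. This is an added example, not part of the original report: the brand-to-domain map is an assumption the defender maintains, and the sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Assumption: brand keyword -> domains that brand legitimately sends from.
BRAND_DOMAINS = {"dhl": {"dhl.com", "dhl.de"}}

# Constructed From headers (placeholder domains).
SAMPLES = [
    "DHL Express <smtp-relay@funeral-supplies.example>",
    "DHL Express <noreply@mail.dhl.com>",
    "DHL Express <noreply@dhl.com.tracking.example>",
    "Jane Doe <jane@corp.example>",
]


def domain_matches(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_from(header):
    """Flag a From header whose display name claims a brand the domain does not back."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    tokens = set(re.findall(r"[a-z0-9]+", name.lower()))
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in tokens and not domain_matches(domain, allowed):
            findings.append(
                f"display name claims '{brand}' but sender domain is '{domain}'"
            )
    return findings


if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_from(header) or "ok")
```

The suffix comparison is anchored on a dot, so a lookalike such as `dhl.com.tracking.example` is flagged rather than accepted.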

IOCs

For more indicators, ThreatStream users can add our custom COVID-19 dashboard:

Figure 8 - Adding Custom Dashboard in ThreatStream

ThreatStream / Dashboard / + Add Dashboard / Add Existing / COVID-19 Indicators / Add.[9]

Endnotes

[1]  FinCEN, Notice FIN-2020-NTC4 “COVID-19 Vaccine-Related Scams and Cyberattacks,” FinCEN COVID-19-Related Notices, accessed December 30, 2020, published December 28, 2020, https://www.fincen.gov/sites/default/files/shared/COVID-19%20Vaccine%20Notice%20508.pdf.

[2] European Medicines Agency, “Cyberattack on EMA - update 4,” News, accessed January 20, 2021, published January 12, 2021, https://www.ema.europa.eu/en/news/cyberattack-ema-update-4.

[3] Jonathan Landay, “U.S. counter-intelligence chief worried about China, Russia threats to vaccine supply chain,” Reuters, accessed January 13, 2021, published January 12, 2021, reuters.com/article/health-coronavirus-vaccine-threats/update-2-us-counter-intelligence-chief-worried-about-china-russia-threats-to-vaccine-supply-chain-idUSL1N2JN2FW.

[4] European Medicines Agency, “Cyberattack on EMA - update 5,” News, accessed January 20, 2021, published January 15, 2021, https://www.ema.europa.eu/en/news/cyberattack-ema-update-5.

[5] Roberto Sanchez, “COVID-19 Attacks – Defending Your Organization,”  Anomali Blog, accessed January 21, 2021, published October 15, 2020, https://www.anomali.com/blog/covid-19-attacks-defending-your-organization.

[6] The Proofpoint Threat Research Team, “Attackers Use COVID-19 Vaccine Lures to Spread Malware, Phishing, and BEC,” Proofpoint, accessed January 15, 2021, published January 14, 2021, https://www.proofpoint.com/us/blog/threat-insight/attackers-use-covid-19-vaccine-lures-spread-malware-phishing-and-bec.

[7] Spotted Torquay. scam report, Facebook group, accessed January 12, 2021, published December 29, 2020, https://www.facebook.com/285306074936244/posts/please-post-this-is-a-scam-this-message-was-just-sent-to-me-when-you-click-on-it/2168529156613917/.

[8] Anomali Threat Research, “Anomali Threat Research Identifies Fake COVID-19 Contact Tracing Apps Used to Download Malware that Monitors Devices, Steals Personal Data,” Anomali Blog, accessed January 21, 2021, published June 10, 2020, https://www.anomali.com/blog/anomali-threat-research-identifies-fake-covid-19-contact-tracing-apps-used-to-monitor-devices-steal-personal-data.

[9] Anomali, ThreatStream Dashboard, https://ui.threatstream.com/dashboard?type=overview.
