


Hackers Attack Microsoft Windows Users: Dangerous Threat Group Exploits ‘COVID-19 Fear’


Following reports that China has been caught hacking foreign governments with specially crafted COVID-19 Microsoft Office documents, here comes further evidence that the tactic is now in routine use. If you’re in the spy business, nothing beats a crisis—it’s what Malwarebytes describes as “a golden opportunity for threat actors to capitalize on fear, spread misinformation, and generate mass hysteria.”

As I reported last week, COVID-19 confusion among the general public is amplified within government departments, providing the perfect opening for threat actors to push fake communications to stressed officials. There is no more business as usual, and so Microsoft Office attachments that might usually arouse suspicion now get through. Headline an email “COVID-19” or “Coronavirus,” spoof the sender to be a friendly government department, and you have a chance to slip the security net.

The latest government campaign to come to light has been attributed to a hacking group sponsored by the Pakistani government, one targeting India for information that may provide military advantage in the conflict between the two nations. First disclosed by the Red Drip team on March 12, the attack spoofs messages from the Indian government to phish for information that could expose India to further attack.

This is the same basic risk as we’re seeing more broadly. Millions of us are now receiving malicious coronavirus emails, and on March 16, the U.K.’s National Cyber Security Centre, part of spy agency GCHQ, warned the public “that criminals are exploiting coronavirus online—as cyber criminals seek to exploit COVID-19.”

“Techniques seen since the start of the year,” NCSC says, “include bogus emails with links claiming to have important updates, which once clicked on lead to devices being infected. These ‘phishing’ attempts have been seen in several countries and can lead to loss of money and sensitive data.”

This was exactly the method used in the reported attack on India, attributed to APT36, a group described by Malwarebytes as “a Pakistani state-sponsored threat actor mainly targeting the defense, embassies, and the government of India.” The latest Microsoft Windows attack “is either a malicious macro document or an rtf file exploiting vulnerabilities, such as CVE-2017-0199,” which “allows remote attackers to execute arbitrary code via a crafted document.” Note that Microsoft patched CVE-2017-0199 in April 2017, so the RTF path only works against Office installations that have missed nearly three years of updates; the macro path needs no unpatched flaw at all, just a recipient who clicks “Enable Content” on a document that looks like it came from a trusted department.
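An attachment triage script for the two lure formats just described, written as an added example for this page; it is not Malwarebytes’ analysis code or anything from the APT36 toolset. It assumes the RTF vector carries an embedded OLE2Link object whose \objdata hex embeds the URL moniker CLSID (the marker seen in CVE-2017-0199 exploit documents), and it treats any Office Open XML file containing vbaProject.bin as macro-enabled. The four attachments it scans are constructed inline and are not real lures.

```python
"""Triage mail attachments for the lure formats named in the article:
RTF with an embedded OLE2Link object (the CVE-2017-0199 vector) and
Office documents carrying a VBA project.  Illustrative code, not vendor
tooling; all samples below are constructed, not captured malware."""
import io
import re
import zipfile

RTF_MAGIC = b"{\\rtf"
OOXML_MAGIC = b"PK\x03\x04"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls OLE container

# URL moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, little-endian, as it
# shows up in \objdata hex.  Assumption for this example: an RTF object that
# carries it is treated as an OLE2Link-to-remote-HTA attempt.
URL_MONIKER_HEX = b"e0c9ea79f9bace118c8200aa004ba90b"


def _rtf_indicators(data: bytes) -> list[str]:
    """Look for the control words and object data a CVE-2017-0199 lure needs."""
    found = []
    # RTF control words are case-insensitive; \objclass names the OLE class
    if re.search(rb"\\objclass\s*OLE2Link", data, re.I):
        found.append("rtf:objclass OLE2Link")
    # \objupdate asks Word to refresh the object on open, i.e. fire without a click
    if re.search(rb"\\objupdate", data, re.I):
        found.append("rtf:objupdate (auto-activate on open)")
    # \objdata is hex text, possibly wrapped over lines; strip whitespace first
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
        if URL_MONIKER_HEX in re.sub(rb"\s+", b"", m.group(1)).lower():
            found.append("rtf:URL moniker CLSID in objdata")
            break
    return found


def _ooxml_indicators(data: bytes) -> list[str]:
    """Inspect the zip directory of a .docx/.docm without parsing the XML."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return ["ooxml:unreadable zip"]
    found = []
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        found.append("ooxml:vbaProject.bin (VBA macros present)")
    # embedded OLE parts can also reach the OLE2Link path from DOCX; flag for review
    if any("oleobject" in n.lower() for n in names):
        found.append("ooxml:embedded oleObject part")
    return found


def triage(data: bytes) -> dict:
    """Classify one attachment by magic bytes and return format, indicators, verdict."""
    if data.startswith(RTF_MAGIC):
        fmt, ind = "rtf", _rtf_indicators(data)
    elif data.startswith(OOXML_MAGIC):
        fmt, ind = "ooxml", _ooxml_indicators(data)
    elif data.startswith(CFB_MAGIC):
        # binary OLE files need a structured-storage parser (oledump/olevba)
        fmt, ind = "ole-cfb", ["cfb:legacy binary Office file, needs olevba/oledump"]
    else:
        fmt, ind = "other", []
    return {"format": fmt, "indicators": ind, "verdict": "quarantine" if ind else "pass"}


def _docm(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples: a text-only RTF, an OLE2Link-style RTF, a macro .docm, a clean .docx
SAMPLES = {
    "advisory.rtf": b"{\\rtf1\\ansi COVID-19 advisory text only}",
    "covid_update.rtf": (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate"
                         b"{\\*\\objclass OLE2Link}{\\*\\objdata 0105000002000000"
                         b"e0c9ea79f9bace118c8200aa004ba90b}}}"),
    "guidance.docm": _docm(True),
    "guidance.docx": _docm(False),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:18} {triage(blob)}")
```

The script is deliberately a first-pass filter: it says which attachments deserve a sandbox run or an analyst’s look, not that the rest are clean. A lure that ships as a legacy binary .doc is only classified here, because its macro streams live in a compound-file container that needs a proper parser such as oletools.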

According to Malwarebytes’ blogpost, the APT36 attack planted the Crimson RAT (remote access trojan) onto infected Windows devices. The RAT then collected specific types of information and sent them back to its command-and-control (C&C) server. These included credentials pulled from browsers, lists of drives, directories and processes on the infected machine, details of running antivirus software, even screenshots.

Malwarebytes told me that APT36 “is intent on collecting sensitive information to support Pakistani military and diplomatic interests—their goal is to steal data such as army strategy documents, tactical documents and army training documents. In the past, they also were able to steal personal data such as passport scan and personal identification documents, text messages and contact details. This information can clearly be used for second stage attacks.”

While Pakistan is not the world’s most sophisticated cyber actor, there was enough subterfuge here to enable the attack to hit its target. According to Malwarebytes, “the RAT usually pretends to be a legitimate Windows related application—for example, in this campaign the actor used a Microsoft Windows icon. In some other campaigns, the actor signed its RAT with fake Microsoft certificates.” A fake certificate does not chain to a trusted root, so the signature fails validation when it is actually checked; the disguise only works against users and tooling that trust the publisher name shown in a file’s properties rather than the verified chain.

“Profiting from global health concerns, natural disasters, and other extreme weather events is nothing new for cybercriminals,” Malwarebytes warns. And now with reports that first China and now Pakistan have already been caught exploiting COVID-19, a pandemic that may be with us a year, all governments will be on alert for malicious attacks masquerading as health-related advisories.

It goes without saying that the rest of us should do the same.
