Content, Content, Phishing

Banking Phishing Campaign Tricks Victims with COVID-19, Family Leave Ruse

Yet more phishers attempting to capitalize on the coronavirus (COVID-19) pandemic have emerged, using the IcedID banking malware to steal money from unsuspecting victims, Juniper Networks’ Threat Labs researchers said in a recent blog post.

IcedID is banking malware that performs man-in-the-browser attacks to steal financial information, monitoring browser activity related to financial transactions. In this case, hackers are luring victims to unwittingly spring loose a set of malicious files attached to emails containing keywords such as COVID-19 and FMLA (Family and Medical Leave Act). The emails are constructed to convince recipients that the documents originate with the U.S. Department of Labor and contain legitimate information.

Earlier versions of IcedID injected into svchost.exe and downloaded encrypted modules and config as .dat files, Paul Kimayong, a Juniper threat researcher, wrote. “This new campaign changes tactics by injecting into msiexec.exe to conceal itself and use full steganography for downloading its modules and configurations.” The infection is set in motion in three stages, the first of which starts with a phishing email harboring a malicious Microsoft Office attachment (FMLAINSTRUCTIONS.doc). When opened, that file executes a second loader whose purpose is to download another IcedID loader. A third stage loader downloads the actual IcedID main module.

As for the email itself, it’s riddled with broken English and typographical errors. Still, similar to other COVID-19 phishing attempts, it contains a seductive call to action, referencing the Families First Coronavirus Response Act that provides paid sick leave or expanded family and medical leave related to COVID-19, and the Family and Medical Leave Act of 1993, which provides unpaid, job-protected leave for specified family and medical reasons. Here's an abridged version of the phishing email:

“Dear employees, The following notice is written to all suitable workers in order to notify of a number of changes that have been constructed in the current FMLA with regards to the latest Coronavirus Response Act.

To ask for leave based on the Family and Medical leave of Act (sic), remember to analyze the files very carefully, get informed about the adjustments that have been created, fill out the requestform (sic) and send to Human Resources until may (sic) 31st, 2020.”

Heavyweight industry and financial services organizations IcedID targets include Amazon, American Express, AT&T, Bank of America, Charles Schwab, Chase, Dell, J.P. Morgan, Verizon, Wells Fargo and others.

“IcedID is a very complex malware and there is no doubt the threat actors behind this are very much capable with constant updates to their arsenal,” Kimayong said.

Other phishers have also tried to capitalize on the pandemic by using bogus gmail accounts to trick businesses in key industries to hand over their Google account credentials. Attackers discovered by Google's security researchers have ensnared individuals with email invitations to sign up for COVID-19 notifications from the World Health Organization. In late April, the Federal Bureau of Investigation said the number of online crimes reported to its Crime Complaint Center had quadrupled to upwards of 4,000 incidents a day since the pandemic began in the U.S.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.