Beware malware-laden emails offering COVID-19 information, US Secret Service warns

News Analysis
Apr 09, 2020 (6 min read)

Many of the emails take advantage of an unpatched, decades-old Microsoft Office vulnerability to deliver malware. Advice: Patch now.


As the coronavirus crisis continues to capture everyone’s attention, cybercriminals stay busy running scams and delivering malware using the attention-getting virus as a lure. The threats from the scammers and crooks, which began as early as January and continue unabated, range from tricking people out of their financial data to delivering pernicious malware.

Although some scammers use novel techniques to commit their crimes, many schemes rely on tried-and-true phishing methods that exploit unpatched software flaws that sometimes have stayed unfixed for years. On April 1, the US Secret Service (USSS) sent out an information alert, “Fraudulent COVID-19 Emails with Malicious Attachments,” that warns about messages masquerading as COVID-19 status emails from employers, merchants and other businesses.

The USSS has uncovered attempted attacks that, using these faux alerts, sought to remotely install malware on the infected system to “harvest financial credential, install keyloggers, or lockdown the system with ransomware.” The malicious attachments are usually Microsoft Office or WordPad file types that exploit a now-patched vulnerability in Microsoft Office, according to the alert. However, the Secret Service says that variations exist and attack vectors evolve.

Patch Microsoft Office vulnerability CVE-2017-11882

Mark Coleman, assistant to the special agent in charge at the USSS’s Criminal Investigative Division, tells CSO that the malware spreaders were seeking to exploit the two-decades-old Microsoft Office memory corruption vulnerability CVE-2017-11882, for which Microsoft released a security patch in November 2017. CVE-2017-11882 is a common, even “prolific,” vector for spreading malware, involved in over 600 incidents through the first three quarters of 2019, according to researchers at Cofense.

The Secret Service also said that phishing emails disguised as coming from a hospital, with the recipient notified they might have come in contact with a coronavirus-infected person, also carry malware attached to a downloadable Excel file, which exploits the same Office flaw. “Similar to the fraudulent corporate COVID-19 emails, these were Excel .XLSM files that likely were attempting to exploit the same CVE-2017-11882 Microsoft Office vulnerability,” says Coleman.

The malware can steal login credentials, open shares on the networks, and view all files and folders as well as discover and take cryptocurrency information. A variation on this attack is an email purportedly from the US Department of Health and Human Services (HHS) targeting medical suppliers asking them to provide protective medical equipment from an attached list that contains malware.

The HHS scammers sent emails that contained a .EXE file attachment that carried a .PDF extension prefix in the file name, Coleman says, a technique used to fool the recipients into believing they were opening a PDF file containing a list of needed supplies. Coleman says they think the executable deployed Agent Tesla to the potential victim user, which logs keystrokes and captures credentials. Agent Tesla is a time-tested piece of malware that also exploits CVE-2017-11882. It has been sold to thousands of cybercrooks who pay subscription fees at varied levels to license the software.
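A defender-side check for the masquerading Coleman describes (a document extension used as a decoy ahead of the real .EXE, or executable content under a document extension), written as an added example that is not from the article or the Secret Service alert; the filenames and header bytes are constructed.

```python
"""Flag e-mail attachments whose name or content disguises an executable (constructed example)."""
from __future__ import annotations

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "xlsm", "rtf", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}

# Leading bytes a file with the given extension is expected to start with.
MAGIC = {
    "exe": (b"MZ",), "scr": (b"MZ",), "pdf": (b"%PDF-",),
    "docx": (b"PK\x03\x04",), "xlsx": (b"PK\x03\x04",), "xlsm": (b"PK\x03\x04",),
    "doc": (b"\xd0\xcf\x11\xe0",), "xls": (b"\xd0\xcf\x11\xe0",), "rtf": (b"{\\rtf",),
}

def split_extensions(filename: str) -> list[str]:
    """Every extension in the name, lower-cased: 'List.PDF.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []

def findings(filename: str, head: bytes) -> list[str]:
    """Reasons to quarantine the attachment; an empty list means no rule fired."""
    exts = split_extensions(filename)
    reasons: list[str] = []
    if not exts:
        return reasons
    real = exts[-1]  # the last extension decides how the OS opens the file
    if real in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment (.{real})")
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):  # e.g. 'list.PDF.exe'
            reasons.append("document extension used as decoy before executable extension")
    expected = MAGIC.get(real)
    if expected and not any(head.startswith(m) for m in expected):
        reasons.append(f"content does not match .{real} (header {head[:4]!r})")
    if head.startswith(b"MZ") and real not in EXECUTABLE_EXTS:
        reasons.append("PE executable header under a non-executable extension")
    return reasons

# Constructed samples modelled on the article's description; not real attachments.
SAMPLES = {
    "PPE_Supply_List.PDF.exe": b"MZ\x90\x00\x03",
    "COVID19_Update.pdf": b"%PDF-1.7\n",
    "exposure_notice.xlsm": b"PK\x03\x04\x14",
    "invoice.pdf": b"MZ\x90\x00\x03",
}

def scan(samples: dict[str, bytes] = SAMPLES) -> dict[str, list[str]]:
    return {name: findings(name, head) for name, head in samples.items()}

if __name__ == "__main__":
    for name, reasons in scan().items():
        print(name, "->", reasons or ["ok"])
```

A well-formed .XLSM carrying the CVE-2017-11882 exploit passes this check unchanged, which is why the alert's first-line advice remains patching.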

Multiple reports of COVID-19 scams

This combination of exploiting an irresistible topic and old and unpatched vulnerabilities is powerful. “It is extremely normal for people that target vulnerabilities to use really old vulnerabilities,” Roger Grimes, a former security specialist at Microsoft and now a data-driven defense evangelist at KnowBe4, tells CSO. Around 25% of organizations never get around to applying any given patch after it’s pushed out, he says.

This creates the perfect conditions for madly successful phishing campaigns. Around 80% to 90% of all successful exploits happen because of social engineering, Grimes says, and 20% to 40% of successful exploits happen because of unpatched software. Together they account for 90% of all risks within organizations.

“We’ve seen a 670% increase in phishing in March mostly because of COVID campaigns. It’s amazing how much effort and vigor phishers have,” Grimes says.

Whether using proven or novel methods, scammers and malware purveyors show no signs of slowing down as they piggyback on the fears surrounding coronavirus:

  • Like the Secret Service, the Better Business Bureau received reports of individuals posing as HHS employees using SMS messages to spread word of a supposed online coronavirus test, which in reality led to data-stealing malware.
  • Researchers at KnowBe4 reported the same kind of “you’ve come into contact with a coronavirus-infected person” phishing email that the Secret Service referenced. This phishing campaign delivers malware that serves as a trojan downloader and is detected by only a handful of major anti-virus applications.
  • Researchers at IBM X-Force Threat Intelligence identified emails claiming to be sent by the US SBA that appear to be a confirmation email for an application for disaster assistance. Instead, the emails deliver attachments that, when opened, execute Remcos malware that installs a remote access Trojan (RAT).
  • Relatively early on in the coronavirus crisis in Western nations, the UK’s NCSC warned of the creation of phishing campaigns pegged to the coronavirus crisis, saying back in mid-March that cybercriminals were creating phishing landing pages at a rapid clip.

Worldwide crackdown on COVID-19 scammers

Consequently, law enforcement agencies worldwide are vowing to crack down on the criminals riding in on the wave of this deadly disease. US Attorney Offices around the nation have announced their active interest in prosecuting cybercriminals, including the US Attorneys Offices for the Southern District of California and Western District of Louisiana.

Earlier this week, the US Attorney’s Office in South Carolina even formed a “COVID Strike Team” that pulls from a broad group of law-enforcement resources including the US Attorney’s Office, federal law enforcement officers from an array of agencies, officers with the South Carolina Law Enforcement Division (SLED), and members of the South Carolina Attorney General’s Office.

Other countries are pushing to prosecute COVID cybercriminals. This week Australia announced that its Signals Directorate is mobilizing its offensive capabilities to bring down any criminals that exploit the COVID-19 crisis.

USSS’s Coleman says that working with local law enforcement is key to nipping these scams in the bud. “As a leading federal agency responsible for investigating complex cyber-enabled fraud schemes and training state and local partners how to do the same, we believe in partnerships which act as a force multiplier,” he says. “By so quickly and frequently disseminating criminal intelligence on real-time threats to the general public and other stakeholders, we are able to reduce the effectiveness and success of these emerging COVID-19 frauds.”

In the meantime, a joint alert from the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued on April 8 regarding the exploitation of COVID-19 by malicious cyber actors offers a series of steps organizations can take to mitigate the risks of these actors causing damage. Regarding the kinds of phishing schemes flagged by the Secret Service, the guidance recommends that organizations: