While there are currently upwards of seven cyber threat campaigns centered on SARS-CoV-2 (the virus that causes the illness now known as COVID-19); one stands out from the rest. According to CheckPoint Research (https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/), this campaign is a continuation of previous attacks by the Vicious Panda APT group, with the latest iteration using the threat of the Coronavirus to entice users into falling for the downloader/stager scheme.
Though not particularly novel or intricate, the somewhat complex stager to downloader to dll methodology does have one thing that sets it apart. Vicious Panda is the codename of a Chinese APT group – meaning that the country which saw the first devastating wave of COVID-19 patients, and the first loss of life from the disease, is now using it to disrupt data systems in other parts of the world.
The attack itself is straight-forward. An email hook via a poisoned attachment – in this case a rich text file – is emailed or otherwise delivered to the target. Relying on a known exploit in the Equation Editor component in Windows systems installed with Microsoft Office, the RTF file executes code that performs additional actions on the infected machine. In the case of this campaign, a series of download files (mostly DLL’s) sets up both a persistence factor so that the attack re-launches itself until removed whenever a Microsoft Office app is run; and a Remote Access Trojan (RAT) to allow the attackers to gather details and data from an infected device.
The RAT is the more problematic of the executable components; as in addition to stealing data and user information through screen shots and process dumps, a RAT can be configured to download and launch additional executable code. While the initial attack is independently dangerous, this ability to persist beyond reboot and to download more attack code at any time makes this significantly more worrisome.
As for mitigation against this threat, while the actual downloaded vector is new, the methods and techniques used to successfully land the attack are not. Updates and patches exist for Windows to defend against the Equation Editor exploits, which have existed since 2017 but have remained unpatched on many Windows devices. Patching against CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 will limit the ability of the initial infection vector (the poisoned RTF file) to land, and thereby defend the device itself. It’s recommended that systems be patched as soon as possible if the fixes for these three CVE’s have not yet been applied.
While the actual attack binaries do appear to be new, they function with the same effect as most RAT’s; so monitoring for unusual activity around screenshots, file manipulation, data exfiltration, and unknown process initiation can identify that a device is infected. Any device that exhibits these unusual behavior patterns should be temporarily isolated until further investigation can be performed to confirm infection or identification of the reason for the unusual operations.
Leveraging the COVID-19 fears of the world is despicable. Threat groups have never been known for their reserve or decency, but launching attacks that play off the panic of the world right now is unacceptable beyond belief. That it is coming from the country that experienced the first outbreak is even more bewildering and disappointing. I urge all threat groups to not make the situation worse by playing off the fears of an international pandemic crisis.
It’s doubtful that we will see an end to attacks taking advantage of national and international crisis events. As disheartening as that it, we must face reality and realize that any opportunity can and will be used to spread malware that disrupts and/or destroys businesses. This example, though, is extraordinarily despicable for two reasons: First, the disruption of many businesses during this specific crisis can, and will, lead to the loss of lives. Disruption of a single manufacturer or medical equipment or devices will make the already devastating shortage of masks, sanitizers, ventilators, and other vital healthcare equipment so much worse. People who might have lived will die, and their blood will be directly on the hands of these threat actors. Secondly, the apparent origination of this specific threat from an Advanced Persistent Threat group from China – the first and one of the most significantly impacted countries – is simply baffling. After the loss of life, disruption of business, and overall health impact of this virus; the country that was at the start of the chain of the pandemic should not be weaponizing the fear of that pandemic for furtherance of state-sponsored cyber threat goals.