By Dylan Duncan and Max Gannon
Threat actors were quick to leverage the news that President Donald Trump tested positive for COVID-19. Cofense Intelligence has observed a recent COVID-19-themed campaign that successfully reached users in enterprise environments. Taking advantage of recent headlines and the upcoming U.S. election, this campaign makes use of secure email gateway (SEG) evasion tactics and anti-analysis techniques to deliver advanced malware to end users protected by leading SEGs. The threat actors targeted multiple industries, reaching users across a variety of sectors in the United States and Europe.
The emails entice recipients by leveraging the president’s health status mere weeks before the election and claiming to provide “secret” information on COVID-19. Threat actors have created multiple phishing emails based on these themes, similar to Figures 1 and 2.
Figure 1: Phishing email leveraging the president’s medical condition.
Figure 2: Phishing email leveraging COVID-19.
Anti-analysis Malware in “Secure” Environments
These phishing emails deliver embedded Google Docs URLs that are often permitted by SEGs. The URL leads to a document with another link rather than directly downloading malicious content. While Google is quick to remove directly hosted malware, it is often much slower to remove content that provides a link to malicious content. The Google doc (Figure 3) displays an image of the Google logo with a hyperlink that redirects to a Google wrapped payload URL. This wrapping is important, as threat actors can use it to prevent analysts from downloading malware directly from the threat actor-controlled page. If certain conditions are met, the payload URL then downloads a password-protected XLS file. This password protection ensures that, without access to the original email, any downloaded files are not revealed to reverse engineers. The password-protected Microsoft Excel Worksheet abuses an organization’s reliance on Microsoft Excel macros to download and execute BazarBackdoor or ZLoader once macros are enabled.
The choice between BazarBackdoor or ZLoader is determined by the initial link embedded in the email. Both of these malware families feature extensive anti-analysis functionality. BazarBackdoor is a stealthy malware downloader commonly affiliated with the developers of TrickBot. It uses specialized network communications to avoid detection, and to contact its command and control locations. ZLoader is a banking trojan that uses web injects to steal credentials and sensitive information.
Figure 3: Google Document from the embedded URLs.
Threat actors continue to adapt phishing campaigns to reflect current–affairs themes, and turn to the tactics, techniques and procedures that yield success in delivering phish to targets in environments protected by SEGs. Once a phishing email successfully reaches an inbox, the human factor is the final defense against compromise. Cofense Intelligence will continue to report on phishing campaigns reaching end users and the tactics, techniques and procedures that evade modern SEGs.