Hackers Exploit Microsoft Windows Users
Coming after the reports that China has been caught hacking foreign governments with specially crafted COVID-19 Office documents, here’s proof. If you’re in the spy business, nothing beats a crisis, which Malwarebytes describes as “a golden opportunity for threat actors to capitalize on fear, spread misinformation, and generate mass hysteria.”
It was reported earlier that COVID-19 confusion among the general public is amplified within government departments, providing the perfect opening for threat actors to push fake communications to stressed officials.
There is no more business as usual, and so Microsoft Office attachments that might usually arouse suspicion now get through. Headline an email “COVID-19” or “Coronavirus,” spoof the sender to be a friendly government department, and you have a chance to slip the security net.
The latest government campaign to come to light has been attributed to a hacking group sponsored by the Pakistani government, one targeting India for information that may provide a military advantage in the conflict between the two nations.
First disclosed by the Red Drip team on March 12, the attack spoofs messages from the Indian government to phish for information that opens India to attack. Millions of users are now receiving malicious Coronavirus emails, and on March 16, the U.K.’s National Cyber Security Centre, part of spy agency GCHQ, warned the public “of criminals exploiting Coronavirus online as cybercriminals seek to exploit COVID-19”.
NCSC reports that techniques include “bogus emails with links claiming to have important updates, which if clicked on lead to devices being infected. These ‘phishing’ attempts have been seen in several countries and can lead to loss of money and sensitive data.”
According to Malwarebytes, the APT36 attack (APT36 is described as “a Pakistani state-sponsored threat actor”) planted the Crimson RAT (Remote Access Trojan) onto infected Windows devices. The RAT then searched for specific types of information and returned them to its command-and-control (C&C) server.
These included credentials pulled from browsers, lists of drives, directories and processes on the infected machine, details of running antivirus software, even screenshots. Targets include defence, embassies, and other government parastatals.
The RAT usually pretends to be a legitimate Windows-related application; in one campaign, for example, the actor used a Microsoft Windows icon. In other campaigns, the actor signed its RAT with fake Microsoft certificates.
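One check a defender can run against the fake-Microsoft-certificate trick described above, as an added example that is not part of the original article or of any Malwarebytes tooling: flag binaries whose signer certificate claims to be Microsoft but whose Authenticode signature does not validate to a trusted root (the scan path and the "Microsoft" subject match are assumptions for illustration).

```powershell
# Added example: find executables that claim a Microsoft signer but fail
# Authenticode validation. A genuine Microsoft-signed binary returns Status
# 'Valid'; a forged or self-signed "Microsoft" certificate returns 'NotTrusted',
# 'UnknownError' or similar, because it does not chain to a trusted root.
function Test-SuspiciousMicrosoftSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Assumption: a signer subject containing "Microsoft" is a claim to be Microsoft.
    $claimsMicrosoft = $subject -match 'Microsoft'

    [pscustomobject]@{
        Path            = $Path
        Status          = $sig.Status          # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Signer          = $subject
        ClaimsMicrosoft = $claimsMicrosoft
        # Suspicious: claims Microsoft but the chain does not validate.
        Suspicious      = $claimsMicrosoft -and ($sig.Status -ne 'Valid')
    }
}

# Example usage (assumed location): scan recently downloaded binaries, which is
# where a phishing attachment dropped by a spoofed "government" email would land.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.exe, *.dll -Recurse -File |
    ForEach-Object { Test-SuspiciousMicrosoftSignature -Path $_.FullName } |
    Where-Object Suspicious |
    Format-Table Path, Status, Signer -AutoSize
```

An unsigned binary with a Windows icon (the other disguise mentioned above) shows up as Status 'NotSigned' with an empty signer, so dropping the `Where-Object Suspicious` filter lists those too.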
Malwarebytes warns that “profiting from global health concerns, natural disasters, and other extreme weather events is nothing new for cybercriminals.” Now, with reports that China and Pakistan have already been caught exploiting COVID-19, a pandemic that is yet to be contained, all governments should be on alert for malicious attacks masquerading as health-related advisories.