Hackers are using malicious emails about the coronavirus to trick people with a malware called AZORult.
Cybercriminals have spent the last month using concerns about the spread of the coronavirus as cover for a variety of damaging attacks while the real-life death toll from the illness continues to rise.
Now criminals are using coronavirus-themed malware to target the global shipping community with malicious Microsoft Word documents.
Hackers used emails about ways to prevent coronavirus contraction in Japan as a way to spread Emotet malware to unsuspecting victims while others sent out fake emails from the World Health Organization or Centers for Disease Control and Prevention to trick people into giving away their email account passwords.
Sherrod DeGrippo, senior director threat research at Proofpoint, said researchers have now found emails using the topic of coronavirus to attack companies in the manufacturing, industrial, finance, and transportation industries.
The attacks involve emails sent to these companies with Microsoft Word documents attached that install an information-stealing malware called AZORult.
The industry has been particularly affected by global worry around coronavirus, with shipping rates cratering in recent weeks and global container shipping lines rerouting cargo and reducing calls to Chinese ports.
SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic Premium)
According to Proofpoint researchers, the malicious emails are coming from groups in Russia or Eastern Europe and some include the subject line, “Coronavirus – Brief note for the shipping industry.”
“While they aren’t part of an APT group, they clearly understand the economic concerns surrounding the coronavirus. All emails with coronavirus-themes and attachments should be treated with caution, even if they don’t appear to be directly health related,” DeGrippo said in the blog post.
“A coronavirus-related shipping supply disruption would negatively impact each of the company types listed above and it’s clear these attackers are aware that a major event like coronavirus can have secondary impacts on industries. This awareness demonstrates not just technical sophistication, but economic sophistication as well. In addition to the health concerns around coronavirus, there are increased concerns globally about coronavirus’ potential economic and international supply chain impact.”
From the emails discovered, the campaign is attempting to exploit a more than two-year-old vulnerability with AZORult, which is installed when the malicious Microsoft Word documents are downloaded. AZORult is leveraging the widely used Equation Editor and Proofpoint researchers have found it in a variety of attacks over nearly three years.
According to DeGrippo, the cybercriminals behind the emails are hoping shipping industry companies have been slow to deploy patches for AZORult, a proven and effective mode of stealing information from enterprises.
AZORult was used to download ransomware programs, particularly for criminals engaging in sextortion scams as recently as 2018.
The blog post says every organization involved in the global shipping industry should be wary of coronavirus-related emails and every enterprise should proceed with caution when opening any email related to the illness.
“These latest attacks show that attackers aren’t just technically sophisticated: they also can be economically sophisticated. These attacks take coronavirus-themed attacks in a direction people might not expect away from health-related concerns and towards secondary, economic-related concerns, in this case the possible impact of coronavirus on global shipping,” DeGrippo added.
“This underscores that the threat potential around coronavirus remains broad and everyone should exercise extra caution when dealing with coronavirus-themed emails, links and attachments,” DeGrippo said.