Over the past several weeks, various threat actors have taken advantage of the global concern and interest in the recent coronavirus, known as 2019-nCoV, to launch new social engineering campaigns.
The NJ Cybersecurity & Communications Integration Cell (NJCCIC) previously reported on coronavirus-themed phishing emails attempting to deliver the Emotet trojan, and others have now surfaced. Proofpoint reported on a phishing campaign targeting industries that could be impacted by shipping disruptions as a result of the virus, including manufacturing, industrial, finance, transportation, pharmaceutical, and cosmetic companies. These emails attempt to convince the recipient to open a Word document attachment regarding the impacts on shipping. The threat actors attempt to exploit a nearly three-year-old Microsoft Office vulnerability (CVE-2017-11882) and, once the attachment is opened and macros are enabled, the AZORult information-stealing trojan is installed. In addition, Sophos reported that the World Health Organization (WHO) is being impersonated to spread malware via a phishing campaign that includes the WHO logo and branding and provides the recipient with a link to safety measures regarding the spread of 2019-nCoV. The link leads to a compromised website that looks identical to the WHO homepage; however, a pop-up asks the visitor to verify their email and password. The site's URL is not that of the legitimate WHO homepage, which is a noticeable red flag.
The NJCCIC highly encourages users to remain vigilant and exercise extreme caution with emails that reference 2019-nCoV, refraining from clicking links or opening attachments. Phishing attempts can be reported to the NJCCIC via the Cyber Incident Form. The WHO and Centers for Disease Control and Prevention provide up-to-date information regarding the 2019-nCoV outbreak.
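
The URL red flag described above can be checked mechanically at a mail gateway or during triage. The following Python is an added example, not code from the NJCCIC, Sophos or Proofpoint; it assumes `who.int` and `cdc.gov` as the official domains, and the function names, the sample message and its `.example` hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Official domain -> how the brand is named in link text (assumed list, extend as needed).
TRUSTED = {
    "who.int": re.compile(r"\bWHO\b|(?i:world health organi[sz]ation)"),
    "cdc.gov": re.compile(r"\bCDC\b|(?i:centers for disease control)"),
}

class _Anchors(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_official(host, domain):  # exact host or a true subdomain, never a bare suffix
    return host == domain or host.endswith("." + domain)

def review_links(html):
    """Return (href, host, verdict) per link: official, suspicious or unrelated."""
    parser = _Anchors()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        # .hostname lowercases the host and drops any "user@" prefix and port.
        host = (urlsplit(href).hostname or "").rstrip(".")
        verdict = "unrelated"
        for domain, brand in TRUSTED.items():
            if is_official(host, domain):
                verdict = "official"
                break
            if domain in href.lower() or brand.search(text):
                verdict = "suspicious"  # borrows the name but points elsewhere
        results.append((href, host, verdict))
    return results

SAMPLE = ('<a href="https://www.who.int/emergencies">WHO advice</a>'  # constructed
          '<a href="https://who.int.safety.example/login">WHO safety measures</a>'
          '<a href="https://www.who.int@portal.example/verify">Verify email</a>'
          '<a href="https://news.example/story">Read more</a>')
```

A "suspicious" verdict only means the link uses the organization's name or domain string while resolving to a different host; it is a prompt for review, not proof of compromise.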