COVID-19 Phishing Update: Email Posing as Scam Guidance Delivers Malware Instead

The novel coronavirus is giving opportunistic threat actors new means of deploying malicious lures on unsuspecting targets. Today’s example shows the attacker leveraging the pandemic by offering guidance on how to avoid coronavirus scams. Unfortunately, it’s also a scam.

We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up to date on how threat actors are exploiting the pandemic.

This lure is targeting a large global financial institution.

Sender address: [email protected]

Clicking on the link redirects the target to affmote[dot]com/WLGf4L49kgtfESv4u.php, where they are prompted to provide extra verification in order to access the document. This extra step serves a dual purpose for the attacker by keeping security researchers or bots, rather than the intended victim, from finding the malware.

Enabling the malicious Word document results in the download of Ursnif malware, a highly active and stealthy banking trojan.

The information that this particular lure promises is not unique. Phishing attacks exploiting coronavirus information from health and government officials now span a variety of channels, and tips on how to avoid being a victim are everywhere. Attackers interested in capitalizing on the public’s need for COVID-19 updates need only look to authority figures on the subject and mirror their messaging.

For more intelligence on COVID-19 threats, see our ongoing coverage.


*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Jessica Ellis. Read the original post at: https://info.phishlabs.com/blog/covid-19-phishing-update-email-posing-as-scam-guidance-delivers-malware-instead