Dive Brief:
- While coronavirus-related phishing campaigns are spiking, some attackers are getting lazy, according to Palo Alto Networks' Unit 42's analysis of ransomware sent to various global government agencies and medical organizations. The group observed ransomware variant EDA2, which is associated with HiddenTear.
- The malicious file was outdated, meaning it did not correspond with the date it references. Malware authors also neglected to "make their lures appear legitimate in any way," according to the report. None of the campaigns observed in this research were successful.
- After the remote command and control gains the target's username and hostname details, encryption begins using a "fairly simple" algorithm. Additionally, the ransomware has "a particularly substantial limitation," as it can only encrypt files on the victim's desktop.
Dive Insight:
Phishing attacks spiked 667% from February to March as bad actors took advantage of the healthcare and economic crisis. But not all cybercriminals are putting as much care into their malware campaigns.
"This campaign was not sophisticated by any means," Adrian McCabe, senior threat researcher for Unit 42, told CIO Dive in an email. The attacker attempted to "take advantage of people's curiosity toward any particular topic that is popular at a given time," as cybercriminals typically do.
Unit 42 observed another campaign, AgentTesla, sent to the healthcare, pharmaceutical and government sectors. AgentTesla is sold on cybercriminal forums and is known for stealing information, which is why its popularity swelled.
The campaign uses legitimate business domains as the email sender. The business domains belong to companies in electronic skateboard sales and garment textiles and were likely compromised by the attacker.
While the disguised email sender used realistic emails, their recipients were likely the wrong audience. Other cybercriminals pay more attention to detail. IBM X-Force found Emotet trojans distributed in Japan attached to the coronavirus outbreak. Senders disguised themselves as a disability welfare service provider.
Unit 42 couldn't attribute the campaigns to anyone in particular because EDA2 is open sourced, according to McCabe. EDA2's limitation — hardcoded to only encrypt a victim's device — is "either short-sighted, dumb or lazy. Exactly which one is anybody's guess."
As more spoofed email addresses will fill targets' inboxes, McCabe recommends using an enterprise email filtering capability "to its fullest potential."
McCabe wants companies to ask, "Would an email with 'COVID-19' in the subject and an executable as an attachment ever be something that could occur organically as part of your firm's legitimate business activities?"
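The question McCabe poses can be turned into a mail-gateway check. The following is an added example, not code from the article or from Unit 42: it parses a raw message, tests the subject for a COVID-19 or coronavirus theme and flags attachments that are executable either by extension or by the MZ header of a Windows PE file, so a renamed ".pdf" that is really an executable is still caught. The block-list of extensions, the sender and recipient addresses and the sample messages are all constructed for the demo.

```python
"""Added example: flag messages with a COVID-19 themed subject and an executable
attachment, the combination McCabe asks companies to question. Not part of the
article or of Unit 42's research; sample messages are constructed below."""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Assumption: a typical gateway block-list of Windows-executable extensions.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi", ".dll",
}
# Subject themes the article says lures are built around.
SUBJECT_PATTERN = re.compile(r"covid[\s-]?19|coronavirus", re.IGNORECASE)


def is_executable_attachment(part) -> bool:
    """True if a MIME part looks executable by file extension or by PE magic bytes."""
    filename = (part.get_filename() or "").lower()
    ext = os.path.splitext(filename)[1]        # "report.pdf.exe" -> ".exe"
    if ext in EXECUTABLE_EXTENSIONS:
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == b"MZ"                # DOS/PE header, regardless of name


def flag_message(raw: bytes) -> dict:
    """Return a verdict for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    topical = bool(SUBJECT_PATTERN.search(subject))
    exe_parts = [
        part.get_filename() or "<unnamed>"
        for part in msg.iter_attachments()
        if is_executable_attachment(part)
    ]
    return {
        "subject": subject,
        "topical_subject": topical,
        "executable_attachments": exe_parts,
        # Quarantine only the combination the article singles out; an executable
        # with an unrelated subject is still reported for separate policy handling.
        "quarantine": topical and bool(exe_parts),
    }


def build_sample(subject: str, filename: str, content: bytes,
                 maintype: str, subtype: str) -> bytes:
    """Construct a sample message (constructed data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"       # placeholder address
    msg["To"] = "staff@example.org"          # placeholder address
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    msg.add_attachment(content, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed sample messages covering the obvious lure, a renamed executable,
# a benign topical message and an executable with an unrelated subject.
SAMPLES = {
    "lure": build_sample("COVID-19 update for all staff", "covid_update.exe",
                         b"MZ\x90\x00fake-pe-bytes", "application", "octet-stream"),
    "renamed": build_sample("Coronavirus guidance", "guidance.pdf",
                            b"MZ\x90\x00fake-pe-bytes", "application", "pdf"),
    "benign": build_sample("COVID-19 update", "guidance.pdf",
                           b"%PDF-1.4 constructed sample", "application", "pdf"),
    "unrelated": build_sample("Q2 invoice", "setup.exe",
                              b"MZ\x90\x00fake-pe-bytes", "application", "octet-stream"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, flag_message(raw))
```

The magic-byte test matters more than the extension list: the article notes that the observed lures were not disguised at all, but a gateway rule keyed only on ".exe" would miss a better-prepared sender who renames the file.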