Back in 2020, hackers attempted to capitalize on the Coronavirus (COVID-19) pandemic by using phishing campaigns. According to Juniper Networks’ Threat Labs researchers at the time, a COVID-19-related phishing campaign was found to be spreading the banking trojan IcedID.
IcedID is a banking trojan that executes man-in-the-browser attacks to steal banking information and monitor financial transactions. Hackers lure victims into opening a set of malicious files attached to emails that use keywords such as COVID-19 and FMLA (Family and Medical Leave Act). The emails are designed to convince recipients that the documents come from the U.S. Department of Labor and contain legitimate information.
Although earlier versions of IcedID injected themselves into svchost.exe and downloaded encrypted modules, the most recent campaign changes those tactics by injecting into the msiexec.exe process. The infection proceeds in three stages. It starts with a phishing email carrying a malicious Microsoft Office attachment. When opened, the file launches a second loader whose only purpose is to download yet another IcedID loader. That loader then downloads the actual IcedID main module.
As for the delivery email itself, it’s loaded with broken English and typographical and grammatical errors. Like other COVID-19 phishing attempts, it contains a persuasive call-to-action, with references to the Families First Coronavirus Response Act that provides paid sick leave and expanded family and medical leave related to the coronavirus.
The phishing email reads in part:
“Dear employees, The following notice is written to all suitable workers in order to notify of a number of changes that have been constructed in the current FMLA with regards to the latest Coronavirus Response Act. To ask for leave based on the Family and Medical leave of Act (sic), remember to analyze the files very carefully, get informed about the adjustments that have been created, fill out the requestform (sic) and send to Human Resources until may (sic) 31st, 2020.”
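As an added illustration (not code from the Threat Labs report or this article), the Python triage scorer below flags messages that combine the indicators described above: FMLA/COVID lure wording, an Office attachment, a claimed Department of Labor origin sent from an outside domain, and a deadline. The sample message, the `dol.gov` domain check and the one-point-per-indicator scoring are assumptions made for this example.

```python
import re
from email import message_from_string

# Lure vocabulary the article reports for this campaign.
LURE_TERMS = ("fmla", "covid-19", "coronavirus", "family and medical leave")
# Extensions that can carry the first-stage Office loader.
OFFICE_EXTS = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")
# The agency the lure impersonates; its domain is an assumption for the check.
CLAIMED_AGENCY, AGENCY_DOMAIN = "department of labor", "dol.gov"

def triage(raw):
    """Return (score, reasons) for one raw RFC 822 message string."""
    msg = message_from_string(raw)
    text = " ".join(p.get_payload(decode=True).decode(errors="replace")
                    for p in msg.walk() if p.get_content_type() == "text/plain").lower()
    subject = (msg.get("Subject") or "").lower()
    sender = (msg.get("From") or "").lower()
    sender_domain = sender.rsplit("@", 1)[-1].rstrip(">")
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    reasons = []
    hits = [t for t in LURE_TERMS if t in text or t in subject]
    if hits:
        reasons.append("lure terms: " + ", ".join(hits))
    office = [a for a in attachments if a.lower().endswith(OFFICE_EXTS)]
    if office:
        reasons.append("office attachment: " + ", ".join(office))
    # Claims to come from the agency but the sending domain is not the agency's.
    if CLAIMED_AGENCY in text + sender and not sender_domain.endswith(AGENCY_DOMAIN):
        reasons.append("claims %s but sent from %s" % (CLAIMED_AGENCY, sender_domain))
    # Deadline pressure such as "send ... until May 31st".
    if re.search(r"\b(until|by|before)\s+[a-z]+\s+\d{1,2}", text):
        reasons.append("deadline pressure")
    return len(reasons), reasons

# Constructed sample modelled on the quoted lure; not a real capture.
SAMPLE = """\
From: HR Notice <hr-notice@example.invalid>
Subject: FMLA changes - Coronavirus Response Act
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Dear employees, the Department of Labor has updated the FMLA rules. Fill out
the request form and send to Human Resources until May 31st, 2020.
--B1
Content-Type: application/msword; name="FMLA_request_form.doc"
Content-Disposition: attachment; filename="FMLA_request_form.doc"

ZmFrZQ==
--B1--
"""
```

Running `triage(SAMPLE)` returns a score of 4 with all four reasons, while a plain internal note with no attachment scores 0.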
Organizations that have been targeted by IcedID include Amazon, American Express, AT&T, Bank of America, Charles Schwab, Chase, J.P. Morgan, Wells Fargo, and others.
Other hackers have used phishing to capitalize on the Coronavirus pandemic by using bogus Gmail accounts to fool businesses in key industries into handing over their Google credentials. According to Google security researchers, some attacks ensnared individuals with email invitations to sign up for phony COVID-19 notifications from the World Health Organization. In late April 2020, the FBI said that the number of online crimes reported to its Crime Complaint Center had quadrupled to upwards of 4,000 incidents a day since the Coronavirus pandemic began in the U.S.