Threat actors pose as Indian govt. to spread malware laced COVID email attachments

The email orders organizations to review the attachment and submit their plan of action to combat Coronavirus, much similar to APT36's pattern of attack.
Updated on
April 19, 2023
Published on
April 29, 2020
Read MINUTES
5
Subscribe to the latest industry news, threats and resources.
In a recent attempt to spread malware, threat actors, posing as Indian government departments, are sending malicious emails to organizations. The email claims to be a follow up to a previous correspondence, and orders organizations to review the attachment and submit their plan of action to combat Coronavirus. The seemingly official language of the email content, makes it seem like a directive from the Home Ministry of India. This tactic coerces victims into opening the malware laced attachments immediately. phishing email Although a fake email address, [email protected] gives victims the impression of a legitimate mail address. However, the actual email address of the Ministry of Home Affairs ends in [email protected]. The email attachment titled Coronavirus_action_plan.docx, as reported by Subex, is found to drop malware into the victim’s system, once opened. 

Similar phishing lure by APT36

A similar incident was reported by Malwarebytes on 16 March, this year, when the alleged Pakistani state-sponsored threat actor group, APT36, posed as the Government of India to send Coronavirus health advisory emails with malicious attachments. Notably, this group is known for targeting the Indian government, its embassies and the defense system. The email attachment contained two malicious macros that dropped the CrimsonRAT payload, to steal credentials from browsers, capture screenshots, list running processes, directories, and drives, and more. 

COVIDlure

 

Indicators of Compromise

 
Decoy URLs
email.gov.in.maildrive[.]email/?att=1579160420
email.gov.in.maildrive[.]email/?att=1581914657
Decoy documents
876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef165620da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a
CrimsonRAT
0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010
b67d764c981a298fa2bb14ca7faffc68ec30ad34380ad8a92911b2350104e748
C2s
107.175.64[.]209
64.188.25[.]205
  This lure bears a stark similarity with the emergency response plan phishing email, in that:
  • Both the emails are traced back to addresses that impersonate the Indian government, 
  • They have attachments that call for immediate attention and action, and 
  • These emails were sent to victims under the cover of Coronavirus.

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations