Nigerian cybercriminals specialized in business email compromise (BEC) attacks were observed leveraging COVID-19 lures in recent attacks on healthcare and government organizations, Palo Alto Networks reveals.
Referred to as SilverTerrier and active since at least 2014, the group represents a collective of over 480 individual threat actors launching an average of 92,739 assaults per month in 2019, most of them targeting the high-tech industry.
Between January 30 and April 30, 2020, Palo Alto Networks observed three SilverTerrier groups launching ten COVID-19-themed malware campaigns that included over 170 phishing emails across the security company’s customer base.
The campaigns stand out because they also attempted to compromise organizations critical to COVID-19 response efforts, including “government healthcare agencies, local and regional governments, large universities with medical programs/centers, regional utilities, medical publishing firms, and insurance companies across the United States, Australia, Canada, Italy, and the United Kingdom.”
With many cybercriminals tailoring their attacks to take advantage of the current COVID-19 crisis, including nation-states, it’s no surprise that BEC scammers attempted to seize the opportunity as well.
However, Palo Alto Networks says that none of the observed SilverTerrier attacks taking advantage of the coronavirus crisis has been successful in compromising the intended target.
Starting January, one of the actors behind the recent campaigns was observed launching multiple attacks that attempted to exploit CVE 2017-11882, an Office vulnerability that Microsoft patched in 2017, to run an executable file.
The assaults targeted organizations in the United States (a major utility provider, a university, and a government agency), Australia (a health insurance provider and an energy company), Canada (health agency), and a European medical publishing company to deliver various malware families.
Two other campaigns targeted US organizations (government health agencies, universities with medical programs, state infrastructure, and a health insurance company), a Canadian health insurer, a university and regional government in Italy, and various government institutions in Australia.
In the second half of March, a second SilverTerrier actor sent phishing emails to several organizations, including a government health agency in the United States, attempting to deliver the Lokibot malware to the intended victims.
On March 23 and 24, a third actor (named Black Emeka) sent a series of emails disguised as COVID-19 information, leveraging PowerShell to download malicious executables onto the victims’ systems.
SilverTerrier threat actors are expected to continue to use COVID-19-themed emails in an attempt to infect their victims with commodity malware to help them achieve their objectives.
“In light of this trend, we encourage government agencies, healthcare and insurance organizations, public utilities, and universities with medical programs to apply extra scrutiny to COVID-19-related emails containing attachments,” Palo Alto Networks concludes.