An HHS.gov open redirect is currently being used by attackers to push malware payloads onto unsuspecting victims' systems with the help of coronavirus-themed phishing emails.
Open redirects are web addresses that automatically redirect users between a source website and a target site, and are regularly used by malicious actors to send their targets to phishing landing pages or to deliver malware payloads under the guise of legitimate services.
HHS.gov is the website of the U.S. Department of Health & Human Services which makes this specific open redirect the perfect tool to lure in potential victims.
The open redirect (https://dcis.hhs.gov/cas/login?service=MALICIOUSURL&gateway=true) is present on the subdomain of HHS's Departmental Contracts Information System, and it was discovered and shared on Twitter by infosec analyst @SecSome.
.png)
The attackers use it to link to a malicious attachment containing a coronavirus.doc.lnk file which will unpack an obfuscated VBS script that will download and execute a Raccoon information stealer malware payload from http://185.62.188[.]204/hunt/post/corona.exe (VirusTotal analysis) after saving it to %Temp%\HhKFW.exe.
Raccoon (aka Legion, Mohazo, and Racealer) is an information-stealing malware initially spotted almost a year ago on cybercriminal forums and capable of stealing data such as email credentials, credit card info, cryptocurrency wallets, browser data, and system information.
A report from CyberArk says that Raccoon is capable of digging its way into about 60 different applications, from browsers, cryptocurrency wallets, email and FTP clients to steal and deliver sensitive information to its operators.
After executing the infostealer, the script also makes use of a decoy that shows an error message to make the victim think there is something wrong with the malicious document.
The server used to previously deliver the malicious payload has since been taken down to probably be replaced with a new one very soon.
BleepingComputer has also been told that the U.S. Department of Health and Human Services (HHS) has been notified of the redirect and it will be hopefully taken offline soon.
While the current phishing campaign abusing HHS.gov open redirects only drops an infostealer as the final malware payload, it can be used to inflict much more damage if the threat actors ever decide to switch payloads.
As an extra tidbit of info, operators behind Netwalker Ransomware have used the same obfuscated VBS script template (in deobfuscated form here) to deliver their payloads in a campaign spotted by MalwareHunterTeam last week.
That series of attacks also used Coronavirus (COVID-19) phishing emails with attachments named 'CORONAVIRUS_COVID-19.vbs' containing an embedded Netwalker Ransomware executable as well as obfuscated code designed to extract and launch it on the compromised devices.
Coronavirus themed phishing and malware
To defend against similar attacks, you should always be suspicious of coronavirus related attachments, especially when received from unknown senders as there's currently a huge influx of malicious attacks using the current COVID-19 pandemic to steal personal information and deliver malware via phishing campaigns.
Additionally, always make sure that you have configured Windows Explorer to show file extensions for all file types as a lot of phishing attacks deliver malicious executables that pretend to be harmless docs. To do that uncheck the 'Hide extensions for known file types' in the File Explorer Options as shown in this tutorial.
Last month, the World Health Organization (WHO), the U.S. Federal Trade Commission (FTC), and the US Cybersecurity and Infrastructure Security Agency (CISA) have all warned about ongoing Coronavirus-themed phishing and cyberscams (1, 2, 3).
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now