
CONFIDENTIAL RESEARCH – PERMISSION REQUIRED BEFORE USE
CYFIRMA Holdings Pte Ltd., 150 Beach Road, Level 35, The Gateway West, Singapore 189720

GLOBAL COVID 19-RELATED PHISHING CAMPAIGN BY NORTH KOREAN OPERATIVES LAZARUS GROUP EXPOSED BY CYFIRMA RESEARCHERS

Reporting Date: 18 June 2020

Assessment Period: 1 to 16 June 2020

Subject: Hacker groups are planning a large-scale phishing campaign targeting more than 5M individuals and businesses (small, medium, and large enterprises) across six countries and multiple continents

Motivation: Financial gain

Method: The campaign uses phishing emails sent under the guise of the local authorities in charge of dispensing government-funded Covid-19 support. The emails are designed to drive recipients to fake websites where they are deceived into divulging personal and financial information.

Executive Summary:

CYFIRMA Researchers have been tracking the Lazarus Group, a known hacker group sponsored by North Korea, for many years. Investigations into the Group's activities have revealed detailed plans indicating an upcoming global phishing campaign.

There is a common thread across the six targeted nations in multiple continents: the governments of these countries have announced significant fiscal support for individuals and businesses in an effort to stabilize their pandemic-ravaged economies. The following are some of the government-funded programs:

• Singapore, a small nation-state in Southeast Asia, has announced almost SGD 100B of financial aid in various forms to stem unemployment and keep businesses afloat;
• Japan has announced stimulus funds of about 234 trillion yen;
• The South Korean government has allocated a total of US$200B in emergency relief funds for industries including carmakers, telecoms, airlines, shipbuilders, and small merchants. The relief funds include cash handouts to families, with certain provinces extending the support to tax-paying foreigners;
• The Indian government has announced Rs 20 lakh crore (US$307B) of credit, finance and collateral-free loans to micro, small and medium enterprises, as well as welfare packages for citizens;
• The United States has set aside trillions of dollars for Economic Impact Payments (Stimulus Payments) and the Paycheck Protection Program to prop up its economy; and
• As part of the UK government's COVID-19 recovery strategy, a number of support programs have been made available, such as the Coronavirus Job Retention Scheme and the Self-Employment Income Support Scheme. The Government's package has also been complemented by further contributions from the Bank of England.

The Lazarus Group's upcoming phishing campaign is designed to impersonate the government agencies, departments, and trade associations tasked with overseeing the disbursement of this fiscal aid.


The hackers plan to capitalize on these announcements to lure vulnerable individuals and companies into falling for the phishing attacks.

Given that the potential victims are likely to be in need of financial assistance, this campaign carries a significant impact on political and social stability.

CYFIRMA Researchers first picked up the lead on June 1, 2020, and have since been analyzing the planned campaign, decoding the threats, and gathering evidence. The evidence points to hackers planning to launch attacks in six countries across multiple continents over a two-day period. Further research uncovered seven different email templates impersonating government departments and business associations.

As of the time of reporting (18 June), we have not seen the phishing or impersonated sites named in the email templates, but our research shows the hackers were planning to set them up within the next 24 hours.

We also observed that the hackers plan to spoof or create fake email IDs impersonating various authorities. These are some of the addresses discussed in their phishing campaign plan (the addresses are redacted in this copy):

[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
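The defensive counterpart to the spoofed sender addresses described above is to refuse to trust a "From" that claims an impersonated agency unless the message passed DMARC at your own mail gateway, and to treat body links that lead away from that agency's domain as the lure. The following is an added example written for this page, not code from the report or from CYFIRMA: it reads the Authentication-Results header that your inbound MTA stamps (only headers carrying your MTA's authserv-id are trusted, since a sender can insert a forged copy), classifies the message, and extracts links whose host is not the claimed sender domain. The authserv-id `mx.example.net`, the protected domains `agency.example` and `bank.example`, and the three sample messages are constructed placeholders; the real addresses in the report are redacted in this copy.

```python
"""Flag inbound mail whose From domain belongs to an agency we protect but
which did not pass our own MTA's sender authentication, and list body links
that point somewhere other than the claimed sender's domain.

Added example, not code from the report. mx.example.net, agency.example,
bank.example and the sample messages are constructed placeholders."""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_AUTHSERV = "mx.example.net"                     # assumed: our inbound MTA
PROTECTED_DOMAINS = {"agency.example", "bank.example"}  # assumed: impersonated senders

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
LINK_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def parse_auth_results(msg):
    """Collect method=result pairs, but only from Authentication-Results
    headers stamped by our own MTA: a sender can prepend a forged copy."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, verdicts = hdr.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue
        for method, verdict in AUTH_RE.findall(verdicts):
            results.setdefault(method.lower(), verdict.lower())
    return results


def from_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def suspicious_links(raw_message):
    """Body links whose host is neither the From domain nor a subdomain of it."""
    msg = email.message_from_string(raw_message)
    domain = from_domain(msg)
    flagged = []
    for url in LINK_RE.findall(body_text(msg)):
        host = (urlsplit(url).hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            flagged.append(url)
    return flagged


def classify(raw_message):
    """Return 'not-protected', 'authenticated' or 'spoof-suspected'."""
    msg = email.message_from_string(raw_message)
    if from_domain(msg) not in PROTECTED_DOMAINS:
        return "not-protected"
    auth = parse_auth_results(msg)
    # dmarc=pass means SPF or DKIM passed *and* aligned with the From domain.
    # A bare spf=pass may belong to an unrelated envelope sender, so it is not enough.
    if auth.get("dmarc") == "pass":
        return "authenticated"
    return "spoof-suspected"


# Constructed samples (203.0.113.0/24 is documentation address space).
SPOOFED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=agency.example;
 dkim=none; dmarc=fail header.from=agency.example
From: "Relief Payments" <relief@agency.example>
To: citizen@example.org
Subject: Direct Payment of USD 1000
Content-Type: text/plain; charset=utf-8

Apply today: http://203.0.113.5/relief/apply
"""

FORGED_HEADER = """\
Authentication-Results: attacker.example; spf=pass; dkim=pass; dmarc=pass
Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=agency.example;
 dkim=none; dmarc=fail header.from=agency.example
From: relief@agency.example
To: citizen@example.org
Subject: Your stimulus payment
Content-Type: text/plain; charset=utf-8

Claim here: https://agency.example.relief-portal.example/claim
"""

LEGIT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=agency.example;
 dkim=pass header.d=agency.example; dmarc=pass header.from=agency.example
From: relief@agency.example
To: citizen@example.org
Subject: Scheme update
Content-Type: text/plain; charset=utf-8

Details: https://www.agency.example/scheme
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("forged-header", FORGED_HEADER), ("legit", LEGIT)):
        print(f"{name:14} {classify(raw):16} {suspicious_links(raw)}")
```

The second sample shows why the authserv-id check matters: the attacker's own Authentication-Results line claims `dmarc=pass`, but it is ignored because it was not stamped by `mx.example.net`. The third sample shows a link that passes because its host is a subdomain of the authenticated From domain; a look-alike such as `agency.example.relief-portal.example` does not.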

Campaign Launch Dates:

According to the hackers' plans as observed by CYFIRMA Research, the phishing campaigns are scheduled to launch in the following countries across multiple continents on the stated dates.

Country        Campaign Launch Date   Target
USA            20 June 2020           Individuals
UK             20 June 2020           Businesses
Japan          20 June 2020           Individuals
India          21 June 2020           Individuals
Singapore      21 June 2020           Businesses
South Korea    21 June 2020           Individuals

Phishing Theme:

USA: The hackers claim to have 1.4M curated email IDs. The plan is to send the email below from a spoofed USDA email account, luring recipients with a fake Direct Payment of USD 1,000 and inciting them to provide personal details. See the email evidence below.


UK: The hackers claim to have 180,000 business contacts. The plan is to send the email below from a spoofed Bank of England email account, luring recipients into providing business details and pressing them to respond before 26 June 2020. See the email evidence below.

Japan: The hackers claim to have 1.1M individual email IDs and plan to send phishing email from a spoofed Ministry of Finance, Japan email account, offering an additional payment of JPY 80,000 to all citizens and residents of Japan. See the email evidence below.


India: The hackers claim to have 2M individual email IDs. The plan is to send emails offering free COVID-19 testing to all residents of Delhi, Mumbai, Hyderabad, Chennai and Ahmedabad, inciting them to provide personal information. See the email evidence below.

Singapore: The hackers claim to have 8,000 business contact details and plan to send phishing email from a spoofed Ministry of Manpower email account, offering an additional payment of SGD 750 for every employee these companies have on their payroll. See the email evidence below.


South Korea: The hackers claim to have 700,000 individual email IDs and will send phishing email to all citizens announcing an additional 1M Won payment in cash and shopping vouchers. The fake email will be spoofed to impersonate the South Korean Government. See the email evidence below.

Technical Discovery:

On 1 June 2020, DeCYFIR, our proprietary cloud-based cyber threat discovery and cyber intelligence platform, detected a suspicious folder named "건강 문제 -2020", which loosely translates to "Health-Problem-2020", hosted on nine IP addresses.

Each entry below lists: IP address (with country where stated), first seen, last seen, purpose (malware/trojan/C&C), association with threat actor, CYFIRMA's assessment, and public reference.

IP address: 177.205.181.88 (Mexico)
First seen: registration date 2002-07-26
Last seen: 2020-05-26
Purpose: Unknown
Association with threat actor: Unknown
CYFIRMA's assessment: Undetected, can be used for malicious activity. Correlation: 1 undetected hash (myfile.exe) 00c1a347741607953534290a82b303da775df2d7ef777b9fdfda8f54b46b6807
Public reference: https://www.virustotal.com/gui/ip-address/177.205.181.88/detection

IP address: 177.205.183.153
First seen: 2020-02-29
Last seen: 2020-05-26
Purpose: Unknown
Association with threat actor: Unknown
CYFIRMA's assessment: Undetected, can be used for malicious activity.
Public reference: https://www.virustotal.com/gui/ip-address/177.205.183.153/detection

IP address: 91.222.247.27 (Ukraine)
First seen: 2020-01-05
Last seen: 2020-06-16
Purpose: Unknown; TOR node, VPN
Association with threat actor: Unknown
CYFIRMA's assessment: Undetected, can be used for malicious activity. Correlation: 4 undetected hashes in VT (myfile.exe): 6134ec59c7ade88996bc373a75538864192aff4b73380af937febc1976e033e8, 540e082fa61625561d473b33719539c9801367f39d3c1a351151100fb2dc4240, 98340bb66a293fdde011d75fe10ca9eaf0e73c6c75cf8645d1fd3314a4fe0309, 1232e05d42b5c2914916fd1e8e70ef3b42cfa6d8866336943f46745ee1e17e0c
Public reference: https://www.virustotal.com/gui/ip-address/91.222.247.27/detection

IP address: 91.228.53.86
First seen: 2020-01-05
Last seen: 2020-06-17
Purpose: C&C, Ransomware
Association with threat actor: Lazarus Group (Confidence: Medium), Zombie Spider (Confidence: Medium)
CYFIRMA's assessment: Undetected, can be used for malicious activity. Correlation: Multiple hashes detected, utilized for Tofsee malware (TA), Shade ransomware (TA)
Public reference: https://www.virustotal.com/gui/ip-address/91.228.53.86/detection

IP address: 77.109.191.140 (Switzerland)
First seen: 2019-12-21
Last seen: 2020-06-17
Purpose: C&C, Trojan, Ransomware
Association with threat actor: TA-505 (Confidence: Medium)
CYFIRMA's assessment: Undetected, can be used for malicious activity. Correlation: Multiple hashes detected, utilized for Locky malware (TA), MaktubLocker ransomware
Public reference: https://www.virustotal.com/gui/ip-address/77.109.191.140/detection

IP address: 37.187.107.91 (France)
First seen: 2019-12-20
Last seen: 2020-06-17
Purpose: C&C, Trojan, Ransomware
Association with threat actor: Lazarus Group (Confidence: Medium), Zombie Spider (Confidence: Medium)
CYFIRMA's assessment: Suspected to be used for distributing spam. Correlation: Multiple hashes detected, utilized for Emotet banking trojan (TA), Shade ransomware (TA)
Public reference: https://www.virustotal.com/gui/ip-address/37.187.107.91/detection

IP address: 104.244.73.193
First seen: 2020-04-07
Last seen: 2020-06-17
Purpose: Malware hosting
Association with threat actor: No direct association
CYFIRMA's assessment: Suspected to be used for distributing spam. Correlation: Multiple hashes detected; 1 spam URL (http://104.244.73.193/)
Public reference: https://www.virustotal.com/gui/ip-address/104.244.73.193/detection

IP address: 45.33.47.218 (United States)
First seen: 2020-01-05
Last seen: 2020-06-17
Purpose: C&C, Ransomware
Association with threat actor: Lazarus Group (Confidence: Medium)
CYFIRMA's assessment: Suspected to be used for distributing spam. Correlation: Locky (TA), Tofsee (TA), MaktubLocker
Public reference: https://www.virustotal.com/gui/ip-address/45.33.47.218/relations

IP address: 45.56.90.176
First seen: 2020-01-05
Last seen: 2020-06-17
Purpose: C&C, Ransomware
Association with threat actor: APT-33/Charming Kitten (Confidence: Medium)
CYFIRMA's assessment: Suspected to be used for distributing spam. Correlation: Remcos RAT (TA)
Public reference: https://www.virustotal.com/gui/ip-address/45.56.90.176/relations

The folder name "건강 문제 -2020", aka "Health-Problem-2020", attracted our researchers' attention because recent months have seen an increase in pandemic-themed malware and campaigns. Inside it our researchers found a folder called "꾸러미" ("bundle"), and under it a file "스크립트 20.txt", Korean for "script20.txt".

스크립트 20.txt screenshot:


After running this file through a translation tool, we found a well-thought-out, detailed plan to launch a phishing campaign against six nations across multiple continents. The plan includes dates, personalized email templates, and Command and Control server details.

[건강 문제 -2020 Screenshot]

Folder names and their English equivalents:

• 미국 – USA
• 영국 – UK
• 일본 – Japan
• 인도 – India
• 싱가포르 – Singapore
• 대한민국 – South Korea

The plan includes personalized email templates designed for each country. The cybercriminals appear to have invested significant effort to make each email relevant to the country's context, which increases the campaign's likely success rate.

From "스크립트 20.txt" ("script20.txt") we picked up the following email servers, described in the plan as hacked, which will potentially be used to send out the phishing emails. Although we cannot confirm that these mail servers were hacked, CYFIRMA's DeCYFIR platform detected and flagged them as malicious, and this assessment is corroborated by public tools such as VirusTotal and AlienVault OTX.


Each entry below lists: IP address, first seen, last seen, purpose (malware/trojan/C&C), association with threat actor, CYFIRMA's assessment, and public reference.

IP address: 112.85.42.194
First seen: 2014-11-12
Last seen: 2020-03-14
Purpose: Malicious
Association with threat actor: Unknown
CYFIRMA's assessment: Suspected to be used for distributing spam. Correlation: 1 hash detected (d51bd6ac8f03895af1cd5eff41af0a03f199e84f98d13f401ee9d7c63ba2fc15), 1 spam URL (http://112.85.42.194/)
Public reference: https://www.virustotal.com/gui/ip-address/112.85.42.194/detection

IP address: 108.58.41.139
First seen: 2020-01-08
Last seen: 2020-06-17
Purpose: Malicious
Association with threat actor: Unknown
CYFIRMA's assessment: Suspected to be used for distributing spam. Correlation: 1 domain detected (ool-6c3a298b.static.optonline.net), 1 spam URL (http://108.58.41.139/)
Public reference: https://www.virustotal.com/gui/ip-address/108.58.41.139/detection

IP address: 41.230.17.249
First seen: 2020-01-05
Last seen: 2020-06-16
Purpose: Malicious
Association with threat actor: Unknown
CYFIRMA's assessment: Suspected to be used for distributing spam. Correlation: 1 spam URL detected (http://41.230.17.249/)
Public reference: https://www.virustotal.com/gui/ip-address/41.230.17.249/detection

IP address: 119.10.177.94
First seen: 2020-01-19
Last seen: 2020-05-19
Purpose: Malicious
Association with threat actor: Unknown
CYFIRMA's assessment: Suspected to be used for distributing spam. Correlation: 1 hash detected (83ce2e12c6de29fe6155be554f8ea011d47c21af92b7ebb8eb58e288b3a38d46), 1 spam URL (https://119.10.177.94:4145)
Public reference: https://www.virustotal.com/gui/ip-address/119.10.177.94/detection

IP address: 45.190.220.241
First seen: 2020-02-12
Last seen: 2020-06-16
Purpose: Malware hosting
Association with threat actor: No direct association
CYFIRMA's assessment: Found to be malicious, suspected to be used for distributing spam.
Public reference: https://www.virustotal.com/gui/ip-address/45.190.220.241/detection

IP address: 89.203.142.18
First seen: 2020-01-05
Last seen: 2020-06-16
Purpose: Malicious
Association with threat actor: Unknown
CYFIRMA's assessment: Suspected to be used for distributing spam. Correlation: 1 HTML file detected (nocookies.html, 1444dd391144e74e2f67baba0cdee7bbfc2f693d1c4128d8da55d77dc20860bc), 1 spam URL (http://89.203.142.18/)
Public reference: https://www.virustotal.com/gui/ip-address/89.203.142.18/detection

IP address: 104.181.50.170
First seen: 2020-01-18
Last seen: 2020-05-10
Purpose: Unknown
Association with threat actor: Unknown
CYFIRMA's assessment: Suspected malicious signature. Correlation: 1 undetected hash (6492e4dc103780eecbdcc4e3fcf9f9d791fcbfc1cafd6b54d30e4f66bf487938)
Public reference: https://www.virustotal.com/gui/ip-address/104.181.50.170/detection

IP address: 104.192.200.144
First seen: 2019-12-13
Last seen: 2020-05-06
Purpose: Unknown
Association with threat actor: Unknown
CYFIRMA's assessment: Suspected malicious signature.
Public reference: https://www.virustotal.com/gui/ip-address/104.192.200.144/detection

IP address: 41.190.232.130
First seen: 2019-12-13
Last seen: 2020-05-04
Purpose: Unknown
Association with threat actor: Unknown
CYFIRMA's assessment: Suspected malicious signature.
Public reference: https://www.virustotal.com/gui/ip-address/41.190.232.130/detection

IP address: 43.250.127.98
First seen: 2019-12-13
Last seen: 2020-06-16
Purpose: Malicious
Association with threat actor: Unknown
CYFIRMA's assessment: Suspected to be used for distributing a trojan. Correlation: 1 hash detected (6a6b8cc2e2f44c67dfea05593d08c33622058ba4e6f09333b93ddb6c9f65664c), 1 spam URL (http://43.250.127.98/)
Public reference: https://www.virustotal.com/gui/ip-address/43.250.127.98/detection

IP address: 94.176.189.140
First seen: 2019-12-20
Last seen: 2020-06-17
Purpose: Malicious
Association with threat actor: Unknown
CYFIRMA's assessment: Suspected to be used for distributing spam. Correlation: Multiple spam URLs, XML Excel sheets and domains detected
Public reference: https://www.virustotal.com/gui/ip-address/94.176.189.140/detection

IP address: 79.124.61.139
First seen: 2020-05-17
Last seen: 2020-06-16
Purpose: Unknown
Association with threat actor: Unknown
CYFIRMA's assessment: Undetected, can be used for malicious activity. Correlation: 2 domains detected (ns2.avcilararcelikservisi.com, ns1.avcilararcelikservisi.com)
Public reference: https://www.virustotal.com/gui/ip-address/79.124.61.139/detection

IP address: 14.248.136.215
First seen: 2020-06-15
Last seen: 2020-06-16
Purpose: Unknown
Association with threat actor: Unknown
CYFIRMA's assessment: Suspected to be used for distributing spam.
Public reference: https://www.virustotal.com/gui/ip-address/14.248.136.215/detection

IP address: 95.30.218.148
First seen: 2020-01-17
Last seen: 2020-01-17
Purpose: Unknown
Association with threat actor: Unknown
CYFIRMA's assessment: Undetected, can be used for malicious activity.
Public reference: https://www.virustotal.com/gui/ip-address/95.30.218.148/detection

IP address: 58.22.217.122
First seen: registration date 2004-05-03
Last seen: updated 2010-07-30
Purpose: Unknown
Association with threat actor: Unknown
CYFIRMA's assessment: Undetected, can be used for malicious activity.
Public reference: https://www.virustotal.com/gui/ip-address/58.22.217.122/detection

The following are the Command and Control or data collection servers observed in the hackers' plan. The fake or impersonated URLs will be hosted on these servers. They are attributed to the Lazarus Group using CYFIRMA's DeCYFIR platform; the assessment is also corroborated by public tools such as VirusTotal and AlienVault OTX.

Each entry below lists: IP address, first seen, last seen, purpose (malware/trojan/C&C), association with threat actor, CYFIRMA's assessment, and public reference.

IP address: 218.255.24.226
First seen: 2020-01-05
Last seen: 2020-06-17
Purpose: C&C, commodity malware
Association with threat actor: Lazarus Group (Confidence: Medium)
CYFIRMA's assessment: Multiple associations; using NukeSped RAT (TA)
Public reference: https://www.virustotal.com/gui/ip-address/218.255.24.226/detection

IP address: 195.158.234.60
First seen: 2019-12-27
Last seen: 2020-06-16
Purpose: C&C, commodity malware
Association with threat actor: Lazarus Group (Confidence: Medium)
CYFIRMA's assessment: Multiple associations; using NukeSped RAT (TA)
Public reference: https://www.virustotal.com/gui/ip-address/195.158.234.60/detection

IP address: 111.68.7.74
First seen: 2020-01-13
Last seen: 2020-06-16
Purpose: C&C, commodity malware
Association with threat actor: Lazarus Group (Confidence: Low)
CYFIRMA's assessment: Multiple associations; using Razy trojan (commodity malware) (TA)
Public reference: https://www.virustotal.com/gui/ip-address/111.68.7.74/detection

IP address: 172.217.17.110
First seen: 2020-01-05
Last seen: 2020-06-17
Purpose: C&C, commodity malware
Association with threat actor: Lazarus Group (Confidence: Medium)
CYFIRMA's assessment: Multiple associations; using Polyransom malware (TA)
Public reference: https://www.virustotal.com/gui/ip-address/172.217.17.110/detection

IP address: 69.172.201.153
First seen: 2020-01-05
Last seen: 2020-06-16
Purpose: C&C, commodity malware
Association with threat actor: Lazarus Group (Confidence: High)
CYFIRMA's assessment: Multiple associations; using Coinminer, Emotet, Mydoom (Operation Blockbuster)
Public reference: https://www.virustotal.com/gui/ip-address/69.172.201.153/detection

IP address: 31.170.163.101
First seen: 2019-12-11
Last seen: 2020-06-17
Purpose: C&C, commodity malware
Association with threat actor: Lazarus Group (Confidence: Medium)
CYFIRMA's assessment: Multiple associations; using Strictor, Razy (TA)
Public reference: https://www.virustotal.com/gui/ip-address/31.170.163.101/detection

IP address: 180.120.38.159
First seen: registration date 2009-04-29
Last seen: updated 2010-07-30
Purpose: Commodity malware
Association with threat actor: Lazarus Group (Confidence: Medium)
CYFIRMA's assessment: Suspected to be used for distributing spam and malware. Correlation: 2 URLs (seemingly used for malware hosting), 1 hash e15e93db3ce3a8a22adb4b18e0e37b93f39c495e4a97008f9b1a9a42e1fac2b0 (Mirai) (TA)
Public reference: https://www.virustotal.com/gui/ip-address/180.120.38.159/detection

IP address: 80.78.250.92
First seen: 2019-12-11
Last seen: 2020-06-17
Purpose: C&C
Association with threat actor: Gothic Panda (Confidence: Medium)
CYFIRMA's assessment: Multiple associations; using Sality, Bayrob (TA)
Public reference: https://www.virustotal.com/gui/ip-address/80.78.250.92/detection

IP address: 84.22.138.150
First seen: 2019-12-13
Last seen: 2020-05-29
Purpose: Malicious
Association with threat actor: Unknown
CYFIRMA's assessment: Multiple associations, suspected to be used for distributing spam and malware. Correlation: 2 URLs (seemingly used for spam): https://84.22.138.150/, http://84.22.138.150/
Public reference: https://www.virustotal.com/gui/ip-address/84.22.138.150/detection

IP address: 182.254.137.202
First seen: 2020-01-01
Last seen: 2020-06-16
Purpose: Malicious
Association with threat actor: Gothic Panda (Confidence: Medium)
CYFIRMA's assessment: Correlation: 1 URL http://182.254.137.202/ (malicious), 1 domain (opteeq.com, apparently a semiconductor and manufacturing site operating from Guangdong)
Public reference: https://www.virustotal.com/gui/ip-address/182.254.137.202/detection

IP address: 45.147.200.145
First seen: 2020-01-27
Last seen: 2020-02-24
Purpose: Malicious
Association with threat actor: Unknown
CYFIRMA's assessment: Multiple associations (appears to be used for phishing)
Public reference: https://www.virustotal.com/gui/ip-address/45.147.200.145/detection

IP address: 201.163.36.134
First seen: registration date 2003-04-03
Last seen: updated 2010-07-21
Purpose: Unknown
Association with threat actor: Unknown
CYFIRMA's assessment: Undetected, can be used for malicious activity. Correlation: 1 email file detected (722ce7b47a3905248158ff0a2f4aaf8583a759d59e2c8d4aee9a0fdd567ac4fd)
Public reference: https://www.virustotal.com/gui/ip-address/201.163.36.134/detection

IP address: 42.231.162.212
First seen: 2020-01-25
Last seen: 2020-02-24
Purpose: Malicious
Association with threat actor: Unknown
CYFIRMA's assessment: Multiple associations, suspected to be used for distributing spam. Correlation: referring to 7 email files (1 with a trojan detected) and 1 URL (spam)
Public reference: https://www.virustotal.com/gui/ip-address/42.231.162.212/detection

IP address: 187.150.36.168
First seen: 2020-02-06
Last seen: 2020-05-31
Purpose: Unknown
Association with threat actor: Unknown
CYFIRMA's assessment: Undetected, can be used for malicious activity.
Public reference: https://www.virustotal.com/gui/ip-address/187.150.36.168/detection

IP address: 120.194.77.41
First seen: 2020-03-31
Last seen: 2020-04-04
Purpose: Unknown
Association with threat actor: Unknown
CYFIRMA's assessment: Undetected, can be used for malicious activity.
Public reference: https://www.virustotal.com/gui/ip-address/120.194.77.41/detection

Further analysis of the script20.txt file revealed the following additional hashes and IP addresses, which show a trail linking to the Lazarus Group.


Each entry below lists: indicator (the first four are MD5 file hashes, the rest IP addresses), first seen or first submission, last seen or last analysis, purpose (malware/trojan/C&C), association with threat actor, CYFIRMA's assessment, and public reference.

Indicator: 149a696472d4a189f5896336ab16cc34 (MD5)
First submission: 2020-06-01
Last analysis: 2020-06-11
Purpose: Malicious
Association with threat actor: Lazarus Group (Confidence: High)
CYFIRMA's assessment: Using NukeSped RAT (TA); used in a campaign that leverages fake cryptocurrency exchanges (TA)
Public reference: https://www.virustotal.com/gui/file/572a124f5665be68eaa472590f3ba75bf34b0ea2942b5fcbfd3e74654202dd09/detection, https://otx.alienvault.com/indicator/file/149a696472d4a189f5896336ab16cc34

Indicator: 98c1ecc4aed0099fb8c797b1ce72f3c0 (MD5)
First submission: 2020-05-19
Last analysis: 2020-06-05
Purpose: Malicious
Association with threat actor: Lazarus Group (Confidence: High)
CYFIRMA's assessment: Using OpenCarrot malware (TA)
Public reference: https://www.virustotal.com/gui/file/333b4da636271f57c2f16acba9adc389c66fc4d7e215050f0e4f50218b52c979/detection

Indicator: c59d50189a12e0b0c3982358f084d1db (MD5)
First submission: 2019-07-27
Last submission: 2019-11-02
Purpose: Malicious
Association with threat actor: Lazarus Group (Confidence: High)
CYFIRMA's assessment: Using Shaitan malware (TA)
Public reference: https://www.virustotal.com/gui/file/dd1232df0703e028418f59026f7eb3f68cdb7eb15352229dc2db04e3ee5e90da/detection

Indicator: 88de31ad947927004ab56ab1e855fd64 (MD5)
First submission: 2020-06-01
Last analysis: 2020-06-15
Purpose: Malicious
Association with threat actor: Lazarus Group (Confidence: High)
CYFIRMA's assessment: Using NukeSped RAT (TA), FakeCoinTrader
Public reference: https://www.virustotal.com/gui/file/3e5442440aea07229a1bf6ca2fdf78c5e2e5eaac312a325ccb49d45da14f97f4/detection

Indicator: 211.192.239.232 (IP address)
First seen: registration date 1996-06-30
Last seen: updated 2010-08-02
Purpose: C&C, malicious
Association with threat actor: Lazarus Group (Confidence: High)
CYFIRMA's assessment: Using TAINTEDSCRIBE malware (TA), NukeSped RAT (TA)
Public reference: https://www.virustotal.com/gui/ip-address/211.192.239.232/detection

Indicator: 67.43.239.146 (IP address)
First seen: 2019-12-12
Last seen: 2020-04-29
Purpose: C&C, malicious
Association with threat actor: Lazarus Group (Confidence: High)
CYFIRMA's assessment: Using the new macOS Dacls RAT (TA)
Public reference: https://www.virustotal.com/gui/ip-address/67.43.239.146/detection

Indicator: 184.168.221.48 (IP address)
First seen: registration date 2010-09-21
Last seen: updated 2014-02-25
Purpose: C&C, malicious
Association with threat actor: Lazarus Group (Confidence: High)
CYFIRMA's assessment: Using Bayrob (TA), Zusy, Occamy
Public reference: https://www.virustotal.com/gui/ip-address/184.168.221.48/detection

Indicator: 166.62.112.193 (IP address)
First seen: 2020-01-05
Last seen: 2020-06-17
Purpose: C&C, malicious
Association with threat actor: Lazarus Group (Confidence: High)
CYFIRMA's assessment: Using Sodinokibi ransomware (TA)
Public reference: https://www.virustotal.com/gui/ip-address/166.62.112.193/detection

Indicator: 154.73.92.52 (IP address)
First seen: 2019-12-11
Last seen: 2020-06-17
Purpose: C&C
Association with threat actor: Lazarus Group (Confidence: Medium)
CYFIRMA's assessment: Using AgentTesla malware (TA)
Public reference: https://www.virustotal.com/gui/ip-address/154.73.92.52/detection

Indicator: 175.41.26.134 (IP address)
First seen: 2020-01-05
Last seen: 2020-06-16
Purpose: Unknown
Association with threat actor: Unknown
CYFIRMA's assessment: Multiple associations, suspected to be used for distributing spam. Correlation: multiple hashes (phishing)
Public reference: https://www.virustotal.com/gui/ip-address/175.41.26.134/detection

Indicator: 104.27.129.157 (IP address)
First seen: 2019-12-12
Last seen: 2020-06-17
Purpose: C&C
Association with threat actor: Unknown
CYFIRMA's assessment: Can be used for malicious activity. Correlation: Guildma banking trojan, Ulise
Public reference: https://www.virustotal.com/gui/ip-address/104.27.129.157/detection

Indicator: 103.8.196.98 (IP address)
First seen: 2019-12-11
Last seen: 2020-05-24
Purpose: Unknown
Association with threat actor: Unknown
CYFIRMA's assessment: Suspected to be used for distributing spam.
Public reference: https://www.virustotal.com/gui/ip-address/103.8.196.98/detection
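The indicator tables above are only useful once they are matched against your own telemetry: mail gateway logs for the sending servers, proxy or firewall logs for the C&C and data-collection addresses, and endpoint file hashes for the samples. The following is an added example written for this page, not code from the report or from CYFIRMA. The indicator values are copied from the tables above; the log lines and their key=value format are constructed for the example and do not mirror any real product's output. Two details matter in practice and are handled here: the tables mix MD5 and SHA-256 values in one column, so each hash is typed by length before it is compared against the right log field; and an IP that appears in a free-text field (a ticket note, a subject line) is not a connection, so each indicator kind is only matched against the fields that can legitimately carry it.

```python
"""Match the report's network and file indicators against sample logs.

Added example, not code from the report. Indicator values are copied from
the tables above; the log lines and their key=value layout are constructed."""
import re
from collections import namedtuple

Ioc = namedtuple("Ioc", "value kind context")

# (value, context) pairs taken from the tables above.
RAW_IOCS = [
    ("112.85.42.194", "suspected spam relay (mail server list)"),
    ("218.255.24.226", "C&C, Lazarus Group (Confidence: Medium), NukeSped RAT"),
    ("69.172.201.153", "C&C, Lazarus Group (Confidence: High)"),
    ("211.192.239.232", "C&C, Lazarus Group (Confidence: High), TAINTEDSCRIBE / NukeSped"),
    ("149a696472d4a189f5896336ab16cc34", "NukeSped RAT sample, Lazarus Group (Confidence: High)"),
    ("d51bd6ac8f03895af1cd5eff41af0a03f199e84f98d13f401ee9d7c63ba2fc15", "hash seen on 112.85.42.194"),
    ("e15e93db3ce3a8a22adb4b18e0e37b93f39c495e4a97008f9b1a9a42e1fac2b0", "Mirai sample on 180.120.38.159"),
]

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_ioc(value):
    """'ipv4', 'md5', 'sha1', 'sha256', or None. The report lists MD5 and
    SHA-256 values in the same column, so the length decides which log
    field each one is compared against."""
    v = value.strip().lower()
    if IPV4_RE.match(v) and all(int(o) <= 255 for o in v.split(".")):
        return "ipv4"
    if HEX_RE.match(v):
        return HASH_KINDS.get(len(v))
    return None


def load_iocs(raw):
    iocs = {}
    for value, context in raw:
        kind = classify_ioc(value)
        if kind is None:
            raise ValueError(f"unrecognised indicator: {value!r}")
        key = value.strip().lower()
        iocs[key] = Ioc(key, kind, context)
    return iocs


# Which log fields may legitimately carry each indicator kind; an IP that
# appears in a free-text field is not a network connection.
FIELDS_BY_KIND = {
    "ipv4": ("src", "dst"),
    "md5": ("md5",),
    "sha1": ("sha1",),
    "sha256": ("sha256",),
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def scan(log_lines, iocs):
    """Return (line_no, field, Ioc) for every indicator match in the logs."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for key, value in KV_RE.findall(line):
            ioc = iocs.get(value.lower())
            if ioc and key in FIELDS_BY_KIND[ioc.kind]:
                hits.append((n, key, ioc))
    return hits


# Constructed log lines: a mail gateway, a web proxy and an endpoint agent.
SAMPLE_LOG = [
    "2020-06-20T08:12:03Z mta=mx.example.net action=accept src=112.85.42.194 subject=Direct_Payment",
    "2020-06-20T08:12:09Z proxy=px1 user=alice dst=218.255.24.226 method=POST path=/collect status=200",
    "2020-06-20T08:13:44Z edr=host42 event=file_create name=myfile.exe md5=149a696472d4a189f5896336ab16cc34",
    "2020-06-20T08:15:00Z proxy=px1 user=bob dst=198.51.100.7 method=GET path=/ status=200",
    "2020-06-20T08:16:21Z edr=host42 event=file_create name=update.bin sha256=e15e93db3ce3a8a22adb4b18e0e37b93f39c495e4a97008f9b1a9a42e1fac2b0",
    "2020-06-20T08:17:02Z ticket=4711 note=69.172.201.153 status=closed",
]

if __name__ == "__main__":
    for n, field, ioc in scan(SAMPLE_LOG, load_iocs(RAW_IOCS)):
        print(f"line {n}: {field}={ioc.value} [{ioc.kind}] {ioc.context}")
```

The last sample line carries a listed C&C address in a ticket note and produces no hit, which is the intended behaviour; the four hits that remain each name the field that matched and the table context, so an analyst can weigh a "Confidence: Medium" C&C association differently from a confirmed sample hash.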

English translations of the email templates, per country, produced with public translation tools (translation quality may be imperfect):

USA: [email template was in English; emm.rtf file screenshot] The hackers claim to have 1.4M curated email IDs. The plan is to send the email below from a spoofed USDA email account, luring recipients with a fake Direct Payment of USD 1,000 and inciting them to provide personal details. See the email evidence below.


UK: [email template was in English; emm.rtf file screenshot] The hackers claimed to have 180,000 business contacts. The plan is to send the email below from a spoofed Bank of England email account, luring recipients into providing business details and pressing them to do so before 26 June 2020. Please see the email evidence below.

Japan: [English translation from the emm.rtf file] The hackers claimed to have 1.1M individual email IDs and plan to send a phishing email from a spoofed Ministry of Finance, Japan email account offering an additional payment of JPY 80,000 to all citizens and residents of Japan. Please see the email evidence below.


Residents

The Japanese Ministry of Finance today announced an additional support fund of JPY 80,000

for all residents of Japan.

To ease the process from the previous time, you can apply online this time using the link [].

Apply today

By July 15, 2020, you will receive payment directly into your bank account or a check will be

sent to the communication address provided by you.

Government of Japan is committed to well-being of all citizens and residents.

Thank You,

The Ministry of Finance, Japan

100100-8940 3-1-1 Kasumigaseki, Chiyoda-ku, Tokyo Tel: 03-3581-4111

India: [email template was in English; emm.rtf file screenshot] The hackers claimed to have 2M individual email IDs. The plan is to send emails offering free COVID-19 testing to all residents of Delhi, Mumbai, Hyderabad, Chennai and Ahmedabad, inciting them to provide personal information. Please see the email evidence below.

Singapore: [English translation from the emm.rtf file] The hackers claimed to have 8,000 business contact details and plan to send a phishing email from a spoofed Ministry of Manpower email account offering an additional payment of SGD 750 for every employee these companies have on their payroll. Please see the email evidence below.

Member of Singapore Business Federation,

Thank you for your long-term support during the COVID19 circuit breaker. We understand the

pain and torture you have suffered in the past two months, which has prevented you from

conducting business.

In the past few months, we have announced many business friendly programs supported by

the Singapore government. In addition, the Ministry of Manpower (MOM) of Singapore today

announced a new financial plan that provides a one-time subsidy of S$750 per employee

under the Work Support Plan (JSS).


Please register your company and don't forget to provide your company bank information so

that we can transfer funds automatically.

Claim your financial support immediately: []

Thank you,

Ministry of Manpower [MOM] Singapore

MOM Service Center

1500 Bendemeer Road, Singapore 339946

Employment Pass Service Center

Binhe Road, 20 Upper Ring Road, #04-01/02, Singapore 058416

South Korea: [English translation from the emm.rtf file] The hackers claimed to have 700,000 individual email IDs and will send a phishing email to all citizens announcing an additional payment of 1M won in cash and shopping vouchers. The fake email will be spoofed to impersonate the South Korean Government. Please see the email evidence below.

Residents

In addition to the Ministry of Economy and Finance announcement in March 2020, today the Ministry of Health and Welfare (MOHW) is announcing a 2nd relief fund for citizens and residents.

Under this relief fund all citizens and residents will be eligible to receive up to 1 million won in

cash and shopping vouchers.

In order to receive the cash payout, all citizens must register today.

You can apply here ()

Thank You,

Ministry of Health and Welfare

13, Doum 4-ro, Sejong, (30113) Korea

HELP CENTER 82-129
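The templates above share one shape: a sender display name borrowed from a government body or trade association, a fixed payout figure, a deadline or a call to act today, and a link to a page that asks for personal or bank details. As an added example (not code from the CYFIRMA report), the Python script below turns those traits into a scoring check over raw RFC 822 messages using only the standard library. The two sample messages are constructed to resemble the templates (every domain is a reserved .example name), and TRUSTED_DOMAINS is a placeholder an analyst would fill with the legitimate sender domains of the impersonated bodies.

```python
"""Score an inbound message against the lure pattern the report describes.

Added example, not code from the CYFIRMA report. The sample messages are
constructed; all domains are reserved .example names and TRUSTED_DOMAINS is a
placeholder for the real sender domains of the impersonated organisations.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Bodies the report says the templates impersonate (matched case-insensitively).
IMPERSONATED = [
    "usda", "bank of england", "ministry of finance", "ministry of manpower",
    "ministry of health and welfare", "singapore business federation",
]
# Placeholder allow-list (assumption): legitimate sender domains of those bodies.
TRUSTED_DOMAINS = {"example.gov"}

AMOUNT_RE = re.compile(
    r"(?:USD|SGD|JPY|US\$|S\$|Rs\.?|\$)\s?\d[\d,]*"
    r"|\b\d[\d,]*\s?(?:won|yen|dollars)\b", re.I)
DEADLINE_RE = re.compile(
    r"\b(?:before|by)\s+\d{1,2}\s+[A-Za-z]+\s+\d{4}"      # before 26 June 2020
    r"|\b(?:before|by)\s+[A-Za-z]+\s+\d{1,2},?\s+\d{4}"   # by July 15, 2020
    r"|\b(?:today|immediately)\b", re.I)
DETAILS_RE = re.compile(
    r"\bbank\s+(?:account|information|details)\b"
    r"|\bpersonal\s+(?:details|information)\b"
    r"|\bregister\s+your\s+company\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>]+", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    """Concatenate the text/plain parts (or the single body) of a message."""
    parts = ([p for p in msg.walk() if p.get_content_type() == "text/plain"]
             if msg.is_multipart() else [msg])
    chunks = []
    for part in parts:
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Return the lure indicators found in one RFC 822 message and a verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    subject = msg.get("Subject", "")
    reasons = []

    # 1. A display name that claims an impersonated body, sent from elsewhere.
    claimed = [org for org in IMPERSONATED
               if org in display.lower() or org in subject.lower()]
    if claimed and from_dom not in TRUSTED_DOMAINS:
        reasons.append(f"claims to be {claimed[0]!r} but sends from {from_dom!r}")
    # 2. Replies steered to a different domain than the apparent sender.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom!r} differs from From domain")
    # 3-5. Payout, deadline and a request for details in the body.
    body = _body_text(msg)
    if AMOUNT_RE.search(body):
        reasons.append("promises a fixed payout")
    if DEADLINE_RE.search(body):
        reasons.append("pushes a deadline or immediate action")
    if DETAILS_RE.search(body):
        reasons.append("asks for personal or bank details")
    # 6. Links whose host is outside the sender's own domain.
    foreign = []
    for url in URL_RE.findall(body):
        host = (urlparse(url.rstrip(".,)")).hostname or "").lower()
        if host and not (host == from_dom or host.endswith("." + from_dom)):
            foreign.append(host)
    if foreign:
        reasons.append(f"links to {sorted(set(foreign))} outside the sender domain")

    score = len(reasons)
    verdict = "likely lure" if score >= 3 else "suspicious" if score else "clean"
    return {"from": addr, "claims": claimed, "reasons": reasons,
            "score": score, "verdict": verdict}


# Constructed sample modelled on the Singapore template in the report.
LURE_SAMPLE = """\
From: "Ministry of Manpower [MOM] Singapore" <notice@mom-jss-claims.example>
Reply-To: claims@sg-relief-desk.example
To: finance@smallbiz.example
Subject: One-time JSS subsidy for your employees

Member of Singapore Business Federation,

The Ministry of Manpower (MOM) of Singapore today announced a one-time
subsidy of S$750 per employee under the Jobs Support Scheme (JSS).

Please register your company and don't forget to provide your company bank
information so that we can transfer funds automatically.

Claim your financial support immediately: http://jss-claim-portal.example/register
"""

# Constructed benign message for comparison.
CLEAN_SAMPLE = """\
From: "HR Team" <hr@corp.example>
To: staff@corp.example
Subject: Timesheet reminder

Hello all,

Please submit your timesheets for this month through the intranet:
https://intranet.corp.example/timesheets

Thanks,
HR
"""

if __name__ == "__main__":
    for sample in (LURE_SAMPLE, CLEAN_SAMPLE):
        result = score_message(sample)
        print(result["from"], "->", result["verdict"], f"(score {result['score']})")
        for reason in result["reasons"]:
            print("  -", reason)
```

The verdict is a triage aid, not a block decision: a genuine government mailing can legitimately quote an amount and a deadline, which is why the display-name/domain mismatch and the off-domain link carry most of the weight and why the allow-list has to be maintained. The script works offline and does not evaluate SPF, DKIM or DMARC for the sending domain; in a real pipeline those authentication results are the first thing to join to this score, since every template in the report depends on a spoofed sender.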


ABOUT CYFIRMA

Headquartered in Singapore and Tokyo, CYFIRMA is a leading threat discovery and

cybersecurity platform company. Its cloud-based AI and ML-powered cyber intelligence

analytics platform helps organizations proactively identify potential threats at the planning

stage of cyberattacks, offers deep insights into their cyber landscape, and amplifies

preparedness by keeping the organization’s cybersecurity posture up-to-date, resilient, and

ready against upcoming attacks.

CYFIRMA works with many Fortune 500 companies. The company has offices and teams

located in Singapore, Japan and India.

Official websites:

www.cyfirma.com

www.cyfirma.jp