As we predicted just a few days ago, malicious actors are now exploiting the media firestorm surrounding President Donald Trump's diagnosis late last week with COVID-19.
Yesterday, customers using the Phish Alert Button (PAB) reported a phishing campaign attempting to capitalize on the news of Trump's health situation.
The email is matter-of-fact and to the point, sticking fairly close to themes already established in many mainstream news reports. No ridiculously hyperbolic claims here.
The email offers potential marks an embedded link pointing to a file on Google Docs and suggests that unwitting clickers will be provided a password-protected file of some sort. The file on Google Docs, however, merely provides a redirect to yet another file hosted on download2112.com, a domain created the very day we spotted this phishing campaign (10/6/2020).
Note: HybridAnalysis has a report on a domain (getfile24.com) that appears to be related to download2112.com.
Curiously, that second file is currently redirecting to a Russian Bitcoin site.
Whether that is or was the intended destination from the get-go is not clear. Perhaps there was a password-protected file at some point that was subsequently taken down. Perhaps there wasn't.
Update (10/09/2020): As it turns out, security researchers were able to get to the bottom of this particular phish. The Google Docs landing page does (or did) indeed lead to the download of BazaLoader, a trojan downloader that pulls down additional malware and effectively establishes a backdoor on the infected machine. (We likely got shunted to that Russian Bitcoin site because the download2112.com site did not like something about the test platform we happened to be using.)
Whatever the case, Google has now started taking down some of the intermediate files hosted on Google Docs.
This malicious campaign uses a variety of very similar emails with a narrow range of closely-related Subject: lines, including:
- The things you don't know related to Trump's current health state
- Things you do not know pertaining to Trump's existing health status
- Most recent details pertaining to Trump's illness
- Latest details related to Trump's situation
- Something you don't know regarding Trump's present-day health condition
- Most up-to-date details related to Trump's situation
- Latest material about Trump's condition
- Most up-to-date info about Trump's illness
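To turn the indicators above into something a mail filter or SOC analyst could actually run, here is an added Python triage rule. It is illustrative code written for this post, not KnowBe4 tooling and not anything recovered from the campaign itself. It normalizes the Subject: line, matches it against a single regex built from the eight observed variants (so small rewordings in the same template still hit), and adds weight when the body carries a docs.google.com link (the lure's first hop) or promises a "password-protected" file. The sample messages, the score weights, and the block/review thresholds are constructed assumptions.

```python
"""Triage rule for the Trump-health phishing lure (added illustration, not KnowBe4 code)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# The eight Subject: lines reported in the post, used to validate the template regex.
OBSERVED_SUBJECTS = [
    "The things you don't know related to Trump's current health state",
    "Things you do not know pertaining to Trump's existing health status",
    "Most recent details pertaining to Trump's illness",
    "Latest details related to Trump's situation",
    "Something you don't know regarding Trump's present-day health condition",
    "Most up-to-date details related to Trump's situation",
    "Latest material about Trump's condition",
    "Most up-to-date info about Trump's illness",
]

# One template with synonym slots: <lead> <connector> trump's [<qualifier>] <noun>.
SUBJECT_RE = re.compile(
    r"^(?:"
    r"(?:the )?(?:things|something) you (?:don't|do not) know"
    r"|(?:most recent|latest|most up-to-date) (?:details|material|info)"
    r") (?:related to|pertaining to|regarding|about) trump's "
    r"(?:(?:current|existing|present-day) )?"
    r"(?:health (?:state|status|condition)|illness|situation|condition)$"
)
GDOCS_LINK_RE = re.compile(r"https?://docs\.google\.com/[^\s<>\"')]+", re.IGNORECASE)
PASSWORD_LURE_RE = re.compile(r"password[- ]protected", re.IGNORECASE)


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def normalize_subject(subject: str) -> str:
    """Lowercase, straighten curly apostrophes, drop Re:/Fwd: prefixes, collapse spaces."""
    s = subject.replace("\u2019", "'").lower()
    s = re.sub(r"^(?:(?:re|fw|fwd):\s*)+", "", s)
    return re.sub(r"\s+", " ", s).strip()


def triage(subject: str, body: str) -> Verdict:
    """Score one message on the three indicators described in the post."""
    v = Verdict()
    if SUBJECT_RE.match(normalize_subject(subject)):
        v.score += 3
        v.reasons.append("subject matches campaign template")
    links = GDOCS_LINK_RE.findall(body)
    if links:
        v.score += 2
        v.reasons.append("google docs link in body: " + links[0])
    if PASSWORD_LURE_RE.search(body):
        v.score += 1
        v.reasons.append("body promises a password-protected file")
    return v


def classify(v: Verdict) -> str:
    """Assumed thresholds: 5+ block, 3-4 queue for analyst review, else pass."""
    if v.score >= 5:
        return "block"
    if v.score >= 3:
        return "review"
    return "pass"


# Constructed sample messages (subject, body); the doc ID is a placeholder.
SAMPLE_PHISH: Tuple[str, str] = (
    "Latest details related to Trump's situation",
    "Full report here: https://docs.google.com/document/d/EXAMPLE_DOC_ID/view "
    "The file is password-protected, the password is inside the document.",
)
SAMPLE_FORWARDED: Tuple[str, str] = (
    "Fwd: Most up-to-date info about Trump's illness",
    "See below.",
)
SAMPLE_BENIGN: Tuple[str, str] = (
    "Q4 budget review",
    "Numbers are in https://docs.google.com/spreadsheets/d/EXAMPLE_SHEET_ID/edit",
)

if __name__ == "__main__":
    for name, msg in [("phish", SAMPLE_PHISH), ("forwarded", SAMPLE_FORWARDED), ("benign", SAMPLE_BENIGN)]:
        v = triage(*msg)
        print(f"{name}: {classify(v)} (score {v.score}) {v.reasons}")
```

The subject regex alone is worth a "review", since none of the eight variants resembles a normal business subject; pairing it with the Google Docs hop pushes the message to "block", while an ordinary internal Google Docs share scores too low to bother anyone. When the campaign rewords its template, extend the synonym groups rather than adding subjects one by one.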
If you needed yet another reminder that the bad guys can be very aggressive in exploiting alarming headlines, this would be it. And we expect there will be plenty more where this one came from.
This phishing campaign should also serve as a reminder that your employees and users need to be stepped through New-school Security Awareness Training ASAP. They are, of course, the intended targets for this kind of maliciousness, and some of them could very well be just curious enough to click.
And don't be fooled: mere curiosity can indeed kill your organization.