
Malicious Email Activity Report

TECHNOLOGY | SECURITY | COMPLIANCE

Managed Security Services
Managed Detection & Response
Email Protection Suite
Cloud Email & Collaboration


March 2020

Introduction

Targeted Attack Protection (TAP) is a product within SilverSky’s Email Protection Suite (EPS), which detects advanced threats through static and dynamic analysis of attachments, websites, and downloads linked to inbound emails. This report provides a summary of TAP email detections between March 1 – March 31, 2020, to help maintain an ongoing understanding of malicious email activity trends. The information contained within this report is primarily derived from daily detection data from the TAP production servers, samples submitted to the TAP team from customers as misses, and internal research on new and known threats. The report includes a high-level view of detections from TAP in March, a description of known threats TAP has detected and flagged over the past month, and an overview of some new phishing campaigns used to test the detection capabilities of TAP against unknown threats.

Detected Threats

Daily reporting data is analyzed by the SilverSky Threat Intelligence Team to identify detection trends and information that could indicate specific attack methods or campaigns. This section provides information on detections of interest for the month of March.

AZORult Malware Exploiting CVE-2017-11882

The AZORult malware was observed being delivered by phishing documents that used Covid19 as a lure in late March 2020. The malicious email, titled ‘Maersk COVID-19 update’, contained a Microsoft Excel document attachment designed to exploit the CVE-2017-11882 vulnerability. The Microsoft Word document attached to the email seeks to exploit a two-and-a-half-year-old Microsoft Office vulnerability in the Equation Editor component. Once the document is opened it installs AZORult, an information-stealing malware that we have seen since at least 2016. In this latest notable effort, the exploits are exclusively targeting the manufacturing, industrial, finance, transportation, pharmaceutical, and cosmetic industries. Below is an example of this targeted email campaign:


Figure 4: Sample CVE-2017-11882 exploitation email

These emails were detected by SilverSky as malicious using the Malicious Macro rule. A SilverSky customer with a policy blocking TAP malicious emails would prevent these emails from reaching end users.

PDF Attachment Downloads Remcos RAT dropper

We also came across a phishing email with a PDF attachment offering safety measures against Coronavirus. Downloading the PDF attachment concurrently executes a Remcos RAT dropper, which runs together with a VBS file that executes the malware. According to our research, recipients are instructed to download the document from a “censorship-free” file-sharing service, which then installs two executable files in the “C:\Users\” system directory. A VBScript is seen as the launching point to run the executables.

This email was detected by TAP as malicious using the Malicious File Type Attachment rule. A SilverSky customer with a policy blocking TAP malicious emails would prevent these emails from reaching end users.


Agent Tesla with WHO “Method” for Covid19

We noticed an email phishing campaign in which threat actors spoofed the real address of the head of the World Health Organization (WHO), one of the premier scientific resources on Covid19, and claimed to offer methods and preventive measures against the Covid19 disease. The malicious email attachment named “Method_COVID2019_Safety.pdf.rar” contains a trojan agent compressed in RAR archive format, with a .pdf extension in the name to trick users. The email arrived in recipients’ inboxes allegedly from the WHO, with a sender email address of World Health Organization <who[@]astaylojstlk.com>. Notice that the sender’s email address domain is “astaylojstlk[.]com”, whereas legitimate WHO email addresses end with “who.int”. Once the recipient opens and runs the attachment, GuLoader, used to load the real payload, installs Agent Tesla, a trojan written in Visual Basic that can steal usernames, passwords, and credit card information from the user’s system.

This email was detected by TAP as malicious using the Malicious Archive Attachment rule. A SilverSky customer with a policy blocking TAP malicious emails would prevent these emails from reaching end users.
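As an added example (not part of the SilverSky report or of TAP), the two indicators called out above, a WHO display name over a non-who.int sender domain and a document-looking name on a RAR archive, written as checks and run over a constructed sample in the report’s defanged notation; KNOWN_SENDER_DOMAINS and the two extension sets are assumptions made for this example.

```python
from email.utils import parseaddr

# Constructed for this example: impersonated display names mapped to the domains
# the real organisation sends from (who.int is the one the report names as legitimate).
KNOWN_SENDER_DOMAINS = {"world health organization": {"who.int"}}
# Archive types that can wrap a payload, and the document-like extensions placed in
# front of them (the report's sample was *.pdf.rar); both sets are assumptions.
ARCHIVE_EXTS = {"rar", "zip", "7z", "ace", "iso"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}

def refang(value: str) -> str:
    """Turn report-style defanged addresses (who[@]example[.]com) back into parsable form."""
    return value.replace("[@]", "@").replace("[.]", ".")

def sender_mismatch(from_header: str):
    """Return (display_name, domain) when the display name claims a known organisation
    but the address domain is not one of that organisation's domains; else None."""
    name, addr = parseaddr(refang(from_header))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    expected = KNOWN_SENDER_DOMAINS.get(name.strip().lower())
    if expected is None:
        return None
    if domain in expected or any(domain.endswith("." + d) for d in expected):
        return None
    return name, domain

def disguised_archive(filename: str):
    """Return (inner_ext, outer_ext) for names like Method_COVID2019_Safety.pdf.rar,
    where an archive extension sits behind a document-looking one; else None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return None
    _, inner, outer = parts
    if outer in ARCHIVE_EXTS and inner in DOCUMENT_EXTS:
        return inner, outer
    return None

def assess_email(from_header: str, attachments):
    """Collect findings for one message; an empty list means neither indicator fired."""
    findings = []
    mismatch = sender_mismatch(from_header)
    if mismatch:
        findings.append(f"display name '{mismatch[0]}' but sender domain '{mismatch[1]}'")
    for att in attachments:
        hit = disguised_archive(att)
        if hit:
            findings.append(f"attachment '{att}' is a .{hit[1]} archive disguised as .{hit[0]}")
    return findings

if __name__ == "__main__":
    # Constructed sample mirroring the lure the report describes.
    sample_from = "World Health Organization <who[@]astaylojstlk.com>"
    for finding in assess_email(sample_from, ["Method_COVID2019_Safety.pdf.rar"]):
        print("FINDING:", finding)
```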

New Threats

The following outlines email threats that have been identified through open source research and analyzed to assess the ability of TAP to detect and block these threats.

Government-Themed Covid19 Attacks

This medium-sized credential phishing campaign primarily targets U.S. healthcare and higher education organizations with an email claiming that the Trump administration is considering sending American adults a check of $1,000 as part of an effort to stimulate the country’s economy. The recipients are directed to verify their information for the “new payroll directory” by clicking on the malicious link in the email. Once they click, they are taken to a phishing page which asks for their domain, username, email address, and password.

The email notes that “the Trump administration is considering sending most American adults a check for $1,000 as part of the efforts to stimulate the economy and help workers whose jobs have been disrupted by business closures because of the pandemic.”

Analysis indicates that TAP would successfully detect this attack through the Credential Phishing rule, protecting end users and their organizations from this attack.

CoViper Malware, a New Variant of MBRLocker Ransomware with Coronavirus Theme

An installer named “Coronavirus” is being distributed as the file COVID-19.exe. When run, the malware extracts numerous files to a folder under %Temp% and then executes a batch file named Coronavirus.bat. This batch file moves the extracted files to a C:\COVID-19 folder, configures various programs to start automatically on login, and then restarts Windows. Upon restart, a picture of the Coronavirus is displayed along with a message stating “coronavirus has infected your PC!”. Although a way to restore the MBR to its original version using the CTRL+ALT+ESC key combination was discovered, this does not solve all the issues. An antivirus scan must be run to scan the system and remove all files related to CoViper. It is noteworthy that “Update.vbs” is designed to keep CoViper up to date. Thus, CoViper must be immediately removed in its entirety.

SilverSky is continuing work to confirm that our assumptions are correct, and that TAP can detect attacks using this method.


Threat Analysis

The following chart provides a breakdown of emails that were detected between March 1 – March 31, 2020, categorized by the reason for the detection.

Figure 1 - Categories for Suspicious and Malicious Email Detections in March: The breakdown of detections for this month shows that there has been a significant rise in the number of detections using Google Safe Browsing. This is preponderantly due to a large phishing campaign by threat actors making use of the viral disease known as Covid-19 to their advantage, which is discussed in further detail later in this report. Concurrently, an increase in Suspicious URL detections is also seen compared to last month as a result of Covid-19 attacks.

[Figure 1 chart: pie charts of URL and FILE detections by category. Legend: SUSP: Suspicious URL; MAL: Malicious URL; SUSP: Credential Phishing; MAL: Business Service Impersonation; MAL: Google Safe Browsing; SUSP: File Integrity Check; SUSP: Suspicious Attachment; SUSP: Suspicious Macro; SUSP: Encrypted Document; MAL: Malicious Attachment; MAL: Malicious Macro.]


Detection Trends

The graphs below show the trends over time for both suspicious and malicious detections. In order to accommodate fluctuations in the number of users, these graphs have been created to show the proportion of each threat type and how that has changed over the past year as new capabilities are developed with each release and specific campaigns cause spikes in activity.

Figure 2 – Detection of Suspicious Emails: This graph shows that over the last month detections for suspicious URLs have declined slightly, offset by rises in file integrity checks and suspicious attachments. The significant increase in Suspicious Attachment detections is attributable to the trending Covid19 campaigns. URLs are one of the most common methods used in phishing emails, and as such the large number of emails being detected by this rule is not unexpected, especially given the identification of several large spam campaigns.

Figure 3 – Detection of Malicious Emails: There has been a slight drop in the proportion of malicious macros, offset by the rise in malicious credential phishing and malicious BSI. The sharp rise in Malicious Credential Phishing detected this month is largely due to the variety of phishing campaigns in which threat actors capitalized on the worldwide spread of the Covid19 virus. Spoofing tactics that effectively evade Microsoft Office 365 were also observed this month, resulting from Covid19 campaigns. However, it should be noted that the proportion of Malicious Attachments has continued to dominate steadily since January, which may be due to the progress of the Emotet, Lokibot and Trickbot campaigns.

[Figure 2 chart: Detection of Suspicious Emails, proportion per month over the past year (Mar to Mar, y-axis 0–100). Series: Suspect Credential Phishing, Suspect File Integrity Check, Suspicious Attachment, Suspicious Macro, Suspicious URL.]

[Figure 3 chart: Detection of Malicious Emails, proportion per month over the past year (Mar to Mar, y-axis 0–80). Series: Malicious Credential Phishing, Malicious Attachment, Malicious Macro, Malicious BSI.]


www.silversky.com

Contact Details: US: 1-800-234-2175 | E: [email protected]
4813 Emperor Boulevard, Suite 200, Durham, North Carolina 27703
linkedin.com/company/silversky | twitter.com/SilverSky

Copyright © BAE Systems plc 2020. All rights reserved. BAE SYSTEMS, the BAE SYSTEMS Logo and the product names referenced herein are trademarks of BAE Systems plc. BAE Systems Applied Intelligence Limited registered in England & Wales (No.1337451) with its registered office at Surrey Research Park, Guildford, England, GU2 7RQ. No part of this document may be copied, reproduced, adapted or redistributed in any form or by any means without the express prior written consent of BAE Systems Applied Intelligence.

The SilverSky Email Protection Services Solution

The SilverSky solution is fully integrated, tested, and comes from a single vendor, at a fraction of the cost of going it alone. We can serve as a trusted partner – and extension of your information security and corporate operations functions – to make meeting enterprise-grade message security and compliance requirements simple, easy, and cost-effective.

Unparalleled security, reliability, and compliance

Email Protection Services from SilverSky are reliable, with fault-tolerant and geographically-distributed infrastructure, and are backed by proven industry expertise.