Threat group dons Covid guise for cyber-attack

News by Chandu Gopalakrishnan

Nation-state threat groups have joined cyber-criminals and phishing cartels in using the Covid-19 scare for targeted attacks.

APT36, believed to be a Pakistani state sponsored threat actor, was found using a Covid-19 health advisory document to spread a remote administration tool (RAT), targeting India’s defence and foreign service departments, found Malwarebytes researchers.

“APT36 is believed to be a Pakistani state-sponsored threat actor mainly targeting the defence, embassies and the government of India by performing cyber-espionage operations with the intent of collecting sensitive information that supports Pakistani military and diplomatic interests,” said the Malwarebytes blog post on the discovery.

The researchers also assessed the capabilities of the APT.

“Indeed, APT36 is capable of performing cyber-espionage operations, but their TTPs and toolsets are not as sophisticated as Russian, Chinese, North Korean or Iranian actors,” Jérôme Segura, director of threat intelligence at Malwarebytes, told SC Media UK.

The group is also known as Transparent Tribe, ProjectM, Mythic Leopard and TEMP.Lapis and has been active since 2016, said the blog post. In this coronavirus-themed attack, the group used a spear-phishing email with a fake government of India link.

“We looked at the previous phishing campaigns related to this APT and we can confirm this is a new phishing pattern they started to use. The names used for directories and functions are likely Urdu names,” said the blog post.

However, the researchers were not able to pinpoint the targets of this particular campaign.

“It seems the actor is targeting users of the government of India's website, and therefore this attack could affect all departments of the Indian government,” Segura said.

State-sponsored espionage campaigns using Covid-19 / Coronavirus themed lures in phishing emails have been spotted since January, said Jens Monrad, head of Mandiant Threat Intelligence - EMEA at FireEye.

“By lures we mean email attachments and links that look like they are genuine, but are in fact malicious. This activity has increased since January as more nations are dealing with infections. Some of the malware campaigns we have observed are responsible for a large volume of spam and phishing emails as well as being used to deliver ransomware (i.e. Emotet, Trickbot, Nanocore, AZORult, FormBook, Remcos RAT and AgentTesla),” he said.

APT36 has used many different malware families in the past, mostly remote administration tools such as BreachRAT, DarkComet, and Luminosity RAT or njRAT, said the Malwarebytes blog.

During their past campaigns, they were able to compromise networks of the Indian military and government and stole sensitive data including army strategy and training documents, tactical documents, and other official letters. 

Trend Micro researchers David Sancho and Feike Hacquebord in 2016 discovered three open directories commandeered by the APT group, which contained more than 16 GB worth of data, the majority of which belonged to officers of the Indian army.

With the pandemic sweeping across the world, global organisations and government departments are instructing their employees to work remotely. However, offering this option without adequate cyber-security has inadvertently opened opportunities for cyber-criminals.

There are several things that organisations can do to better protect their environments from threats as they adapt to a remote and distributed workforce as the pandemic spreads across the world, said Matt Shelton, director, technology risk and threat intelligence at FireEye. 

“Accessing corporate resources remotely creates an opportunity for attackers to blend in with the workforce. Implementing multi-factor authentication (MFA) on all external corporate resources significantly reduces this risk.”

Deploying a multi-layer endpoint agent on all employee endpoints to detect, protect against and respond to malicious activity, and ensuring that logs from cloud providers arrive in a timely manner and are reviewed regularly, helps organisations spot and curb unauthorised access and data exfiltration, he explained.
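As an added illustration of the log-review step above (this is example code, not part of the article and not FireEye's tooling), the following Python script reviews a few constructed cloud audit records and flags two things: sign-ins to externally reachable corporate resources that did not use MFA, and users whose outbound transfer volume for a day exceeds a threshold. The record schema (`event`, `user`, `mfa`, `resource`, `bytes`), the set of external resources and the 500 MiB threshold are all assumptions chosen for the example.

```python
"""Added example (not from the article): review constructed cloud sign-in and
egress log records to flag remote access without MFA and unusually large
outbound transfers. Field names, resource set and thresholds are assumptions."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, loosely modelled on newline-delimited JSON
# audit events from a cloud provider (assumed schema, not a real product format).
SAMPLE_LOGS = """
{"ts": "2020-03-18T08:02:11Z", "event": "signin", "user": "alice", "mfa": true,  "src_ip": "203.0.113.10", "resource": "vpn"}
{"ts": "2020-03-18T08:05:40Z", "event": "signin", "user": "bob",   "mfa": false, "src_ip": "198.51.100.7", "resource": "mail"}
{"ts": "2020-03-18T09:17:03Z", "event": "egress", "user": "bob",   "bytes": 734003200, "dst": "storage.example.net"}
{"ts": "2020-03-18T09:20:55Z", "event": "egress", "user": "alice", "bytes": 5242880, "dst": "cdn.example.org"}
{"ts": "2020-03-18T10:01:00Z", "event": "signin", "user": "carol", "mfa": false, "src_ip": "192.0.2.44", "resource": "vpn"}
{"ts": "2020-03-18T10:02:13Z", "event": "egress", "user": "carol", "bytes": 120000000, "dst": "files.example.com"}
"""

EGRESS_THRESHOLD_BYTES = 500 * 1024 * 1024   # 500 MiB per user per day; an assumed tuning value
EXTERNAL_RESOURCES = {"vpn", "mail", "sso"}  # assumed set of externally reachable corporate resources


def parse_logs(text):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            # One malformed line should not abort the whole review.
            continue
    return records


def find_non_mfa_signins(records):
    """Return (user, resource, src_ip) for sign-ins to external resources without MFA."""
    return [
        (r["user"], r["resource"], r["src_ip"])
        for r in records
        if r.get("event") == "signin"
        and r.get("resource") in EXTERNAL_RESOURCES
        and not r.get("mfa", False)
    ]


def find_large_egress(records, threshold=EGRESS_THRESHOLD_BYTES):
    """Sum outbound bytes per (user, day) and return the totals above the threshold."""
    totals = defaultdict(int)
    for r in records:
        if r.get("event") != "egress":
            continue
        day = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        totals[(r["user"], day)] += int(r.get("bytes", 0))
    return {key: total for key, total in totals.items() if total > threshold}


def review(text):
    """Run both checks; a user with a non-MFA sign-in AND large egress is top priority."""
    records = parse_logs(text)
    no_mfa = find_non_mfa_signins(records)
    egress = find_large_egress(records)
    no_mfa_users = {user for user, _, _ in no_mfa}
    priority = sorted({user for (user, _day) in egress if user in no_mfa_users})
    return {"no_mfa": no_mfa, "large_egress": egress, "priority_users": priority}


if __name__ == "__main__":
    result = review(SAMPLE_LOGS)
    for user, resource, ip in result["no_mfa"]:
        print(f"no MFA: {user} -> {resource} from {ip}")
    for (user, day), total in result["large_egress"].items():
        print(f"large egress: {user} on {day}: {total} bytes")
    print("priority users:", result["priority_users"])
```

Run against the constructed records, the script reports two non-MFA sign-ins (bob to mail, carol to the VPN), one day of egress over the threshold (bob, 700 MiB) and so singles out bob for review. In practice the same two checks would be fed from the provider's real audit export, and the threshold tuned per role rather than fixed.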

The key is to remain vigilant about socially engineered campaigns and disinformation related to the coronavirus, said Monrad.

“People should use government trusted sources for any information related to the current situation and, in the cases where they receive coronavirus related emails and were not expecting them, they should carefully examine why they are receiving them and consider not engaging with the emails.”
