In a recent attempt to spread malware, threat actors, posing as Indian government departments, are sending malicious emails to organizations. The email claims to be a follow up to a previous correspondence, and orders organizations to review the attachment and submit their plan of action to combat Coronavirus. The seemingly official language of the email content, makes it seem like a directive from the Home Ministry of India. This tactic coerces victims into opening the malware laced attachments immediately.
Although a fake email address, home.min@gov.in gives victims the impression of a legitimate mail address. However, the actual email address of the Ministry of Home Affairs ends in mha@nic.in. The email attachment titled Coronavirus_action_plan.docx, as reported by Subex, is found to drop malware into the victim’s system, once opened.
A similar incident was reported by Malwarebytes on 16 March, this year, when the alleged Pakistani state-sponsored threat actor group, APT36, posed as the Government of India to send Coronavirus health advisory emails with malicious attachments. Notably, this group is known for targeting the Indian government, its embassies and the defense system. The email attachment contained two malicious macros that dropped the CrimsonRAT payload, to steal credentials from browsers, capture screenshots, list running processes, directories, and drives, and more.
Decoy URLs |
email.gov.in.maildrive[.]email/?att=1579160420 |
email.gov.in.maildrive[.]email/?att=1581914657 | |
Decoy documents |
876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef165620da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a |
CrimsonRAT |
0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010 |
b67d764c981a298fa2bb14ca7faffc68ec30ad34380ad8a92911b2350104e748 | |
C2s |
107.175.64[.]209 |
64.188.25[.]205 |
This lure bears a stark similarity with the emergency response plan phishing email, in that: