In a recent attempt to spread malware, threat actors, posing as Indian government departments, are sending malicious emails to organizations. The email claims to be a follow up to a previous correspondence, and orders organizations to review the attachment and submit their plan of action to combat Coronavirus. The seemingly official language of the email content, makes it seem like a directive from the Home Ministry of India. This tactic coerces victims into opening the malware laced attachments immediately.
Although a fake email address, home.min@gov.in gives victims the impression of a legitimate mail address. However, the actual email address of the Ministry of Home Affairs ends in mha@nic.in. The email attachment titled Coronavirus_action_plan.docx, as reported by Subex, is found to drop malware into the victim’s system, once opened.
This lure bears a stark similarity with the emergency response plan phishing email, in that:
Although a fake email address, home.min@gov.in gives victims the impression of a legitimate mail address. However, the actual email address of the Ministry of Home Affairs ends in mha@nic.in. The email attachment titled Coronavirus_action_plan.docx, as reported by Subex, is found to drop malware into the victim’s system, once opened.
Similar phishing lure by APT36
A similar incident was reported by Malwarebytes on 16 March, this year, when the alleged Pakistani state-sponsored threat actor group, APT36, posed as the Government of India to send Coronavirus health advisory emails with malicious attachments. Notably, this group is known for targeting the Indian government, its embassies and the defense system. The email attachment contained two malicious macros that dropped the CrimsonRAT payload, to steal credentials from browsers, capture screenshots, list running processes, directories, and drives, and more.
Indicators of Compromise
Decoy URLs |
email.gov.in.maildrive[.]email/?att=1579160420 |
| email.gov.in.maildrive[.]email/?att=1581914657 | |
Decoy documents |
876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef165620da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a |
CrimsonRAT |
0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010 |
| b67d764c981a298fa2bb14ca7faffc68ec30ad34380ad8a92911b2350104e748 | |
C2s |
107.175.64[.]209 |
| 64.188.25[.]205 |
- Both the emails are traced back to addresses that impersonate the Indian government,
- They have attachments that call for immediate attention and action, and
- These emails were sent to victims under the cover of Coronavirus.