Threat actors pose as Indian govt. to spread malware laced COVID email attachments

The email orders organizations to review the attachment and submit their plan of action to combat Coronavirus, much similar to APT36’s pattern of attack.

Share this Intel:

In a recent attempt to spread malware, threat actors, posing as Indian government departments, are sending malicious emails to organizations. The email claims to be a follow up to a previous correspondence, and orders organizations to review the attachment and submit their plan of action to combat Coronavirus. The seemingly official language of the email content, makes it seem like a directive from the Home Ministry of India. This tactic coerces victims into opening the malware laced attachments immediately.

phishing email

Although a fake email address, home.min@gov.in gives victims the impression of a legitimate mail address. However, the actual email address of the Ministry of Home Affairs ends in mha@nic.in. The email attachment titled Coronavirus_action_plan.docx, as reported by Subex, is found to drop malware into the victim’s system, once opened. 

Similar phishing lure by APT36

A similar incident was reported by Malwarebytes on 16 March, this year, when the alleged Pakistani state-sponsored threat actor group, APT36, posed as the Government of India to send Coronavirus health advisory emails with malicious attachments. Notably, this group is known for targeting the Indian government, its embassies and the defense system. The email attachment contained two malicious macros that dropped the CrimsonRAT payload, to steal credentials from browsers, capture screenshots, list running processes, directories, and drives, and more. 

COVIDlure

 

Indicators of Compromise

 

Decoy URLs
email.gov.in.maildrive[.]email/?att=1579160420
email.gov.in.maildrive[.]email/?att=1581914657
Decoy documents
876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef165620da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a
CrimsonRAT
0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010
b67d764c981a298fa2bb14ca7faffc68ec30ad34380ad8a92911b2350104e748
C2s
107.175.64[.]209
64.188.25[.]205

 

This lure bears a stark similarity with the emergency response plan phishing email, in that:

  • Both the emails are traced back to addresses that impersonate the Indian government, 
  • They have attachments that call for immediate attention and action, and 
  • These emails were sent to victims under the cover of Coronavirus.

Be informed about these Threats in your Inbox

Sign up now to our Threat intelligence Newsletter and be the first to know about these threats first in your inbox.