State-sponsored coronavirus phishbait.
BAE Systems summarizes the APTs that are known to be using COVID-19-themed phishing lures to deliver various strains of malware. The threat actors include the Russia-aligned groups Sandworm and Gamaredon, the China-linked campaigns Operation LagTime and Mustang Panda, and the Pakistan-associated Transparent Tribe. Parties unknown have been impersonating the US Centers for Disease Control, pushing the Remcos RAT.
The Russian operators behind Gamaredon are impersonating the Ukrainian Foreign Ministry, delivering the Pterodo backdoor via malicious docx files. And the GRU's Sandworm is not to be left out—it's spoofing Ukraine's Ministry of Health to distribute a .NET backdoor.
Beijing's operators at Mustang Panda are using bogus news articles to push the Cobalt Strike stager. Operation LagTime IT, also a Chinese APT, is spoofing the Mongolian Ministry of Health to distribute a Poison Ivy stager.
The Pakistani operation Transparent Tribe (also known as APT36) is after Indian targets using malicious XLS files to deliver the Crimson remote access Trojan, all the while posing as an Indian training company. Malwarebytes has also seen a surge in coronavirus-themed phishing by Transparent Tribe, and they report the same deployment of the Crimson RAT against Indian targets.