Hackers are using fake HIV test results as a lure to infect computers and steal personal data in a newly exposed phishing campaign, security researchers say.
The email-based attacks contain an open-source remote access tool that has previously been tied to state-sponsored groups linked to China and Russia, Sherrod DeGrippo, senior director of the threat research and detection team at cyber outfit Proofpoint, explained in a blog post today.
The culprits, who remain unidentified, spew out emails while impersonating the Vanderbilt University Medical Center, a hospital based in Nashville, Tennessee.
The booby-trapped messages contain Koadic, which is a penetration testing tool that can also be abused to sneak onto victim computers and steal files.
“If successful and Koadic is installed, attackers can run programs and access victims’ data including sensitive personal and financial information,” DeGrippo warned.
Proofpoint published an image of the hackers’ spam email in its analysis, showing how it came with the subject line: “Test result of medical analysis.”
The text body of the email was brief and to-the-point, urging the recipient to open a malicious Microsoft Excel file posing as the results of an HIV test. If the victim chose to enable macros, as requested by a pop-up on their screen, the document would then immediately download Koadic.
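The attack chain described above (health-themed subject, macro-enabled Excel attachment, macros that fetch a second stage) is exactly the combination a mail gateway can flag before a user ever sees the "enable macros" prompt. The following Python script is an added example written for this article; it is not Proofpoint's code or anything from the campaign. It parses a raw e-mail, looks for a health-related subject line, and inspects each attachment for a macro-capable extension and for the `vbaProject.bin` part that Office Open XML files only carry when they contain VBA. The keyword list and the sample message (a minimal zip laid out like an `.xlsm`, with a placeholder in place of any real macro) are constructed for illustration.

```python
"""Triage an inbound e-mail for a health-themed lure carrying a macro-enabled
Office attachment. Added example, not Proofpoint's code; the keyword list and
the sample message below are constructed assumptions."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed keyword list (assumption): phrases typical of health-themed lures.
HEALTH_KEYWORDS = ("test result", "medical analysis", "hiv", "diagnosis", "lab report")

# OOXML parts that are only present when a workbook/document contains VBA.
VBA_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin")


def has_vba_project(payload: bytes) -> bool:
    """Return True if a zip-based Office payload contains a VBA project part."""
    if not payload.startswith(b"PK"):
        return False  # not a zip container; legacy .xls would need OLE parsing
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in VBA_PARTS)


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return a list of findings (strings)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    subject = (msg["subject"] or "").lower()
    if any(k in subject for k in HEALTH_KEYWORDS):
        findings.append("health-themed subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith((".xlsm", ".xls", ".docm", ".doc")):
            findings.append(f"macro-capable Office attachment: {name}")
        if has_vba_project(payload):
            findings.append(f"VBA project found inside attachment: {name}")
    return findings


def build_sample_xlsm() -> bytes:
    """Constructed sample: a minimal zip shaped like an .xlsm with a VBA part
    (the part holds a placeholder, not macro code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\x00placeholder")
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed sample message using the subject line quoted in the article."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Test result of medical analysis"
    msg.set_content("Please open the attached file to view your results.")
    msg.add_attachment(build_sample_xlsm(), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="TestResults.xlsm")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage_message(build_sample_email()):
        print(finding)
```

Running the script against the constructed message yields three findings: the health-themed subject, the `.xlsm` extension, and the embedded VBA project. Any one of these alone is weak evidence (doctors do send spreadsheets); it is the combination that makes a message worth quarantining for analyst review. The script does not inspect the macro body itself, so it says nothing about what a given macro does, only that one is present.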
“Originally Koadic was intended as an open-source tool for network defenders and allows the actor to take complete control over a user’s system,” DeGrippo wrote.
“In recent years it has been used by a variety of nation-state actors including both Chinese and Russian state-sponsored groups, as well as attackers associated with Iran.” In this case, there was no specific group ascribed to the campaign, which was described as being “low volume.”
In 2018, Palo Alto Networks suggested the same hacking tool had been used by Sofacy Group, which is a Russian hacking unit also known as Fancy Bear, Tsar Team and Pawn Storm.
“Sofacy group has leveraged open source or freely available tools and exploits in the past but this is the first time that Unit 42 has observed them leveraging the Koadic toolkit,” its report said.
Fancy Bear, or APT 28, was linked to the cyberattacks in the U.S. as part of Russia’s election meddling attempts during the 2016 presidential election, experts say.
Previously, experts found evidence that online crooks were using the novel coronavirus (COVID-19) as a phishing lure, attempting to exploit fears surrounding the ongoing outbreak.
“This latest campaign serves as a reminder that health-related lures didn’t start and won’t stop with the recent coronavirus-themed lures we observed,” DeGrippo noted in the Proofpoint blog post. “They are a constant tactic as attackers recognize the utility of the ‘scare factor.’”
The researcher added: “We encourage users to treat health-related emails with caution, especially those that claim to have sensitive health-related information.
“Sensitive health-related information is typically safely transmitted using secured messaging portals, over the phone, or in-person. If you receive an email that claims to have sensitive health-related information, don’t open the attachments. Instead, visit your medical provider’s patient portal directly, call your doctor, or make an appointment to directly confirm any medical diagnosis.”