HIV Test Phishing Campaign Targets Healthcare and Pharmaceutical Companies

Proofpoint researchers have discovered a new phishing campaign directed at healthcare organizations, insurance companies, and pharmaceutical firms. The intercepted emails impersonate Vanderbilt University Medical Center and claim to contain recent HIV test results.

The subject line of the emails was “Test result of medical analysis.” The email instructs the recipient to open an attached Excel workbook named TestResult.xlsb to view the HIV test results. When the workbook is opened, a message states that the file is protected and that content must be enabled to view the results. Enabling content runs the embedded macros, which then download the malware onto the recipient’s computer.
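As an added example, not code from the article or from Proofpoint, the following Python triage rule applies the indicators described above to mail metadata: a macro-capable attachment paired with a health-themed lure or with a display name that impersonates a healthcare brand. The brand-to-domain mapping, the sender domains and the sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# File extensions that can carry VBA macros; this campaign used .xlsb (binary workbook).
MACRO_CAPABLE = {".xlsb", ".xlsm", ".xls", ".docm", ".doc", ".pptm"}
# Lure vocabulary from this campaign and related health-themed phishing.
HEALTH_LURE = re.compile(r"test result|medical analysis|\bhiv\b|covid|coronavirus", re.I)
# Brands to protect from display-name impersonation (assumed mapping, not from the article).
PROTECTED_BRANDS = {"vanderbilt university medical center": "vumc.org"}

@dataclass
class Email:
    display_name: str
    sender_domain: str
    subject: str
    attachments: list = field(default_factory=list)

def flag_email(msg):
    """Return the reasons a message resembles a medical-themed macro lure."""
    reasons = []
    exts = {"." + n.rsplit(".", 1)[-1].lower() for n in msg.attachments if "." in n}
    if exts & MACRO_CAPABLE:
        reasons.append("macro-capable attachment")
    if HEALTH_LURE.search(msg.subject) or any(HEALTH_LURE.search(a) for a in msg.attachments):
        reasons.append("health-themed lure text")
    for brand, domain in PROTECTED_BRANDS.items():
        if brand in msg.display_name.lower() and msg.sender_domain.lower() != domain:
            reasons.append("display name impersonates " + brand)
    return reasons

def verdict(msg):
    """quarantine: macro attachment plus lure or impersonation; review: anything else flagged."""
    reasons = flag_email(msg)
    if "macro-capable attachment" in reasons and len(reasons) > 1:
        return "quarantine"
    return "review" if reasons else "deliver"

# Constructed sample messages modelled on the article (not real captures).
SAMPLES = [
    Email("Vanderbilt University Medical Center", "example-mailer.test",
          "Test result of medical analysis", ["TestResult.xlsb"]),
    Email("VUMC Lab Services", "vumc.org", "Your test results are ready", ["results.pdf"]),
    Email("IT Newsletter", "example.org", "March updates", ["march.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(verdict(m), "|", m.subject, "|", ", ".join(flag_email(m)))
```

A genuine result notice from the provider’s own domain lands in “review” rather than “quarantine”, because the lure words alone are not enough without a macro-capable attachment.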

This is a fairly small-scale campaign that the attacker used to spread the Koadic RAT. Koadic is a post-exploitation tool that network defenders and penetration testers use to take control of a system. Proofpoint stated that Koadic is well known among nation-state-backed hacking groups in China, Russia, and Iran. Koadic enables attackers to take control of a computer, install and run applications, and steal sensitive personal and financial information.

Proofpoint also intercepted a number of coronavirus-themed phishing emails in the last couple of weeks, which are being used to distribute a range of malware, including the Emotet Trojan, the AgentTesla keylogger, the AZORult information stealer, and the NanoCore RAT. Several campaigns were discovered that use fake Office 365, DocuSign, and Adobe websites to harvest credentials.

A number of coronavirus-themed phishing lures were discovered. Many claim to provide more information about local COVID-19 cases or to have crucial details on how to avoid infection. One campaign claimed that the government is withholding a vaccine and a cure for COVID-19. Some of the phishing emails are very well written and convincing, and imitate COVID-19 authorities such as the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO).

Check Point researchers monitoring coronavirus-themed websites found over 4,000 new coronavirus-themed domains registered since January 2020. 5% of these were suspicious domains, and 3% were verified as malicious and were being used to distribute malware or to host phishing campaigns.

Threat actors frequently use supposed health data in their phishing lures because it prompts an emotional reaction that is particularly effective at getting potential victims to open malicious file attachments or click malicious links. If you receive an email that claims to provide sensitive health-related data, do not open the attachments. Instead, go directly to your medical provider’s patient portal, contact your doctor, or book an appointment to verify any medical diagnosis or test results.