Previously, Red Sky Alliance reported on Fancy Bear imposters demanding a Bitcoin ransom from a Florida election information website. These actors send a variety of ransom/scam demands from the coronavirus-themed domains covidpapers[.]org and coronaxy[.]com. In some cases they threaten to expose allegedly hacked personal files; in others they threaten a DDoS attack. They often claim to be Russian government hackers, posing as Fancy Bear, Cozy Bear, or Venomous Bear. Their ransom emails typically carry no malicious attachment or payload, so attachment-scanning antivirus controls have nothing to flag and the messages reach the inbox.
Details
On 29 October 2020, Red Sky Alliance issued an alert on Fancy Bear Imposters who were trying to extort the operator of a website related to the 2020 US Presidential Election by threatening to take it down.[1] In this report we look deeper into various attacks that use the same infrastructure. Given one of the domains these attackers use (covidpapers[.]org) and their behaviour (impersonating Fancy Bear and other APT groups), we refer to them as Covidpapers Imposters.
Extorting Florida Voter-Related Website
Red Sky Alliance detected a ransom note sent on 24 October 2020 (Figure 1). The note was directed to a Florida county Supervisor of Elections (SOE). The impersonator claims that the county site showing voting information will be taken down one day before the US Presidential Election unless payment is made. The note demands that $1,100 be sent to a Bitcoin address:
“The current fee is $1100(USD) in Bitcoins (BTC). The fee will increase by 1000 USD for each day after 2020 November 2nd that has passed without payment. Please send Bitcoin to the following Bitcoin address (cAsE-SeNsitIve): 19jzN84BmswK9FbxD9QYsKCSZiukRN9ehL”.[2]
The email also says a smaller, 30-minute DDoS attack will be run against the website to prove the senders are capable of a DDoS (Figure 1).
Figure 2. Fancy Bear impersonation DDoS note sent to a US county Supervisor of Elections (SOE)
Despite the threat, the website was still accessible the day before the November US Presidential Election.
Coronavirus-Themed Domains and Bitcoin Addresses
The rDDoS (ransom DDoS) email to the voting site was sent from covidpapers[.]org. While analyzing the malicious infrastructure of Covidpapers Imposters, we detected many similar ransom/scam notes sent from this domain and from a similar coronavirus-themed domain, coronaxy[.]com.
While the attacks coming from these domains are scams, some of the connected IP addresses have been seen serving malware: 185.183.98.14 and 185.117.73.59 (both in AS 60117, Host Sailor Ltd., Netherlands). The indicator table below records one such sample, hxxp://185.183.98[.]14/abcfont.dll, detected as Trojan.Trick.
At the end of this report we attach various indicators regarding Covidpapers Imposters: domains, IPs, hashes, emails, and Bitcoin addresses. Each observed attack used a unique sending email address (on either of the two sending domains). The Bitcoin addresses were also mostly unique, but we detected one rare case in which the same Covidpapers Imposters Bitcoin address was reused in two different attacks.
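Because these notes carry no attachment, the useful detections are on the message content and on the infrastructure indicators listed in this report: the sending domain, the Bitcoin address, and the claimed group name. The script below is an added example (it is not Red Sky Alliance tooling) that triages a raw e-mail against those indicators. It also validates each extracted Bitcoin address with the Base58Check checksum, the same check a wallet performs, which catches mis-transcribed addresses before they reach a blocklist. The indicator sets are copied from the table at the end of this report; the sample message is constructed from the quoted ransom text, and its display name, To: address and Subject: line are invented for the sample.

```python
"""Triage an inbound extortion e-mail against the Covidpapers Imposters indicators.

Added example, not Red Sky Alliance tooling. Indicator sets are copied from the
report's table; SAMPLE_EMAIL is constructed from the ransom text the report
quotes (display name, To: and Subject: are invented for the sample).
"""
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

# Sending domains and Bitcoin addresses from the report (defanging removed).
SENDING_DOMAINS = {"covidpapers.org", "coronaxy.com"}
KNOWN_BTC = {
    "19jzN84BmswK9FbxD9QYsKCSZiukRN9ehL",  # election-site rDDoS note, 24 Oct 2020
    "1F47gsp9yzPhEGNxjFAJHMYr26VBzMsMPH",  # reused under two claimed 'Bear' names
}
IMPERSONATED_GROUPS = ("Fancy Bear", "Cozy Bear", "Venomous Bear")

# Legacy (Base58Check) Bitcoin address shape: 26-35 chars, starts with 1 or 3.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_ok(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 equal the double-SHA256 checksum.

    A note that says 'cAsE-SeNsitIve' is relying on the victim to copy the address
    exactly; this is the check a wallet performs, and it weeds out typos in
    transcribed indicators before they go into a blocklist.
    """
    n = 0
    for ch in addr:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            return False  # '0', 'O', 'I' and 'l' are not Base58 characters
        n = n * 58 + digit
    leading_zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading_zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def triage(raw_email: str) -> dict:
    """Extract the features an analyst pivots on: sender domain, BTC address, claimed group."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    body = msg.get_payload(decode=False)  # plain-text, single-part note
    addrs = BTC_RE.findall(body)
    return {
        "sender": sender,
        "sender_domain_match": domain in SENDING_DOMAINS,
        "btc_addresses": addrs,
        "btc_checksum_ok": {a: base58check_ok(a) for a in addrs},
        "known_btc": sorted(set(addrs) & KNOWN_BTC),
        "claimed_groups": [g for g in IMPERSONATED_GROUPS if g.lower() in body.lower()],
        "ddos_threat": re.search(r"\bDDoS\b", body, re.IGNORECASE) is not None,
    }


def verdict(features: dict) -> str:
    """An infrastructure match (sender domain or known address) outranks the content pattern."""
    if features["sender_domain_match"] or features["known_btc"]:
        return "known-campaign"
    if features["btc_addresses"] and (features["ddos_threat"] or features["claimed_groups"]):
        return "extortion-pattern"
    return "no-match"


# Constructed sample: sender address from the report's table, body from the quoted note.
SAMPLE_EMAIL = """\
From: Adrian Myers <adrian_myers@covidpapers.org>
To: elections@example.gov
Subject: DDoS attack on your website
Content-Type: text/plain; charset=utf-8

We are the Fancy Bear and we have chosen your company as target for our next DDoS attack.
The current fee is $1100(USD) in Bitcoins (BTC). The fee will increase by 1000 USD for
each day after 2020 November 2nd that has passed without payment. Please send Bitcoin to
the following Bitcoin address (cAsE-SeNsitIve): 19jzN84BmswK9FbxD9QYsKCSZiukRN9ehL
"""

if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", verdict(result))
```

The verdict deliberately ranks an infrastructure hit above the content pattern: sender domains and payment addresses are facts the operator controls and reuses, whereas the wording of the note changes between campaigns. A message that shows the extortion pattern without a known indicator is still worth an analyst's eyes, which is why it gets its own label rather than being dropped.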
Three Types of Scam
The voter-related site described above and several other domain owners were hit by Covidpapers Imposters with ransom DDoS notes.
Other website owners received a ransom/scam note from Covidpapers Imposters claiming their site had been hacked and threatening to leak personal files.
Finally, a third scam from Covidpapers Imposters does not specifically target domain/site owners but states generically that the recipient of the email was hacked and must pay in Bitcoin:
“[…]== PLEASE TAKE THIS SERIOUSLY[…]==
If you think corona was a big threat for you, think again...
Your device was not properly secured and we have managed to access your accounts and get private, sensitive and confidential information about you.
We have downloaded full list of your contacts from social networks and e-mail, as well as your passwords, browsing history, private photos and videos.[…]
If you don't believe us, take a look at this report:
hxxp://covidpapers[.]org/zip/anya.r[..]@camelotgroup.co.uk
track=MT[…]jw
[…] we have inserted our code on one of the websites that you have visited and then used WebAssembly flaw to take control of your device.
It is similar technique to Heartbleed or Shellshock, […]
Just think about it - we will be able to publish your sensitive data (like photos, videos or passwords) online, send it to your contacts (wife, boss, collegues, friends, etc.) and/or sell it on a d@rknet.”[3]
Testing All Kinds of Bears (Impersonating Russian APT)
While in the last example above Covidpapers Imposters did not claim to be a "Bear" (the naming convention for Russian government-linked APT groups), in most of the other observed cases they did:
After impersonating Fancy Bear on 24 October 2020, in the following days the same actors were seen in similar rDDoS attempts impersonating another Russian APT group, Cozy Bear:
“We are the Cozy Bear and we have chosen your company as target for our next DDoS attack. Please perform a google search for "Cozy Bear" to have a look at some of our previous work. Your network will be subject to a DDoS attack starting at 2020 November 2nd (Monday). THIS IS NOT A JOKE, and to prove it right now we will start a small attack on www.[…].com that will last for 30 minutes. It will not be heavy attack, at this moment.”
In yet another case, Covidpapers Imposters reused the same Bitcoin address while impersonating different groups. On 27 October 2020 they claimed to be Cozy Bear, and the next day they followed with another rDDoS note carrying the same Bitcoin address, this time claiming to be Venomous Bear:
“We are the Venomous Bear and we have chosen your company as target for our next DDoS attack.”[4]
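The Bitcoin address 1F47gsp9yzPhEGNxjFAJHMYr26VBzMsMPH appearing under two different "Bear" names is the kind of pivot that ties separate notes back to one operator. The script below is an added example, not part of the report, that parses a subset of the indicator table (copied here in its pipe-separated form, with the seven-column layout of the table at the end of this report) and surfaces exactly that: addresses that recur across days or across claimed groups, and sending addresses grouped by domain. The claimed group is read from the Comments column, which assumes the analyst's note names the Bear in the form "X Bear".

```python
"""Pivot the report's indicator table on Bitcoin-address reuse and sender domains.

Added example, not Red Sky Alliance tooling. ROWS is a subset of the report's
indicator table copied in its pipe-separated form; the parser and the pivots
(which addresses recur, under which claimed 'Bear' name) are the added part.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

ROWS = """\
Indicator | Type | Kill_Chain_Phase | First_Seen | Last_Seen | Comments | Attribution
adrian_myers@covidpapers.org | | Delivery | 10/24/2020 | 10/24/2020 | Targeting election-related website. rDDoS email from Fancy Bear Imposters | Covidpapers Imposters
19jzN84BmswK9FbxD9QYsKCSZiukRN9ehL | String | Delivery | 10/24/2020 | 10/24/2020 | Targeting election-related website. rDDoS email from Fancy Bear Imposters | Covidpapers Imposters
jude_hernandez@covidpapers.org | | Delivery | 10/27/2020 | 10/27/2020 | rDDoS. Cozy Bear Imposters | Covidpapers Imposters
1nTMFPKKJQ32SvS9dgxJWtbK98PJ5cjJi | String | Delivery | 10/27/2020 | 10/27/2020 | rDDoS: Bitcoin address. Cozy Bear Imposters | Covidpapers Imposters
danny.martin@coronaxy.com | | Delivery | 10/27/2020 | 10/27/2020 | rDDoS. Cozy Bear Imposters | Covidpapers Imposters
1F47gsp9yzPhEGNxjFAJHMYr26VBzMsMPH | String | Delivery | 10/27/2020 | 10/28/2020 | rDDoS. Cozy Bear and Venomous Bear Imposters | Covidpapers Imposters
jerry-cook@coronaxy.com | | Delivery | 10/28/2020 | 10/28/2020 | rDDoS. Fancy Bear Imposters | Covidpapers Imposters
16rNACx8frgupmnZGPkgka3nYtZENm23qP | String | Delivery | 10/28/2020 | 10/28/2020 | rDDoS. Fancy Bear Imposters | Covidpapers Imposters
"""

BEAR_RE = re.compile(r"\b(Fancy|Cozy|Venomous) Bear\b")
BTC_RE = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")  # legacy address shape only


@dataclass
class Indicator:
    value: str
    ioc_type: str
    first_seen: datetime
    last_seen: datetime
    comments: str
    attribution: str

    @property
    def claimed_groups(self) -> set:
        """The 'Bear' names the analyst recorded in the Comments column."""
        return {name + " Bear" for name in BEAR_RE.findall(self.comments)}

    @property
    def is_btc(self) -> bool:
        return self.ioc_type == "String" and BTC_RE.match(self.value) is not None

    @property
    def is_email(self) -> bool:
        return "@" in self.value


def parse_rows(table: str) -> list:
    """Parse the pipe-separated table; the first non-empty line is the header."""
    lines = [ln for ln in table.splitlines() if ln.strip()]
    indicators = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 7:
            raise ValueError(f"expected 7 columns, got {len(cells)}: {line!r}")
        value, ioc_type, _phase, first, last, comments, attribution = cells
        indicators.append(Indicator(
            value, ioc_type,
            datetime.strptime(first, "%m/%d/%Y"),
            datetime.strptime(last, "%m/%d/%Y"),
            comments, attribution,
        ))
    return indicators


def reused_btc(indicators: list) -> dict:
    """Bitcoin addresses seen on more than one day or under more than one claimed group.

    One address recurring across notes that name different Bears is the tell that
    a single operator is behind both, whatever the notes claim.
    """
    return {
        i.value: sorted(i.claimed_groups)
        for i in indicators
        if i.is_btc and (i.first_seen != i.last_seen or len(i.claimed_groups) > 1)
    }


def senders_by_domain(indicators: list) -> dict:
    """Sending addresses grouped by domain (the report notes each attack used a new one)."""
    grouped = defaultdict(list)
    for i in indicators:
        if i.is_email:
            grouped[i.value.split("@", 1)[1]].append(i.value)
    return dict(grouped)


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    print("reused addresses:", reused_btc(rows))
    print("senders by domain:", senders_by_domain(rows))
```

Running this over the full table from the CSV linked in the Indicators section gives the same single reused address the report describes; the parser raises on any row that does not have the seven expected columns, which is how a truncated or mis-pasted table row gets caught rather than silently dropped.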
Conclusion
Covidpapers Imposters claim to be Russian APT groups, but their TTPs do not match: genuine Fancy Bear, Cozy Bear and Venomous Bear operations are not known for e-mailed Bitcoin ransom demands, and the "WebAssembly flaw ... similar to Heartbleed or Shellshock" claim in the blackmail note is not a credible attack description. The actors experiment with various cyber-themed scams, and because their emails carry no payload for antivirus to flag, they can take advantage of users who are now worried about the possibility of being hacked.
Indicators
Download in CSV format: IR-20-318-002_Covidpapers Extort Leveraging DDoS.csv
Indicator | Type | Kill_Chain_Phase | First_Seen | Last_Seen | Comments | Attribution
15KJkDsa45DU9QG4KcNdprUy9RM18RBBpc | String | Delivery | 11/06/2020 | 11/06/2020 | rDDoS: Bitcoin address. Cozy Bear Imposters | Covidpapers Imposters
rasmus-myers@covidpapers.org | | Delivery | 11/06/2020 | 11/06/2020 | Blackmail Scam Your Website Was Hacked | Covidpapers Imposters
covidpapers[.]org | Domain | Delivery | 10/24/2020 | 11/06/2020 | rDDoS. Imposters. Scam | Covidpapers Imposters
server.covidpapers[.]org | Domain | Delivery | 10/24/2020 | 11/06/2020 | rDDoS. Imposters. Scam | Covidpapers Imposters
185.106.122.228 | IP | Delivery | 10/26/2020 | 11/03/2020 | rDDoS. Imposters | Covidpapers Imposters
185.11.145.5 | IP | Delivery | 10/26/2020 | 10/26/2020 | Scam | Covidpapers Imposters
185.183.98.14 | IP | Delivery | 09/15/2020 | 09/22/2020 | Serving scam and malware | Covidpapers Imposters
185.117.73.59 | IP | Delivery | 09/18/2020 | 11/11/2020 | Serving scam and malware | Covidpapers Imposters
vps.covidpapers[.]org | Domain | Delivery | 09/15/2020 | 09/22/2020 | Scam | Covidpapers Imposters
hxxp://185.183.98[.]14/abcfont.dll | URL | Delivery | 09/15/2020 | 09/22/2020 | Trojan.Trick | 
coronaxy[.]com | Domain | Delivery | 10/27/2020 | 11/05/2020 | rDDoS. Imposters. Scam | Covidpapers Imposters
dedi.coronaxy[.]com | Domain | Delivery | 10/27/2020 | 11/05/2020 | rDDoS. Imposters. Scam | Covidpapers Imposters
185.198.58.92 | IP | Delivery | 10/27/2020 | 11/03/2020 | rDDoS. Imposters. Scam | Covidpapers Imposters
e41fe685a98a7284eb80eb6eebf4dd3efac6461d6198cdcb059fce5c8ab3b5dc | SHA256 | Delivery | 10/24/2020 | 10/24/2020 | rDDoS email from Fancy Bear Imposters | Covidpapers Imposters
316ba12d41a4e681f768a02b42514d33d0c02b3dbaeaf009834282b0d22a2236 | SHA256 | Delivery | 10/24/2020 | 10/24/2020 | scam hacking ransom email | Covidpapers Imposters
71750b74e18430ccef5a87c2e39ead7bea0c07ac7ae48ac873d38d231974bb4d | SHA256 | Delivery | 11/03/2020 | 11/03/2020 | rDDoS email from Fancy Bear Imposters | Covidpapers Imposters
ace872e8cefc0891b36538ca9f5980b6f66bfd786365eb9f9f93e6105d1ddf10 | SHA256 | Delivery | 10/27/2020 | 10/27/2020 | rDDoS email from Cozy Bear Imposters | Covidpapers Imposters
albertrivera@coronaxy.com | | Delivery | 11/02/2020 | 11/02/2020 | rDDoS. Cozy Bear Imposters | Covidpapers Imposters
19GBGuXAfFFG3mSBPeYiFRtp7NASc4PWCH | String | Delivery | 11/02/2020 | 11/02/2020 | rDDoS. Cozy Bear Imposters | Covidpapers Imposters
jude_hernandez@covidpapers.org | | Delivery | 10/27/2020 | 10/27/2020 | rDDoS. Cozy Bear Imposters | Covidpapers Imposters
1nTMFPKKJQ32SvS9dgxJWtbK98PJ5cjJi | String | Delivery | 10/27/2020 | 10/27/2020 | rDDoS: Bitcoin address. Cozy Bear Imposters | Covidpapers Imposters
jeffrey_anderson@covidpapers.org | | Delivery | 10/24/2020 | 10/24/2020 | Hacking ransom scam | Covidpapers Imposters
12Z95gVqSmawDRAdC6PeUeKx4AeLSBknNx | String | Delivery | 10/24/2020 | 10/24/2020 | Hacking ransom scam | Covidpapers Imposters
adrian_myers@covidpapers.org | | Delivery | 10/24/2020 | 10/24/2020 | Targeting election-related website. rDDoS email from Fancy Bear Imposters | Covidpapers Imposters
19jzN84BmswK9FbxD9QYsKCSZiukRN9ehL | String | Delivery | 10/24/2020 | 10/24/2020 | Targeting election-related website. rDDoS email from Fancy Bear Imposters | Covidpapers Imposters
1LuTrhYV85QBsbkL9spUpPFs1y9BfrPYoJ | String | Delivery | 10/26/2020 | 10/26/2020 | rDDoS: Bitcoin address. Cozy Bear Imposters | Covidpapers Imposters
1QK4JambdtybVFFcWVSZoMQWnvgfT33oZ7 | String | Delivery | 10/25/2020 | 10/25/2020 | Blackmail Scam Your Website Was Hacked | Covidpapers Imposters
logan_peterson@covidpapers.org | | Delivery | 10/25/2020 | 10/25/2020 | Blackmail Scam Your Website Was Hacked | Covidpapers Imposters
jacob.turner@covidpapers.org | | Delivery | 10/25/2020 | 10/25/2020 | Blackmail Scam Your Website Was Hacked | Covidpapers Imposters
1HfqfM7FWAcUrDwVivQcocSxkAMdq8V8HV | String | Delivery | 10/25/2020 | 10/25/2020 | Blackmail Scam Your Website Was Hacked | Covidpapers Imposters
walter.carter@covidpapers.org | | Delivery | 10/25/2020 | 10/25/2020 | Blackmail Scam Your Website Was Hacked | Covidpapers Imposters
1GvrKZNdR2FbXtN1ETgmqao659Czoq446R | String | Delivery | 10/26/2020 | 10/26/2020 | rDDoS: Bitcoin address. Cozy Bear Imposters | Covidpapers Imposters
edward.martinez@coronaxy.com | | Delivery | 10/27/2020 | 10/27/2020 | rDDoS. Cozy Bear Imposters | Covidpapers Imposters
1CZdqcsf8fmVCrdWt6GdyxtSZjWGomRYd4 | String | Delivery | 10/27/2020 | 10/27/2020 | rDDoS. Cozy Bear Imposters | Covidpapers Imposters
jerry-cook@coronaxy.com | | Delivery | 10/28/2020 | 10/28/2020 | rDDoS. Fancy Bear Imposters | Covidpapers Imposters
16rNACx8frgupmnZGPkgka3nYtZENm23qP | String | Delivery | 10/28/2020 | 10/28/2020 | rDDoS. Fancy Bear Imposters | Covidpapers Imposters
daniel-carter@coronaxy.com | | Delivery | 10/28/2020 | 10/28/2020 | rDDoS. Cozy Bear Imposters | Covidpapers Imposters
13ngD984Cc2KrG9aH8cRSwok95fNPjnqD2 | String | Delivery | 10/28/2020 | 10/28/2020 | rDDoS. Cozy Bear Imposters | Covidpapers Imposters
patrick-wilson@coronaxy.com | | Delivery | 10/27/2020 | 10/27/2020 | rDDoS. Cozy Bear Imposters | Covidpapers Imposters
15vMyLZ5qZUxTkBWHGWuce9McqV4JaUW2q | String | Delivery | 10/27/2020 | 10/27/2020 | rDDoS. Cozy Bear Imposters | Covidpapers Imposters
eugenemitchell@coronaxy.com | | Delivery | 10/28/2020 | 10/28/2020 | scam. Fancy Bear Imposters | Covidpapers Imposters
1DJ4Ng8FdDwLRsGTAJZ2ApLcaaoXrvEVVk | String | Delivery | 10/28/2020 | 10/28/2020 | scam. Fancy Bear Imposters | Covidpapers Imposters
tony.moore@coronaxy.com | | Delivery | 10/28/2020 | 10/28/2020 | rDDoS. Cozy Bear Imposters | Covidpapers Imposters
16uUBcwHdFUvLFuZcJiM5QUqAavW16n283 | String | Delivery | 10/28/2020 | 10/28/2020 | rDDoS. Cozy Bear Imposters | Covidpapers Imposters
danny.martin@coronaxy.com | | Delivery | 10/27/2020 | 10/27/2020 | rDDoS. Cozy Bear Imposters | Covidpapers Imposters
1F47gsp9yzPhEGNxjFAJHMYr26VBzMsMPH | String | Delivery | 10/27/2020 | 10/28/2020 | rDDoS. Cozy Bear and Venomous Bear Imposters | Covidpapers Imposters
Serial: IR-20-318-002
Country: US, NL, RO
Report Date: 11/13/2020
Industries: Political, All
Red Sky Alliance has been tracking hacker threats for the past 7 years. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Red Sky Alliance can help protect against attacks such as these. We provide internal monitoring in tandem with RedXray notifications on "external" threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.
https://www.wapacklabs.com/redxray
Red Sky Alliance is located in New Boston, NH, USA.
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://redskyalliance.org/xindustry/fancy-bear-imposters-us-election "Fancy Bear Imposters Targeted US Election Information, Other Websites"
[2] https://virustotal.com/gui/file/e41fe685a98a7284eb80eb6eebf4dd3efac6461d6198cdcb059fce5c8ab3b5dc/
[3] https://virustotal.com/gui/file/316ba12d41a4e681f768a02b42514d33d0c02b3dbaeaf009834282b0d22a2236/content/
[4] https://bitcoinabuse.com/reports/1F47gsp9yzPhEGNxjFAJHMYr26VBzMsMPH