Covidpapers Extort Leveraging DDoS and Exposure Fears

Previously, Red Sky Alliance reported on Fancy Bear imposters demanding a Bitcoin ransom from a Florida election information website.  These actors send various ransom/scam demands using the coronavirus-themed domains covidpapers[.]org and coronaxy[.]com.  In some cases they threaten to expose allegedly hacked personal files; in other cases, they threaten a DDoS attack.  They often claim to be Russian government hackers, pretending to be Fancy Bear, Cozy Bear, or Venomous Bear.  Their ransom emails typically do not include actual viruses, which allows them to avoid certain antivirus protections.

Details

On 29 October 2020, Red Sky Alliance issued an alert on Fancy Bear Imposters attempting extortion by threatening to take down a website related to the 2020 US Presidential Elections.[1]  In this report, we look deeper into various attacks using the same infrastructure. Given one of the domains these attackers are using (covidpapers[.]org) and their actions (posing as Fancy Bear and other APTs), we will call them Covidpapers Imposters.

Extorting Florida Voter-Related Website

Red Sky Alliance detected a ransom note sent on October 24, 2020 (Figure 1).  The note is addressed to a Florida county Supervisor of Elections (SOE).  The impersonator claims that the county site showing voting information will be taken down one day before the US Presidential Election unless a ransom is paid.  The letter demands that $1,100 be sent to a Bitcoin address:

“The current fee is $1100(USD) in Bitcoins (BTC). The fee will increase by 1000 USD for each day after 2020 November 2nd that has passed without payment. Please send Bitcoin to the following Bitcoin address (cAsE-SeNsitIve): 19jzN84BmswK9FbxD9QYsKCSZiukRN9ehL”.[2]

The email also says there will be a smaller 30-minute DDoS attack on the website to prove that the senders are capable of a DDoS (Figure 1).

Figure 2. Fancy Bear impersonation DDoS note sent to a US county Supervisor of Elections (SOE)

Despite the threat, the website was still accessible the day before the November US Presidential Election.

Coronavirus-Themed Domains and Bitcoin Addresses

The rDDoS (ransom DDoS) email to the voting site was sent from covidpapers[.]org.  While analyzing the Covidpapers Imposters' malicious infrastructure, we detected many similar ransom/scam notes sent from this domain and from a similar coronavirus-themed domain, coronaxy[.]com.

While the attacks coming from these domains are scams, some of the connected IP addresses have been seen serving malware: 185.183.98.14 and 185.117.73.59 (both are AS 60117, Host Sailor Ltd., Netherlands).

At the end of this report, we attach various indicators regarding Covidpapers Imposters: domains, IPs, hashes, emails, and Bitcoin addresses.  The observed attacks had unique sending email addresses (on either of the two sending domains).  The Bitcoin addresses were also mostly unique, but we detected a rare case in which the same Covidpapers Imposters Bitcoin address was reused in two different attacks.

Three Types of Scam

The voter-related site described above, and several other domain owners were hit by Covidpapers Imposters with ransom DDoS notes.

Other website owners received a ransom/scam note from Covidpapers Imposters claiming their site was hacked and threatening to leak personal files.

Finally, another scam from Covidpapers Imposters is not specifically targeting domain/site owners, but generally states that the receiver of the email was hacked and needs to pay them in Bitcoins:

“[…]== PLEASE TAKE THIS SERIOUSLY[…]==

If you think corona was a big threat for you, think again...

Your device was not properly secured and we have managed to access your accounts and get private, sensitive and confidential information about you.

We have downloaded full list of your contacts from social networks and e-mail, as well as your passwords, browsing history, private photos and videos.[…]

If you don't believe us, take a look at this report:

hxxp://covidpapers[.]org/zip/anya.r[..]@camelotgroup.co.uk

track=MT[…]jw

[…] we have inserted our code on one of the websites that you have visited and then used WebAssembly flaw to take control of your device.

It is similar technique to Heartbleed or Shellshock, […]

Just think about it - we will be able to publish your sensitive data (like photos, videos or passwords) online, send it to your contacts (wife, boss, collegues, friends, etc.) and/or sell it on a d@rknet.”[3]

 

Testing All Kinds of Bears (Impersonating Russian APT)

While in the last example listed above Covidpapers Imposters did not claim to be a Bear (a Russian APT: government-connected hackers), in most of the other observed cases they did:

After impersonating Fancy Bear on 24 October 2020, in the following days the same actors were seen in similar rDDoS attempts impersonating another Russian APT group, Cozy Bear:

“We are the Cozy Bear and we have chosen your company as target for our next DDoS attack. Please perform a google search for "Cozy Bear" to have a look at some of our previous work. Your network will be subject to a DDoS attack starting at 2020 November 2nd (Monday). THIS IS NOT A JOKE, and to prove it right now we will start a small attack on www.[…].com that will last for 30 minutes. It will not be heavy attack, at this moment.”

Yet in another case, Covidpapers Imposters reused the same Bitcoin address while impersonating different groups. On 27 October 2020, they pretended to be Cozy Bear, and the next day they followed with another rDDoS attack featuring the same Bitcoin address, but now claiming to be Venomous Bear:

“We are the Venomous Bear and we have chosen your company as target for our next DDoS attack.”[4]
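The wallet reuse described above is something a mail-triage pipeline can surface automatically. The following Python sketch is an added example, not part of the original report: it extracts the claimed "Bear" persona, the sender domain and any legacy Bitcoin address from each message, then flags wallets demanded under more than one identity. The sample messages are constructed; their sender local parts, and which sender goes with which wallet, are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample messages. Domains, quoted phrases and Bitcoin addresses
# come from the report; sender local parts and sender/wallet pairing are made up.
SAMPLES = [
    {"date": "2020-10-24", "from": "sender-a@covidpapers.org",
     "body": "We are the Fancy Bear ... Please send Bitcoin to the following "
             "Bitcoin address (cAsE-SeNsitIve): 19jzN84BmswK9FbxD9QYsKCSZiukRN9ehL"},
    {"date": "2020-10-27", "from": "sender-b@coronaxy.com",
     "body": "We are the Cozy Bear and we have chosen your company as target "
             "for our next DDoS attack. 1F47gsp9yzPhEGNxjFAJHMYr26VBzMsMPH"},
    {"date": "2020-10-28", "from": "sender-c@coronaxy.com",
     "body": "We are the Venomous Bear and we have chosen your company as "
             "target for our next DDoS attack. 1F47gsp9yzPhEGNxjFAJHMYr26VBzMsMPH"},
]

# Legacy (Base58) Bitcoin address shape: no 0, O, I or l in the alphabet.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
PERSONA_RE = re.compile(r"\bWe are the (\w+ Bear)\b", re.I)

def extract(msg):
    """Pull the correlation keys out of one message."""
    persona = PERSONA_RE.search(msg["body"])
    return {
        "date": msg["date"],
        "sender_domain": msg["from"].rsplit("@", 1)[-1].lower(),
        "persona": persona.group(1).title() if persona else None,
        "wallets": sorted(set(BTC_RE.findall(msg["body"]))),
    }

def correlate(messages):
    """Group personas, sender domains and dates by wallet."""
    by_wallet = defaultdict(
        lambda: {"personas": set(), "domains": set(), "dates": set()})
    for rec in map(extract, messages):
        for wallet in rec["wallets"]:
            entry = by_wallet[wallet]
            entry["domains"].add(rec["sender_domain"])
            entry["dates"].add(rec["date"])
            if rec["persona"]:
                entry["personas"].add(rec["persona"])
    return dict(by_wallet)

def persona_conflicts(by_wallet):
    """Wallets demanded under more than one claimed identity."""
    return {w: sorted(e["personas"])
            for w, e in by_wallet.items() if len(e["personas"]) > 1}

if __name__ == "__main__":
    for wallet, personas in persona_conflicts(correlate(SAMPLES)).items():
        print(wallet, "claimed by", personas)
```

A wallet that appears under two unrelated APT names is a strong sign of a single imposter campaign, and the same grouping can be keyed on sender domain to tie new messages to known infrastructure.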

Conclusion

Covidpapers Imposters try to pass as a Russian APT, but their TTPs do not match.  They experiment with various cyber-related scams, and because their emails may avoid detection, they can take advantage of users who are now worried about the possibility of being hacked.

Indicators

Download in CSV format: IR-20-318-002_Covidpapers Extort Leveraging DDoS.csv


 

Serial: IR-20-318-002

Country: US, NL, RO

Report Date: 2020132020

Industries: Political, All 

Red Sky Alliance has been tracking hacker threats for the past 7 years.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

 

Red Sky Alliance can help protect against attacks such as these.  We provide internal monitoring in tandem with RedXray notifications on ‘external’ threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.

https://www.wapacklabs.com/redxray

Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

 

 

[1] https://redskyalliance.org/xindustry/fancy-bear-imposters-us-election “Fancy Bear Imposters Targeted US Election Information, Other Websites”

[2] virustotal.com/gui/file/e41fe685a98a7284eb80eb6eebf4dd3efac6461d6198cdcb059fce5c8ab3b5dc/

[3] virustotal.com/gui/file/316ba12d41a4e681f768a02b42514d33d0c02b3dbaeaf009834282b0d22a2236/content/

[4] Bitcoinabuse.com/reports/1F47gsp9yzPhEGNxjFAJHMYr26VBzMsMPH
