In this attack, attackers impersonate the US Department of Health and Human Services in order to install malware on employees’ devices.
Platform: Office 365
Email Security Bypassed: Ironport
Mailboxes: 50,000 to 70,000
Payload: Java Network Launch Protocol (.jnlp) Attachment
Setup: The COVID-19 pandemic continues to cause widespread duress, meaning any news of a vaccine is likely to pique the interest of recipients.
Email Attack: This attacker has altered their display name to appear as ‘health & human services’ and includes U.S. Department of Health & Human Services|HHS] [sic] in their signature in order to appear as a trustworthy source. This attack targets all employees at an organization; the email claims that the attached file contains information on vaccines in trial and where to receive vaccines nearby.
Payload: This attack’s payload is in the attachment of the email. If the recipient downloads and runs the file (.jnlp – Java Network Launch Protocol format), they are at risk of installing malware.
Result: If the recipients fall for this attack, they are at risk of losing control of their device as well as allowing attackers to access sensitive personal and organizational information.
Relevance: As the world continues to tackle COVID-19, vaccines are touted as the ‘cure-all’ for the pandemic. As a result, this email attack preys on individuals’ concerns and inherent curiosity, making it more likely that they will engage with the attack.
Impersonation: The attacker impersonates the US Department of Health and Human Services. Employees are more likely to engage and download an attachment from a ‘trustworthy, known’ source.
Undetected by Antivirus: The attached .jnlp file is a vehicle for the malware attack. These types of files are able to launch Java programs remotely and then install malware on the victim’s device. When the file is run through VirusTotal, it returns as safe – these types of attacks are especially dangerous since they can bypass antivirus software.
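A .jnlp file is an XML descriptor that names the JAR files Java Web Start should download and run, so a mail filter can read the attachment itself to see where the code would come from. The following is an added example, not code from Abnormal Security or from the original page: it pulls .jnlp attachments out of a raw message and reports the remote hosts and the permission request in each descriptor. The function names, the sample message and the `.example` hostnames are assumptions constructed for illustration.

```python
import email
import xml.etree.ElementTree as ET
from email import policy
from email.message import EmailMessage
from urllib.parse import urljoin, urlparse

# Constructed sample data (descriptor and message); hosts use the reserved .example TLD.
SAMPLE_JNLP = b"""<jnlp spec="1.0+" codebase="http://files.example/app">
  <security><all-permissions/></security>
  <resources><jar href="viewer.jar"/></resources>
  <application-desc main-class="Main"/>
</jnlp>"""

def inspect_jnlp(data: bytes) -> dict:
    """Summarise what a JNLP descriptor asks Java Web Start to fetch and run."""
    # Refuse DTDs up front: ElementTree expands internal entities (entity bombs).
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return {"parse_error": "DTD or entity declaration present"}
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return {"parse_error": str(exc)}
    codebase = root.get("codebase", "")
    base = codebase.rstrip("/") + "/" if codebase else ""
    jars = [urljoin(base, j.get("href", "")) for j in root.iter("jar")]
    hosts = {urlparse(u).hostname for u in jars + [codebase]}
    return {
        "jars": jars,
        "remote_hosts": sorted(h for h in hosts if h),
        "all_permissions": root.find("./security/all-permissions") is not None,
    }

def scan_message(raw: bytes) -> list:
    """Return (filename, findings) for each JNLP attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".jnlp") or part.get_content_type() == "application/x-java-jnlp-file":
            hits.append((name, inspect_jnlp(part.get_payload(decode=True) or b"")))
    return hits

def sample_message() -> bytes:
    m = EmailMessage()
    m["From"] = '"health & human services" <sender@mail.example>'
    m.set_content("See attached.")
    m.add_attachment(SAMPLE_JNLP, maintype="application",
                     subtype="x-java-jnlp-file", filename="Vaccines.jnlp")
    return m.as_bytes()
```

Any hit from `scan_message` is a reasonable quarantine trigger for inbound mail, and the reported hosts give responders something to block or hunt for in proxy logs.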
© 2020 Abnormal Security Corporation.
All rights reserved.