SBA Spoofed in COVID-19 Spam to Deliver Remcos RAT

Between late March and mid-April 2020, IBM X-Force Incident Response and Intelligence Services (IRIS) uncovered a phishing campaign targeting small businesses with emails that appear to originate from the U.S. Government Small Business Administration (SBA.gov). The emails carry subjects and attachments about the need for small businesses to apply for disaster relief loans, or about the status of an application, following the impact of the ongoing COVID-19 pandemic; opening the attachments ultimately delivers malware. These emails may coincide with a notification from the SBA that some small business loan applicants potentially had their personally identifiable information (PII) exposed, data that cybercriminals could be using to compose target lists.


On March 27, 2020, $376 billion in relief payments for workers and small businesses was allocated via the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The U.S. SBA and the Department of Treasury are the designated outlets for information and guidance on the implementation of the CARES programs. With applicants watching for news about their applications, these fake emails are evidence that malicious actors are already exploiting the reliance on digital updates that many expect as they wait to receive the allocated federal aid.


Booby-Trapped Emails Deliver Concealed Payloads


The SBA-spoofing spam activity we analyzed includes several emails sent from late March to mid-April 2020. All of the emails used a multi-stage execution chain, starting with the GuLoader downloader, which then delivers the remote-access tool Remcos RAT.


GuLoader is a malicious downloader ..
