Between late March and mid-April 2020, IBM X-Force Incident Response and Intelligence Services (IRIS) uncovered a phishing campaign targeting small businesses that appears to originate from the U.S. Government Small Business Administration (SBA.gov). The emails, which contain subjects and attachments related to the need for small businesses to apply for disaster relief loans or provide application status following the impact of the ongoing COVID-19 pandemic, ultimately deliver malware to those who open the attachments. These emails may coincide with a notification from the SBA regarding some small business loan applicants who potentially had their personally identifiable information (PII) exposed, possibly being used by cybercriminals to compose target lists.
On March 27, 2020, $376 billion in relief payments for workers and small businesses was allocated via the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The U.S. SBA and the Department of Treasury are the designated outlets for providing information and guidance on the implementation of the CARES programs, but with people looking out for their applications, these fake emails are evidence of malicious actors already exploiting reliance on digital updates, which many are expecting as they plan to receive the allocated federal aid.
Booby-Trapped Emails Deliver Concealed Payloads
The SBA-spoofing spam activity we analyzed includes several emails sent from late March to mid-April 2020. All emails contained multi-stage execution, starting with the GuLoader downloader to deliver the remote-access tool, Remcos RAT.
GuLoader is a malicious downloader that has been used extensively between 2019 and 2020 to deliver a variety of malware. Written in Visual Basic, this code’s main functionality is contained within encrypted shellcode that it decrypts and executes. In the cases we examined, the shellcode downloaded the encrypted payload from a hardcoded Google Drive URL and then decrypted and loaded it into a running instance of itself via process injection.
The downloaded binaries we examined are XOR decrypted using a hardcoded key extracted from the GuLoader. IRIS identified the downloaded binary as the credential-stealing malware Remcos RAT, version 2.5.0 Pro. In some of the GuLoader samples we analyzed, we found that the shellcode will download the encrypted payload from the URL hxxps[:]//cqjcc[.]org/builf2_encrypted_96DB6DF.bin, which is the same payload hosted on the Google Drive URLs.
A closer look at the Remcos RAT samples we found show that each binary stores its configuration as an RC4-encrypted resource named “SETTINGS”. The configuration can be extracted and decrypted using a script created by Cisco Talos. The Remcos RAT samples we decrypted contain several abilities, including the following:
- File management
- Screen grabbing
- Command execution
- C&C communication
- Webcam and microphone access
- Browser history and password scraping
Remcos RAT is a surveillance tool that poses as legitimate software and has previously been observed being used in global hacking campaigns. The access tool is described as a legal IT management software, but it has historically allowed malicious users to deliver malware discretely in order to surveil a targeted system.
Disaster Relief Email Samples Spoofing the SBA
The following sections give more specific information on the emails we found to be spoofing messages from the SBA, and the characteristics of the attachments they contained.
On March 23, 2020, an email was sent with the subject line, “Small Business Grant/Testing Centre Vouchers,” appearing to confirm that the status of an application was complete. The email instructs the recipient to sign and upload the attachment SBA_Disaster_Application_Confirmation_Document.img to the SBA website.
From the email sent on March 23, IRIS was able to find at least seven additional emails containing similar structure, subjects and lures. On April 2, 2020, two emails were sent to small businesses with the subject line “EXTERN: SBA Grant/Testing Centre Vouchers.” On April 6 and April 7, a total of three emails were sent to small businesses with the subject line “SBA Grant Application Status.”
Finally, an email was sent on April 16 with the subject line “SBA Grant/Testing Centre Vouchers.” All six emails contained the same content, confirming that the recipient’s submitted application was complete and instructing them to sign the attached, completed request for Transcript of Tax Return IRS form 4506-T. In addition, vouchers (disk image files) were also attached, with names such as:
On April 15, 2020, an eighth email was sent to a small business with the subject line “SBA Payroll Protection Program Status” and a different disk image file, SBA_Payroll_Protection_Application_Documents_Prom_Note_Benefi.exe.img, attached. The contents of this email informed the recipient that documents for the Paycheck Protection Program needed to be downloaded, signed and uploaded to the SBA portal.
At first glance, the emails appear to be sent from the email [email protected], but they are written with poor grammar and spelling. Examination of one of the emails’ headers revealed the return path to be that of a legitimate company’s German domain, which was likely compromised to send out this type of spam.
Examining the email attachments, IRIS found that they are Universal Disk Format (UDF) image files containing the malicious executable files that ultimately deliver the credential-stealing Remcos RAT.
GuLoader in Disk Image Files
The facilitator that downloads the delivered Remcos RAT in the samples we analyzed is the downloader GuLoader. We found that the .img UDF files, when decompressed, are GuLoader executables. When the user double clicks on the UDF attachment, it is mounted and presented in explorer as if it were a CD or disk. The enclosed executable then uses a PDF icon, so the user thinks they’re opening a PDF, but it’s actually a GuLoader executable. All GuLoader samples that we analyzed are UDF filesystem version 1.5 with a drive name of either SBA_Gov_CD or ADOBE_CD, and were extracted with the following file names:
The GuLoader files persist on infected devices by copying themselves to a sub-folder of the %USERPROFILE% directory. GuLoader will then generate a VB script file in the same folder with the functionality to execute the binary and then add this VBS file to the RunOnce registry key. For example, one of the analyzed GuLoader samples we saw copies itself to %USERPROFILE%\UNNAILEDFULF\Brystbenene6.exe. It then generated the VBS file C:\Users\[username]\UNNAILEDFULF\Brystbenene6.vbs, which contained the following code:
Set W = CreateObject(“WScript.Shell”)
Set C = W.Exec (“C:\Users\reuser\UNNAILEDFULF\Brystbenene6.exe”)
This VBS file is then added to the RunOnce registry key:
Note that the file paths and registry key names differ per sample.
The secondary payload was a binary of the Remcos RAT, paid version 2.5.0 Pro.
Malicious COVID-19-Themed Activity Continues to Rise
X-Force IRIS is following the continually rising scale of malicious activity riding the COVID-19 pandemic trend. Our team maintains ongoing updates on the subject on X-Force Exchange and on TruSTAR.
As small businesses throughout the U.S. are impacted by the commercial effects of the ongoing COVID-19 pandemic, cybercriminals are trusting that people will be on the lookout for information regarding relief payments and more likely to open unsolicited emails purporting to come from relevant entities. The suspicious emails uncovered by X-Force are evidence of actors exploiting the reliance of individual users and small businesses on digital updates to obtain guidance on how to receive federal aid.
As the pandemic situation continues to unfold, it is highly likely that we will see additional malicious cyber actors conducting related campaigns, given the public’s interest in government relief and the large amount of federal funding allocated for relief during the COVID-19 crisis.
Indicators of Compromise (IoCs)
|File name||MD5 Hash||Description|