Microsoft warns of COVID-19 phishing spreading info-stealing malware

Microsoft has discovered a new phishing campaign that uses COVID-19 and its economic fallout as a lure against businesses to distribute the LokiBot information-stealing Trojan.

In a tweet published today by Microsoft Security Intelligence, Microsoft explains that it recently discovered a phishing campaign that uses COVID-19 lures to distribute the LokiBot information-stealing Trojan.

Once installed, LokiBot steals login credentials saved in web browsers, FTP clients, e-mail clients and terminal programs and sends them back to the attacker’s server, where the attacker can retrieve them later.

Microsoft detected the attack using Microsoft Threat Protection’s machine learning algorithms, and all customers running Microsoft Defender were automatically protected.

Phishing campaigns use COVID-19 lures

According to Microsoft, both new phishing campaigns use COVID-19 lures to entice recipients into opening malicious attachments.

The first phishing email Microsoft saw illustrates how cybercriminals follow the latest news and adapt their lures to whatever their targets are currently most worried about.

In this email, the threat actors pose as representatives of the CDC offering the latest information on the virus and a new Disease Control and Prevention business plan to be launched in 2020.


The second email follows a more common COVID-19 lure: the sender claims to be a vendor and asks for updated bank details so that payments can be processed.


Both emails carry ARJ attachments containing executable files disguised as PDF files.

ARJ files are archives that some scanners skip, especially when they are password-protected. Microsoft Defender and Office 365 scan these files when they arrive by e-mail, and scan them again when the file is downloaded or unpacked, Tanmay Ganacharya, director of security research at Microsoft Threat Protection, told BleepingComputer in an e-mail.
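The ARJ-in-the-mail trick above can be triaged at a mail gateway without extracting anything. What follows is an added example, not code from Microsoft or from BleepingComputer: it walks the ARJ header chain (header id, basic header, header CRC, extended headers, then the member’s stored bytes) and flags members matching the lure described here, an executable named as a PDF or a password-garbled member that no scanner can inspect. The archive it inspects is constructed in memory with uncompressed (method 0) members; real attachments carry compressed data, which the walker skips by size.

```python
import struct
import zlib
MAGIC = b"\x60\xea"   # ARJ header id; the same two bytes identify an ARJ attachment
GARBLED = 0x01        # arj flags bit: member is password-protected ("garbled")
FIXED = "<8B4L3H"     # basic header fixed part: [0] first_hdr_size [4] flags [6] file type [9] compressed size

def build_member(name, data, flags=0, file_type=0):
    """Constructed sample input: a basic header (main header if file_type == 2) + stored data."""
    fixed = struct.pack(FIXED, 30, 11, 1, 0, flags, 0, file_type, 0,
                        0, len(data), len(data), zlib.crc32(data), 0, 0, 0)
    basic = fixed + name.encode("latin-1") + b"\x00\x00"      # filename + empty comment
    return (MAGIC + struct.pack("<H", len(basic)) + basic
            + struct.pack("<L", zlib.crc32(basic)) + b"\x00\x00" + data)

def iter_members(buf):
    """Walk the header chain; yield (filename, flags, first two payload bytes) per member."""
    pos = 0
    while buf[pos:pos + 2] == MAGIC:
        size = struct.unpack_from("<H", buf, pos + 2)[0]
        if size == 0:                                   # basic size 0 ends the archive
            return
        f = struct.unpack_from(FIXED, buf, pos + 4)
        name = buf[pos + 4 + f[0]:buf.index(b"\x00", pos + 4 + f[0])].decode("latin-1")
        end = pos + 4 + size
        if zlib.crc32(buf[pos + 4:end]) != struct.unpack_from("<L", buf, end)[0]:
            raise ValueError("basic header CRC mismatch for %r" % name)
        pos, ext = end + 6, struct.unpack_from("<H", buf, end + 4)[0]
        while ext:                                      # skip the extended header chain
            pos, ext = pos + ext + 6, struct.unpack_from("<H", buf, pos + ext + 4)[0]
        if f[6] != 2:                                   # file type 2 = main header, no data
            yield name, f[4], buf[pos:pos + 2]
            pos += f[9]
    raise ValueError("no ARJ header at offset %d" % pos)

def triage(buf):
    """Reasons to hold the attachment for detonation instead of delivering it."""
    reasons = []
    for name, flags, head in iter_members(buf):
        low = name.lower()
        if flags & GARBLED:
            reasons.append("password-protected member, content unscannable: " + name)
        if ".pdf" in low and low.endswith((".exe", ".scr")):
            reasons.append("executable disguised as a PDF: " + name)
        elif head == b"MZ" and not low.endswith((".exe", ".scr")):
            reasons.append("MZ executable under a non-executable name: " + name)
    return reasons

def sample_archive():   # constructed: a lure like the article's plus a password-garbled member
    return (build_member("plan.arj", b"", file_type=2) + build_member("CDC_Update.pdf.exe", b"MZ\x90\x00")
            + build_member("notes.txt", b"\x13\x37", flags=GARBLED) + MAGIC + b"\x00\x00")
```

A garbled member yields no readable payload, so the name and flag checks are all a gateway can do with it; that is exactly why such attachments deserve detonation rather than delivery.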

If the victim opens the attached file, the LokiBot Trojan is installed, and the passwords stored in the victim’s browsers and applications are harvested and exfiltrated.

“Microsoft Defender’s advanced detection technologies, including behavioral and machine learning detections, immediately began to block this attack. A more in-depth analysis of the blocked attacks then allowed us to define the comprehensive campaign in detail,” says Ganacharya.

Machine learning plays an important role

Through the Microsoft Intelligent Security Graph, Microsoft collects trillions of signals from program behavior, scan engines, customers and partners and feeds them into machine learning algorithms to detect new threats.

“We see many advantages in the use of machine learning, and we are in a very unique position here at Microsoft because of the quality and variety of the 8.2 trillion signals we process every day using the Microsoft Intelligent Security Graph,” Ganacharya said.

“Although anyone can create machine learning models, the quality of the training set and the labeled data we have determines the quality of the output of these models, and that is a unique strength of Microsoft.”

“The quality of the machine learning models is an important distinguishing factor because these models help to capture the latest types of malware and the latest attack techniques. As attackers change their lures and payloads to exploit our fears and our desire for information about COVID-19, this is particularly important.”

“We have invested heavily in adding machine learning systems to Defender, including behavioral rules, memory scanning, collecting metadata and related file details, and using these signals in our client-side and cloud-based machine learning models to ensure protection for everyone, including patient zero,” Ganacharya concluded.

Microsoft’s machine learning algorithms were also used in July 2019 to stop a large-scale phishing attack that attempted to deliver a LokiBot payload.