G Data warns of an active spam campaign: Alleged corona health and safety rules contain malware. Criminals are currently sending a document with allegedly changed corona occupational safety rules. The mail is disguised as information from the Ministry of Health.
An email allegedly from the Federal Ministry of Health contains a downloader for malware. The file attachment with the name "Bund-Arbeitsschutzregel-Corona-September.zip" allegedly contains a document with updated and now binding rules for infection protection at the workplace. The text of the mail suggests that companies are the primary target group. For this reason, companies currently need to be particularly careful when emails purporting to come from authorities arrive in their mailboxes. We are aware of reports of currently active infections.
"The corona pandemic is still causing a lot of uncertainty - and the mixture of a lot of home office and hygiene rules in the workplace actually poses great challenges for employers," says Tim Berghoff, Security Evangelist at G DATA CyberDefense. "For this very reason, those responsible should take a very close look and only trust official sources. Because an infection with malware is even less useful for companies at the moment than it already is."
Attackers take advantage of the ignorance of employees and companies
The text of the mail refers to a meeting between EU health ministers at which the updated regulations were revised. It might even be true that such a meeting took place. However, ministries usually do not send such information by e-mail but publish it on a separate portal. There is no proactive mailing.
Furthermore, the e-mail text refers to a meeting that took place "today". There are also some character errors in the mail, affecting especially the letters U, W, C and D as well as umlauts. The email also carries an incorrect sender address that refers to "bundesministerium-gesundheit.com", but this domain does not belong to the Ministry of Health. The address mentioned in the email text, "[email protected]", is actually correct.
A well-designed spam campaign is particularly helpful in the first place
To protect themselves against a malware infection from an e-mail in such a spam campaign, companies and private individuals should obtain all information about the COVID-19 pandemic and the corresponding protective measures exclusively from official sources. All current information about Corona and COVID-19 is collected on the website of the Federal Ministry of Health (BMG).
By the way, another email with the same malicious function is currently circulating in the form of a fake application letter. One of the names used for the supposed application is "Claudia Alick".
The fact that criminals use the pandemic as a lever for their activities is not new: at the beginning of the pandemic, fraudsters caused the disbursement of financial aid to companies at risk to be temporarily suspended.
Malicious functions of the script loader “Buer”
According to current knowledge, the mail attachment contains a JScript loader called "Buer", which in turn downloads further malware from the Internet. That malware is NuclearBot, a banking Trojan that targets, among other things, the passwords of bank accounts.
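A mail-gateway triage check for the two indicators described above (a sender domain that does not belong to the ministry, and a zip attachment carrying a script file), as an added example that is not taken from G DATA's analysis. The allow-listed domain, the `info@` local part, the archive member name and the function names are assumptions; the sample message is constructed and carries no payload.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: domains the organisation accepts as the ministry's own.
OFFICIAL_DOMAINS = {"bundesgesundheitsministerium.de"}
# Script types that Windows Script Host or mshta run on double-click.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")

def triage(raw: bytes) -> list[str]:
    """Return the findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    is_official = domain in OFFICIAL_DOMAINS or domain.endswith(
        tuple("." + d for d in OFFICIAL_DOMAINS))
    # Flag mail that presents itself as a ministry but comes from elsewhere.
    if "ministerium" in (display + domain).lower() and not is_official:
        findings.append(f"sender domain {domain!r} is not an official ministry domain")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        try:  # member names stay readable even in password-protected zips
            members = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            continue  # not a zip archive
        for member in members:
            if member.lower().endswith(SCRIPT_EXTENSIONS):
                findings.append(f"archive {name!r} contains script {member!r}")
    return findings

def build_sample() -> bytes:
    """Constructed sample: lookalike sender, zip holding a harmless .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Arbeitsschutzregel.js", "// constructed placeholder, no payload")
    msg = EmailMessage()
    msg["From"] = "Bundesministerium <info@bundesministerium-gesundheit.com>"
    msg.set_content("Constructed body.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Bund-Arbeitsschutzregel-Corona-September.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

A script file inside an archive is a policy signal rather than proof of Buer; the check only tells the gateway which messages to quarantine for analysis.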
More on this in the blog at GData.de