There is no honor among thieves, and in particular among those thieves who are seeing a COVID-19 pandemic business opportunity in cyberspace. Despite the warnings issued by public and private organizations, themed phishing campaigns, fake Coronavirus tracking apps loaded with malware and deceptive COVID-19 websites continue to take a toll on individuals and enterprises.
Not a day seems to pass without news of some kind of threat exploiting and capitalizing on the current climate of fear and uncertainty.
With the global adoption of social distancing measures, remote working has increased exponentially since the beginning of the pandemic. Many organizations have taken advantage of this situation to implement remote access projects and deploy technologies to extend productivity beyond the traditional corporate walls more quickly than they would have without COVID-19.
In the last few months, this has meant a seismic shift to cloud applications, collaboration and conferencing tools, and mass adoption of remote access technologies (traditional VPNs or Zero Trust access).
These factors have dramatically accelerated the breaking down of the traditional corporate perimeter, leaving organizations exposed to new risks. Remote workers are now the weakest link of the enterprise and easy prey for cyber-criminals. They are more vulnerable for several reasons: firstly because of the emotional distress COVID-19 brings - concern for the current situation as well as future implications - and secondly, because, in most cases, remote working has been enforced without educating employees about the risks.
Another reason is because many of the recent remote access projects have been implemented as part of a contingency plan rather than a strategic business approach, prioritizing productivity over security, and without a thorough analysis of the implications on security and additional pressure on existing on-prem infrastructure.
As a result, it’s no surprise that cyber-criminals have quickly found easy ways to exploit the current landscape. For example, phishers have seen collaboration platforms as low-hanging fruit, and in practice any service - whether it’s Zoom, Webex or Teams - has almost immediately been impersonated in malicious phishing campaigns.
Of course, phishing is not the only threat affecting remote workers. We have seen a proliferation of malicious campaigns relying on fear or finance to lure the victims to install malware by clicking on a malicious attachment. In these cases, serving the malware from a cloud service is particularly effective with remote workers.
With traditional VPN models, organizations backhaul all the endpoint traffic to the corporate termination point. This model doesn’t fit with the nature of cloud traffic and there are non-negligible impacts on bandwidth consumption, performance and user experience (consider the example of cloud conferencing applications). This has led organizations to disable the split tunneling resulting in a loss of visibility (and security) of traffic outside of the VPN tunnel.
This shadow traffic, made of personal and unsanctioned cloud applications, poses a serious risk because it isn’t inspected and creates a gate to corporate resources.
In this context, GuLoader is particularly interesting. GuLoader is a malware downloader, first observed in late December 2019 when it was used to distribute the Parallax Remote Access Tool. Since then, it has become more and more popular, and has been used to distribute different malicious payloads, including the AgentTesla keylogger, the NanoCore RAT (both used in COVID-19 themed campaigns), as well as additional remote access tools like Netwire, and Remcos.
The interesting aspect of GuLoader is its ability to download the encrypted payload from cloud services like Google Drive or OneDrive - more proof that the cloud is as compelling for cyber-criminals as it is for businesses.
Cloud services are particularly advantageous for malicious actors, since they offer simplified hosting, are easy to manage, allow a lot to switch between different payloads and provide better evasion capabilities as they are implicitly trusted or whitelisted. Additionally, legacy web security defences, which weren’t designed to inspect cloud services, lack context i.e. is this a corporate or personal cloud service, and are unable to understand the language of APIs that drive the modern web.
GuLoader has jumped on the COVID-19 bandwagon, and is being used by threat actors in multiple malware distribution campaigns with a similar modus operandi. GuLoader is delivered to the victim via emails resembling those that come from the World Health Organization, and is disguised as an e-book that provides guidance on how to be protected during the outbreak. Once opened it downloads and executes the FormBook information stealer directly from Google Drive.
FormBook is a malware available as-a-service, and relatively easy to set up and operate - even for low-skilled criminals. Unfortunately, it is simple and very dangerous. The malware can steal multiple types of information such as keystrokes, clipboard, and authentication data from the browser session.
Unfortunately, COVID-19 is presenting criminals with an opportunity to exploit multiple evasion techniques: the emotional distress of the victim - amplified under the pandemic - the authority of a trusted international organization (directly involved in the fight against the virus), and a familiar service like Google Drive.
When implementing a remote access solution, organizations must consider educating users, and making cloud-native security a core component of the solution, and not as an optional add-on.