The whole transition towards distance learning has been making things harder for teachers all around the world. The struggle does not end there as Proofpoint researchers have recently observed a brand new targeted campaign aiming to infect teachers' computers with ransomware, according to an article by Tech Radar.
Cyber criminals 2020: New Strategy
The campaign utilizes messages where the actual attacker pretends to be a guardian or parent trying to submit an online assignment on behalf of a particular student that would reportedly be experiencing technical issues trying to submit the assignment themselves. Instead of actually attaching the given assignments, the attacker actually attaches a particular malicious document that in turn downloads a sort of custom ransomware payload.
Proofpoint researchers were able to discover an odd targeted email campaign during the start of October that utilizes certain subjects titled "Son's Assignment Upload" and other names that could be related to assignments. The email then contains a particular malicious document that is stored in a zip file.
The campaign works by trying to convince teachers to open the emails from parents asking the teacher to accept their children's assignments through email. Proofpoint then stated that the email addresses could have been obtained from certain public pages of the school's website.
The loosely available information makes it easier for cybercriminals
Since the information is publicly available, cybercriminals make use of this information by using the given email addresses as a target list. The loosely posted information makes it easier for cybercriminals to contact their potential victims and send the ransomware.
Although the use of ransomware is quite a typical problem that has been existing in cyberspace for quite a while, the targeting of teachers is something quite recently discovered.
How does the malware work?
The malware then works by using external relationships otherwise known as Remote Template injection in order to download just malware executables if the particular user currently has macros enabled.
The known malware executables are actually hosted on a particular free code hosting service known as notabug[.]org and the known macro uses a particular free web bug service known as the Canarytokens which actually notifies the attacker whether the malware downloaded executable was either started successfully or not.
The known malware was found by Proofpoint researchers
Although Proofpoint did not do a deep analysis of the known malware, it still appears to be a particularly custom and also relatively simple ransomware written in a standard programming language that is known as "cryptme." The firm's own research then provided certain insights on the known ransomware campaign in its own blog post.
Although there has been no definitive action being made towards the cybercriminal "fake parents," the teachers are being told to be extra vigilant when it comes to protect their computers from certain unwanted cyberattacks from criminals making use of the pandemic in order to pry on those practicing distance learning.
This article is owned by Tech Times
Written by Urian Buenconsejo