SafeBreach Labs has updated the Hacker’s Playbook™ with new simulations for IOCs described in US-CERT Malicious Cyber Actor Spoofing COVID-19 Loan Relief Webpage via Phishing Emails (AA20-225A).

This alert addresses a new phishing campaign that targets users for loan relief of COVID-19 from the U.S. Small Business Administration. The malicious emails contain a link to a spoofed website, presenting a fake login page for SBA’s Economic Disaster Loan Portal, for the purpose to steal credentials.

SafeBreach Labs has updated the Hacker’s PlaybookTM to ensure these malicious emails are blocked and outbound C2 communication is prevented.

Newly developed playbook methods related to AA20-225A:

• #5381 – Email a link to hxxps://leanproconsulting.com.br/gov/covid19relief/sba.gov
• #5382 – Communication with AA20-225A using HTTP

The new attack methods for US-CERT AA20-225A are already in the SafeBreach Hacker’s Playbook and ready to be run across your simulators. The Known Attack Series report is being updated so you can run just the specific attacks from this US-CERT alert. From the Known Attack Series report, select the US-CERT Alert AA20-225A (SBA Covid-19) report and there is an option to Run Simulations that will run all the attack methods.