Over the past few weeks we have been witnessing an increase in malicious activity, as many threat actors have started to abuse the panic and discomfort of the COVID-19 pandemic to conduct specially crafted cyber attacks. In particular, our SOCs have seen a significant spike in brute-force attacks (authentication issues), exploit attempts (viruses) and increased access to malicious or suspicious IPs and URLs. We have also been monitoring a few forum sites on the dark web to understand whether discussions of COVID-19 are as popular there as they are on the clear web, and what exactly cyber criminals are discussing about COVID-19. An interesting element that we found is a thread encouraging users to do more 'carding' because of COVID-19. Their explanation? Due to COVID-19, cardholders are loading more money onto their bank accounts, so this is a good period to do more carding.
Others are simply just reassuring their clients that they're 'still delivering despite COVID-19' or that they 'have limited delivery options due to COVID-19'. There are also numerous 'sale offers' due to COVID-19. Needless to say, cyber criminals are readjusting their business models too.
Here is a list of the most notable COVID-19-themed malicious campaigns:
Email is the largest attack vector, so it comes as no surprise that cybercriminals are launching phishing campaigns related to COVID-19. Many of the emails, purportedly from official organisations, contain updates and recommendations connected to COVID-19. Like most email spam attacks, they also include malicious attachments.
Example 1: Spear-Phishing Campaign
In this attack, carried out earlier this month, an attacker launched a spear-phishing campaign that lasted less than 30 minutes.
The attackers created an email designed to look like a legitimate supply chain risk report for food colouring additives with an update based on disruptions due to coronavirus. The attachment, however, was malicious and delivered a sophisticated, multi-layer payload based on the Lokibot trojan (Trojan:Win32/Lokibot.GJ!MTB).
Had the attack been successfully deployed, the hackers could have stolen credentials for other systems, to be used at a later stage. This attack targeted 135 customer tenants with a spray of 2,047 malicious messages, but no customers were impacted by the attack.
Example 2: Targeted Italian Workplace Scam Email
Another scam campaign, which targeted Italian organisations, came from someone pretending to be a doctor from the World Health Organisation. The email included a file that was supposed to be a document outlining precautionary measures for the recipient but was in fact malware. One of the main tells here is that the email did not come from a who.int email address.
Example from Proofpoint
Example 3: General Email Targeting Employees
Phishing emails of this kind are continuing to target employees in the workplace, and your employees are a lot more susceptible to them while working from home, when most communication is conducted over email.
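The two tells described in the examples above, a sender claiming to be an organisation whose domain does not match the address (the who.int case), and a script or executable attached to a COVID-themed message, can be checked mechanically at the mail gateway or in the SOC. The following is an added example written for this post and is not code from the original article or from Smarttech247; the organisation-to-domain table, the attachment extension list and the three sample messages are constructed assumptions.

```python
"""Triage of COVID-themed phishing emails (added example, constructed samples)."""
import os
import re
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed mapping: organisation as it appears in a display name -> the
# domain its mail should legitimately come from.
CLAIMED_ORG_DOMAINS = {
    "world health organization": "who.int",
    "world health organisation": "who.int",
    "who": "who.int",
}

# Extensions that carry code rather than documents; .vbs and .exe are the ones
# used in the campaigns above, the rest are common equivalents (constructed).
RISKY_EXTENSIONS = {".vbs", ".exe", ".js", ".scr", ".bat", ".cmd", ".ps1", ".hta", ".iso"}

COVID_KEYWORDS = ("covid", "coronavirus", "corona")


def sender_domain(msg):
    """Domain of the real envelope-visible From address (empty if none)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def claimed_org_domain(msg):
    """Domain the display name implies the mail should come from, or None."""
    name, _ = parseaddr(str(msg.get("From", "")))
    name = name.lower()
    for org, domain in CLAIMED_ORG_DOMAINS.items():
        if re.search(r"\b" + re.escape(org) + r"\b", name):
            return domain
    return None


def attachment_names(msg):
    """Filenames of every MIME part that declares one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def triage(raw_message):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    domain = sender_domain(msg)
    expected = claimed_org_domain(msg)
    if expected and not (domain == expected or domain.endswith("." + expected)):
        findings.append(f"display name claims {expected} but sender is {domain or 'unknown'}")
    for filename in attachment_names(msg):
        # splitext takes the last extension, so "report.doc.exe" is caught as .exe
        if os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {filename}")
    subject = str(msg.get("Subject", "")).lower()
    if findings and any(k in subject for k in COVID_KEYWORDS):
        findings.append("COVID-themed lure combined with the indicators above")
    return findings


def build_sample(from_header, subject, attachment_name=None):
    """Construct a sample message as a string (test data, not real mail)."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "staff@example.com"
    m["Subject"] = subject
    m.set_content("Please see the attached precautionary measures.")
    if attachment_name:
        m.add_attachment(b"MZ-placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed samples mirroring the post's examples.
SAMPLE_WHO_SCAM = build_sample(
    '"World Health Organisation - Dr. A. Example" <doctor@mail-doc.example>',
    "COVID-19 precautionary measures", "precautions.doc.exe")
SAMPLE_VBS_LURE = build_sample(
    '"Health Alerts" <alerts@lure.example>',
    "CORONAVIRUS.COVID-19 update", "CORONAVIRUS.COVID-19.vbs")
SAMPLE_LEGIT = build_sample(
    '"WHO Newsroom" <newsroom@who.int>', "Weekly epidemiological update")

if __name__ == "__main__":
    for label, sample in (("WHO scam", SAMPLE_WHO_SCAM),
                          ("VBS lure", SAMPLE_VBS_LURE),
                          ("legitimate", SAMPLE_LEGIT)):
        print(label, "->", triage(sample) or ["no findings"])
```

The display-name check only fires when the name asserts an organisation that is in the table, so a legitimate who.int sender produces no finding; everything else is scored on attachment type, with the COVID theme acting as a severity booster rather than a signal on its own.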
A new, prevalent example of Android spyware that uses COVID-19 as a lure to deliver its malicious product has been reported by researchers at Lookout. This particular malware, called "corona live 1.1.", comes out of Libya and seems to mostly be targeting Libyan citizens. Like other examples listed below, it uses the same COVID-19 dashboard developed by Johns Hopkins University.
Malwarebytes Labs reported finding variations of an AzorUlt trojan malware embedded in some of these attachments. The AzorUlt trojan is a flexible type of malware that commonly collects important data like browser history, passwords, and session cookies from the infected computer, then sends that to a command and control server elsewhere online. From there it could download and execute more malicious code, such as ransomware. This particular type of trojan is good at staying hidden, as its core function is to collect vital data from non-persistent memory on the infected machine, then quietly deliver that to its command and control server.
Krebs On Security recently documented that some phishing campaigns use a live interactive map of COVID-19 to distribute different variations of the same AzorUlt trojan. The map and interactive dashboard were developed by Johns Hopkins University, so visually these emails could appear valid and trustworthy even to a cautious eye.
A new ransomware variant called CoronaVirus was spread through a fake Wise Cleaner site, a website that supposedly promoted system optimisation, as reported by MalwareHunterTeam. Victims unknowingly download the file WSGSetup.exe from the fake site. This file acts as a downloader for two types of malware: the CoronaVirus ransomware and a password-stealing trojan named Kpot. This campaign follows the trend of recent ransomware attacks that go beyond encrypting data and steal information as well.
Another attack, presumed to be ransomware, hit the University Hospital Brno in the Czech Republic, a COVID-19 testing centre. The hospital's computer systems were shut down because of the attack, delaying the release of COVID-19 test results.
A mobile ransomware named CovidLock comes from a malicious Android app that supposedly helps track cases of COVID-19. The ransomware locks the phones of victims, who are given 48 hours to pay US$100 in bitcoin to regain access to their phone. Threats include the deletion of data stored in the phone and the leak of social media account details.
Threat actors also launched a new phishing campaign that spreads the Netwalker ransomware, according to MalwareHunterTeam, as reported by Bleeping Computer. The campaign uses an attachment named "CORONAVIRUS.COVID-19.vbs" that contains an embedded Netwalker ransomware executable.
Upon execution of the script, the EXE file will be saved to %Temp%\qeSw.exe. Launching this file will lead to the encryption of other files on the computer. Victims will then find a ransom note with instructions on how to pay the ransom via a Tor payment site.
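The chain just described, a script host running a .vbs attachment, writing an executable into %Temp% and then launching it, is a well-defined sequence that endpoint telemetry can catch before encryption starts. The code below is an added example for this post, not code from the original article or from any vendor: it correlates constructed Sysmon-style events (event ID 1 process creation, event ID 11 file creation) by process id and raises an alert only when all three stages are seen from the same script host. The field names follow Sysmon's conventions but the events themselves are fabricated, and the qeSw.exe path is taken from the description above.

```python
"""Detect script-host -> executable dropped in Temp -> executed (added example)."""
import json
import re
from collections import defaultdict

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Matches "...\Temp\<name>.exe" or "...\tmp\<name>.exe" (case-insensitive).
TEMP_EXE_RE = re.compile(r"\\(?:temp|tmp)\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed events, one JSON object per line, in chronological order.
# Events 1-3 reproduce the malicious chain; events 4-5 are a benign admin script.
SAMPLE_LOG = r"""
{"EventID":1,"ProcessId":4120,"ParentProcessId":880,"Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe C:\\Users\\alice\\Downloads\\CORONAVIRUS.COVID-19.vbs"}
{"EventID":11,"ProcessId":4120,"Image":"C:\\Windows\\System32\\wscript.exe","TargetFilename":"C:\\Users\\alice\\AppData\\Local\\Temp\\qeSw.exe"}
{"EventID":1,"ProcessId":4188,"ParentProcessId":4120,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\qeSw.exe","CommandLine":"C:\\Users\\alice\\AppData\\Local\\Temp\\qeSw.exe"}
{"EventID":1,"ProcessId":5000,"ParentProcessId":880,"Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe C:\\Scripts\\inventory.vbs"}
{"EventID":11,"ProcessId":5000,"Image":"C:\\Windows\\System32\\wscript.exe","TargetFilename":"C:\\Scripts\\report.csv"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_script_drop_and_run(events):
    """Return one alert per script host that drops an .exe in Temp and runs it."""
    script_cmdline = {}            # pid of script host -> its command line
    dropped = defaultdict(set)     # pid of script host -> lower-cased .exe paths written
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            image = ev["Image"]
            cmd = ev.get("CommandLine", "")
            # Stage 1: a script host interpreting a .vbs file.
            if basename(image) in SCRIPT_HOSTS and ".vbs" in cmd.lower():
                script_cmdline[ev["ProcessId"]] = cmd
            # Stage 3: a child of a tracked script host whose image is a file
            # that very script host wrote into Temp.
            parent = ev.get("ParentProcessId")
            if parent in script_cmdline and image.lower() in dropped.get(parent, set()):
                alerts.append({
                    "script": script_cmdline[parent],
                    "dropped": image,
                    "script_pid": parent,
                    "executed_pid": ev["ProcessId"],
                })
        elif ev["EventID"] == 11:
            # Stage 2: the tracked script host writes an executable into Temp.
            pid = ev["ProcessId"]
            target = ev["TargetFilename"]
            if pid in script_cmdline and TEMP_EXE_RE.search(target):
                dropped[pid].add(target.lower())
    return alerts


if __name__ == "__main__":
    for alert in detect_script_drop_and_run(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Requiring all three stages keeps the rule quiet on administrative scripts that write ordinary files, while still firing before the payload has done anything beyond starting; a lower-severity signal on stage 2 alone (an .exe written to Temp by a script host) is a reasonable addition where the team can absorb the extra volume.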
A sextortion scheme reported by Sophos demands US$4,000 in bitcoin, or else, they threaten to infect the victim’s family with COVID-19. The victims receive emails informing them that the threat actors know all their passwords, their whereabouts, and other details relating to their personal activities. The email senders threaten to release the data if the victim doesn’t make the payment in 24 hours. There is no indication that the threat actors actually have access to the data, or if they can actually follow through with their threats.
Conclusion & Tips
It is very important to stay vigilant during this COVID-19 crisis and to ensure you have the relevant steps in place to manage any potential threats. Check your organisational security policies and procedures to ensure that your systems, devices and networks have the appropriate safeguards in place.
Be sure to only use trusted information sources, such as government and research institutions' websites. Don't click on anything health-related in your emails. In general, follow all of the basic phishing recommendations and be aware that people are trying to capitalise on fear.
Make sure your devices have the latest security updates installed and an antivirus or anti-malware service.
Use multi-factor authentication (MFA) on all your accounts. Most online services now provide a way to use your mobile device or other methods to protect your accounts in this way.
Educate yourself, your friends and your colleagues on how to recognise phishing attempts and report suspected encounters. If you are an employer, now is the time to kick off that online security awareness campaign. You may also consider running phishing simulation campaigns to test your users' current knowledge.
Our security teams at Smarttech247 are working to protect customers and we’ll share more in the coming weeks. For additional information and best practices for staying secure during these challenging times, please don't hesitate to contact our experts. There is no cost and we are here to support you.