In recent weeks, we have witnessed cybercriminals trying to cash in on global fears about the novel coronavirus. Analysts across various intelligence vendors have observed that cybercriminals are taking advantage of the outbreak.
As many individuals search online for the latest information about COVID-19, cybercriminals have adopted a variety of TTPs themed around the virus, mostly in the form of phishing and other social engineering attacks.
Blueliv analysts have also observed a spike in crimeservers bearing “corona” or “COVID” in their URLs since the start of the outbreak. Of those crimeservers, over 80% of them are dedicated to phishing.
This blog post provides a brief summary of some of these observations, together with commentary from our own analysts. Since this is a global outbreak, it is highly likely that many social engineering attacks appear in multiple languages, including Mandarin, Korean, Farsi and Russian, in addition to those that use the Latin alphabet.
A fraudulent campaign claiming to be from the World Health Organization has been observed, taking victims to a site that requested email login credentials. The fraudulent domain embedded the real WHO website in a frame on the page, making it seem legitimate; when the victim accessed the site, a pop-up web form appeared.
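The framing trick described above only works against sites that allow themselves to be embedded. The following is an added example, not Blueliv's code or anything taken from the WHO site, that evaluates a captured response's headers and reports whether arbitrary third-party pages can frame it; the sample header sets are constructed.

```python
# Added example (not Blueliv's code): checks whether an HTTP response allows
# other sites to embed it in a frame, the technique the fake WHO page relied on.
from typing import Dict, List, Optional

def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Lower-cased source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

# Source expressions that let any origin, including a phishing site, frame the page.
_OPEN_SOURCES = {"*", "http:", "https:"}

def framing_blocked(headers: Dict[str, str]) -> bool:
    """True if the response forbids arbitrary third-party sites from framing it.

    Browsers give CSP frame-ancestors precedence: when it is present,
    X-Frame-Options is ignored, so it is evaluated first here as well.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # An empty list matches nothing (same as 'none'); a wildcard or bare scheme is open.
            return not any(s in _OPEN_SOURCES for s in sources)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return False  # No policy at all: any page may frame this one.
    # DENY and SAMEORIGIN are honoured; the obsolete ALLOW-FROM is ignored by
    # current browsers, so it offers no protection.
    return xfo.strip().upper() in ("DENY", "SAMEORIGIN")

# Constructed sample responses, not captured from any real server.
HARDENED = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Frame-Options": "DENY"}
LEGACY_ONLY = {"x-frame-options": "SAMEORIGIN"}
WEAK_CSP = {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"}
NO_POLICY = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, hdrs in [("hardened", HARDENED), ("legacy xfo", LEGACY_ONLY),
                        ("weak csp", WEAK_CSP), ("no policy", NO_POLICY)]:
        print(f"{label:10s} framing blocked: {framing_blocked(hdrs)}")
```

Note the WEAK_CSP case: a permissive frame-ancestors directive silently overrides an otherwise correct X-Frame-Options: DENY.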
Additional spam activity targeted users in an Italian-language campaign, referencing known real-world infections in the afflicted country. The mail carried a malicious attachment containing macros which, when enabled, dropped Trickbot. Trickbot was originally only a banking Trojan, but it can now also be used to gain a foothold in the victim’s system and deploy other malware, such as Ryuk ransomware, later down the line.
Phishing attacks dropping Emotet, AZORult, AgentTesla
A coronavirus spam campaign targeting Japanese users was observed distributing Emotet, an advanced, self-propagating modular malware. The spam campaign encourages victims to open a malicious email attachment containing the malware, and purports to be from a Japanese disability welfare provider. Blueliv tracks Emotet activity using our sandbox and SMTP honeypots, gathering and analyzing malspam sent by Emotet botnets. Emotet also started out as a banking Trojan and now is a customizable modular package used to deploy additional payloads and other malware families.
Word documents exploiting known vulnerabilities and dropping AZORult have also been seen. According to some analysts, the threat actors appear to be from Eastern Europe and are not part of broader APT groups. A significant amount of this intelligence is accessible through Threat Context.
Other malicious activity
Cybercriminals have also explored other creative methods of capitalizing on coronavirus concerns. On February 20, 2020, a threat actor operating under the alias “FalosofTanos” authored an advertisement on a top-tier Russian-language cybercrime forum marketing what they dubbed a ‘new coronavirus phishing method.’ For $200 USD – or $700 USD if the client elected to use the threat actor’s code signing certificate – interested clients could purchase a “payload preloader” masquerading as a legitimate map of coronavirus information from Johns Hopkins University.
Screenshot of the malicious program that displays coronavirus information while infecting victims with malware.
Blueliv analysts believe that the program is likely geared towards use in malicious email campaigns that distribute various malware families. According to the author, upon downloading the map, the program surreptitiously loads a .jar loader; it is this loader which contains the payload selected by the cybercriminal distributing it.
Some researchers have observed this program being used to drop an AZORult variant. AZORult has several capabilities, including as an information stealer, which we describe at length in our report into the Credential Theft Ecosystem.
Conclusions and mitigation
As we can see, many of these attacks rely on social engineering techniques – the weakest link in the chain is consistently the human element. Education, therefore, is of utmost importance.
Liv Rowley, threat intelligence analyst at Blueliv, commented on these attacks, “any unsolicited advice or unexpected email attachments should always be treated with suspicion, and users should double-check that mail is from a trusted sender. Remember that the sender’s name is not a reliable source, but rather the email address itself. There have been attacks through emails purporting to be from HR departments and organizations such as the WHO that use this specific social engineering technique.”
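The advice above, to trust the address rather than the display name, can be turned into a simple mail-gateway or triage check. The following is an added example (not Blueliv's code) that flags a From: header whose display name claims an organization the address domain does not belong to, a display name that itself looks like an address for another domain, and sender domains carrying the "corona"/"COVID" keywords mentioned earlier; the brand-to-domain map and the sample headers are constructed, with example.com standing in for your own mail domain.

```python
# Added example (not Blueliv's code): flags the display-name trick the quote warns
# about, plus the "corona"/"COVID" domain pattern seen in crimeserver URLs.
import re
from email.utils import parseaddr
from typing import Dict, List

# Constructed mapping of impersonated organizations to the domains they really use.
# who.int is the WHO's real domain; example.com is a placeholder for your own org.
BRAND_DOMAINS: Dict[str, List[str]] = {
    "world health organization": ["who.int"],
    "hr department": ["example.com"],
}
THEME_KEYWORDS = ("corona", "covid")

def sender_domain(from_header: str) -> str:
    """Domain of the actual address in a From: header, lower-cased ('' if unparseable)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def _belongs_to(domain: str, allowed: List[str]) -> bool:
    """True if domain equals or is a subdomain of one of the allowed domains."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def sender_flags(from_header: str) -> List[str]:
    """Return the reasons a From: header looks like a themed social-engineering lure."""
    name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return ["unparseable address"]
    flags: List[str] = []
    lowered = name.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(r"\b" + re.escape(brand) + r"\b", lowered) and not _belongs_to(domain, domains):
            flags.append(f"display name claims '{brand}' but address domain is {domain}")
    if any(k in domain for k in THEME_KEYWORDS):
        flags.append(f"sender domain {domain} is coronavirus-themed")
    # A display name that looks like an address is shown prominently by mail clients.
    shown = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", name)
    if shown and shown.group(1).lower() != domain:
        flags.append(f"display name shows {shown.group(1).lower()} but real domain is {domain}")
    return flags

# Constructed sample From: headers, not taken from any real campaign.
SAMPLES = [
    '"World Health Organization" <alerts@who.int>',
    '"World Health Organization" <update@corona-alerts-info.example>',
    '"hr@example.com" <noreply@mailer-service.example>',
    'Jane Doe <jane.doe@example.com>',
]

if __name__ == "__main__":
    for hdr in SAMPLES:
        print(hdr, "->", sender_flags(hdr) or "clean")
```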
As many workers are instructed by their employers to work remotely rather than go into the office, other risks may become more apparent. Employees may become more vulnerable to phishing attacks, for example, as their hunger for information about COVID-19 makes them forget best practices. Additionally, the lack of VPNs, particularly among smaller businesses, could lead to workers making themselves more vulnerable than necessary as they leave their secure office networks.
General cyber hygiene is always extremely important, but particularly during a period when the novel coronavirus is affecting many of us. From a personal hygiene perspective, please follow the guidance of your local authorities.