

Rewterz Threat Alert – FIN7 Delivers Griffon backdoor over posted USB Keys
March 30, 2020
Rewterz Threat Alert – Zeus Sphinx Trojan Distributed via Covid-19 Relief Documents
March 30, 2020
Overview
The year 2020 has not started well for the world, and the novel coronavirus pandemic bears much of the blame. The virus was first traced to a seafood market in Wuhan in January 2020, which led to the city's lockdown; it then spread across the globe, and within weeks virtually every country was affected.
The virus has changed daily life, the global economy and everyday practices. From how people interact to the shift from office to home working, it has forced safety to the front of every decision. With work and social interaction moving online, one concern demands immediate attention: cybersecurity. Attackers target increased reliance on digital tools, and the current situation gives them more opportunity than ever before.
_
Attacks & Malicious Campaigns Leverage COVID-19
- The Koadic RAT is being distributed by a multistage downloader in a malspam campaign with the subject line “CORONAVIRUS TRAVEL RECOMMENDATIONS”. The threat actor spoofs a World Health Organization sender address and presents the RAT as WHO safety guidelines.
- The North Korean APT group Kimsuky is targeting victims with a COVID-themed malicious document named “COVID-19 and North Korea”.
- APT36 has been seen distributing the Crimson RAT via malspam disguised as a coronavirus health advisory; the attachment exploits CVE-2017-0199, the Microsoft Office/WordPad remote code execution flaw.
- Other malspam campaigns capitalize on the pandemic with common lures such as “corona vaccine” and “cure for the virus”.
- The HawkEye keylogger is being distributed by malspam using the lure of COVID-19 advice from the World Health Organization.
- A malicious document named “Advisory Novel Corona Virus-Document.rtf” was found delivering a keylogger that steals information and credentials.
- APT27 is using a .lnk file disguised as a PDF, distributed via malspam, to deploy the PlugX malware; the payload runs commands that give the attacker unauthorized remote access.
- To distribute the BlackNet remote administration tool, scammers are trying to get victims to install a fake “antivirus” that claims to protect against the biological COVID-19 virus itself.
- Researchers have catalogued HTTP transactions and URLs tied to malware C2 infrastructure used by coronavirus-themed distribution campaigns.
- BlackWater malware abuses Cloudflare Workers for C2 communication; its lure is a RAR archive named “Important – COVID-19.rar”.
- The CovidLock Android ransomware locks victims out of their phones, luring them with a supposed coronavirus tracker that would alert them when a COVID-positive patient is nearby.
- AZORult is being used to target people searching the Internet for maps of the spread of COVID-19. It tricks them into downloading and running an application whose front end shows a map loaded from a legitimate online source while it compromises the computer in the background.
- A ransomware called CoronaVirus serves as cover for the KPOT infostealer and is pushed through a fake website. The campaign delivers a malware cocktail of the CoronaVirus ransomware and the KPOT information-stealing Trojan.
- Another coronavirus-themed campaign exploits CVE-2017-11882, the Equation Editor memory-corruption vulnerability in Microsoft Office.
- Iran’s national COVID-19 “detection” app was recently removed from the Google Play Store for tracking users’ real-time locations, phone numbers and other personal details.
- Remcos RAT is being distributed by threat actors exploiting the COVID-19 outbreak to deploy payloads on targets’ computers via malicious files that promise coronavirus safety measures.
- Another email campaign distributes the FormBook information-stealing Trojan by playing on users’ fear of the coronavirus.
- A new wave of Hancitor malspam uses a coronavirus theme, with malicious attachments that pose as coronavirus insurance documents, to download ransomware and information stealers.
- WP-VCD malware ships inside pirated (“nulled”) WordPress plugins and themes and gives attackers backdoor access to the sites that install them. Here it is distributed as a “COVID-19 Coronavirus Live Map” plugin in a zip file, which is in reality a pirated copy of a legitimate, commercially available plugin.
- The RedLine stealer is distributed by a malspam campaign that asks recipients for help against the coronavirus, using the subject line “Please help us with fighting corona-virus”.
- The Zeus Sphinx Trojan, with its “Covid-19 relief” lure, targets financial institutions across continents.
_
Phishing Emails
Multiple sophisticated phishing email campaigns have been reported since the outbreak began, designed to lure recipients into clicking links and opening malicious attachments. These campaigns are a global cybersecurity concern, deploying malware and ransomware on target machines. A successful phishing attack can compromise the confidentiality, integrity and availability of an organization's data, since these campaigns aim at information theft, data exfiltration and financial fraud.
In the past week, about 20,387 unique subject lines containing the word “covid” or “corona” were observed, originating from 14,232 unique sending domains and 20,337 unique SMTP IP addresses.
About 1,558 of these emails carried malicious Windows executables, with the following top subject lines:
- “RE: Coronavirus disease (COVID-19) outbreak prevention and cure update.” (755 emails)
- “COVID-19 Supplier Notice.” (704 emails)
- “Today’s Update on COVID-19.” (91 emails)
Moreover, these emails were sent from many countries; the per-country breakdown was presented as a chart that does not survive in this text.
_
Social Engineering
Considering the alarming global situation, attackers have also folded social engineering into their campaigns. Playing on growing public anxiety, they hit the mark with phishing emails: more than 100,000 were detected in the past week alone, most of them using the following subject lines:
- “Get Your Household Ready for Coronavirus disease (COVID-19).” (3,743 emails)
- “Join the fight against Coronavirus.” (14,974 emails)
- “Coronavirus disease (COVID-19) advice for the public.” (2,107 emails)
- “COVID-19 virus can be transmitted in areas with hot and humid climates.” (1,911 emails)
- “Reminder redacted@threatwave.com Coronavirus: Travel advice.” (1,837 emails)
The scarcity of N95 respirator masks let attackers press recipients for a quick response with subject lines such as:
- “The Mask that can prevent Coronavirus now.” (20,937 emails)
- “Coronavirus is spreading, this specialized mask can control it.” (10,315 emails)
- “CORONAVIRUS ALERT: FREE Breathing Masks For USA.” (5,891 emails)
- “✅ Corona Virus Reusable Protective Mask for Adult and Kids.” (2,050 emails)
Pushing the scheme further, attackers also sent emails that people desperate for good news are likely to open:
- “Coronavirus Is gone…” (1,052 emails)
- “Breaking!!! COVID-19 Solution Announced by WHO At Last As a total control method is discovered.” (1,048 emails)
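The subject lines quoted in this section and in the Phishing Emails section above are useful as detection input, but only after normalisation: the same lure arrives with a "RE:" prefix, a leading emoji, curly quotes or a trailing ellipsis. The script below is an added example written for this alert, not Rewterz's own tooling. It normalises subjects, matches them against the quoted lures, adds weight for a themed subject paired with an executable or document attachment, and flags a display name that claims to be the World Health Organization while the sending domain is something else (the sender addresses, log lines, extension list and scoring weights are constructed assumptions).

```python
"""Score mail-log lines for the COVID-19 lure subjects quoted in this alert.

Added example; not Rewterz's tooling. The log lines, sender domains,
extension list and scoring weights are constructed assumptions.
"""
import re
import unicodedata
from typing import List, Tuple

# Lure subject lines quoted in the alert above.
KNOWN_LURE_SUBJECTS = [
    "RE: Coronavirus disease (COVID-19) outbreak prevention and cure update.",
    "COVID-19 Supplier Notice.",
    "Today’s Update on COVID-19.",
    "Get Your Household Ready for Coronavirus disease (COVID-19).",
    "Join the fight against Coronavirus.",
    "The Mask that can prevent Coronavirus now.",
    "✅ Corona Virus Reusable Protective Mask for Adult and Kids.",
    "Coronavirus Is gone…",
]
# Attachment extensions that carry code or exploitable documents (assumed list).
RISKY_EXT = {"exe", "scr", "js", "vbs", "lnk", "doc", "docm", "xls", "xlsm", "rtf", "rar", "zip"}
# Display names attackers borrow, mapped to the domain a genuine sender would use (assumed).
BRAND_DOMAINS = {"world health organization": "who.int", "who": "who.int"}
# Applied to normalised text, where "covid-19" has already become "covid 19".
THEME = re.compile(r"\b(covid( 19)?|corona( ?virus)?)\b")
ADDR = re.compile(r"^(?P<display>.*?)<(?P<addr>[^>]+)>\s*$")


def normalise_subject(subject: str) -> str:
    """Lower-case, strip reply/forward prefixes, then drop emoji, punctuation and curly quotes."""
    s = unicodedata.normalize("NFKC", subject).lower()
    s = re.sub(r"^(re|fw|fwd)\s*:\s*", "", s)
    s = re.sub(r"[^a-z0-9 ]+", " ", s)
    return re.sub(r"\s+", " ", s).strip()


KNOWN = {normalise_subject(s) for s in KNOWN_LURE_SUBJECTS}


def score_message(sender: str, subject: str, attachment: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one message; higher means more lure-like."""
    score, reasons = 0, []
    norm = normalise_subject(subject)
    themed = THEME.search(norm) is not None
    if norm in KNOWN:
        score += 3
        reasons.append("subject matches a known lure")
    elif themed:
        score += 1
        reasons.append("COVID-themed subject")
    ext = attachment.rsplit(".", 1)[-1].lower() if "." in attachment else ""
    if themed and ext in RISKY_EXT:
        score += 2
        reasons.append(f"risky attachment .{ext} on a themed mail")
    m = ADDR.match(sender)
    if m:
        display = normalise_subject(m.group("display"))
        domain = m.group("addr").rpartition("@")[2].lower()
        for brand, real_domain in BRAND_DOMAINS.items():
            if re.search(rf"\b{brand}\b", display) and domain != real_domain:
                score += 2
                reasons.append(f"display name claims '{brand}' but sender is {domain}")
                break
    return score, reasons


def triage(log: str, threshold: int = 3) -> List[Tuple[int, str, str, List[str]]]:
    """Parse tab-separated 'sender<TAB>subject<TAB>attachment' lines; return flagged ones, highest score first."""
    flagged = []
    for line in log.splitlines():
        if not line.strip():
            continue
        sender, subject, attachment = line.split("\t", 2)
        score, reasons = score_message(sender, subject, attachment)
        if score >= threshold:
            flagged.append((score, sender, subject, reasons))
    return sorted(flagged, key=lambda r: -r[0])


# Constructed sample log (sender, subject, attachment name; "-" means none).
SAMPLE_LOG = "\n".join([
    "World Health Organization <alert@who-update.example>\tCORONAVIRUS TRAVEL RECOMMENDATIONS\tguidelines.exe",
    "supplier@acme.example\tCOVID-19 Supplier Notice.\tinvoice.docm",
    "it@corp.example\tQuarterly patching window\tpatch-notes.pdf",
    "noreply@shop.example\t✅ Corona Virus Reusable Protective Mask for Adult and Kids.\t-",
    "hr@corp.example\tRE: Coronavirus disease (COVID-19) outbreak prevention and cure update.\tupdate.zip",
])

if __name__ == "__main__":
    for score, sender, subject, reasons in triage(SAMPLE_LOG):
        print(f"[{score}] {sender} | {subject}\n     {'; '.join(reasons)}")
```

Matching on normalised text rather than on the raw subject is what makes the emoji-prefixed mask lure and the "RE:"-prefixed cure-update lure hit the same entries as the subjects listed above; on real mail, feed the sending domain and attachment type from the gateway log rather than trusting the display name.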
_
Scam Domains and Hosts
Thousands of new coronavirus-themed domains are appearing amid the pandemic. Approximately 17,774 newly created domains and 18,667 hosts registered in the past week contain COVID-19, COVID19 or coronavirus in their names.

Some of these domains are legitimate, but most are used for online financial fraud, distribution of malware-laced files and hosting of phishing pages.
Some of the blacklisted domains are listed below. They are defanged: hxxp stands for http and [.] for a dot, so that the links cannot be clicked by accident.
- hxxps://covid-19-business-continuity-epic-uk-limited[.]azurewebsites[.]net/corona_virus_2020/
- hxxps://raymondne[.]buzz/covid-19precautions/toda/office.php
- hxxp://coronavirus2020covid-19[.]000webhostapp[.]com/
- hxxp://coronavirustest[.]ru/
- hxxps://covid-19[.]style/
- hxxps://footytube[.]top/admin/covid-19/office365/office365/office365/office365/office365/office365/office365/99deac8eaceb2aebe3b9cbecf26e98d7/zhgvnftl319coe8qzzzkvjnc.php
- hxxp://covid-19[.]bdtime[.]news/
- hxxps://ayyappantat[.]com/img/view/covid-19/index.php
- hxxps://starilionpla[.]website/do/covid-19/index.php?l=_jehfuq_vjoxk0qwhtogydw_product-userid
- hxxps://verizoncovid-19[.]com/
- hxxps://urschel-mosaic[.]com/covid-19/onedriv
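Before these indicators go into a blocklist they have to be refanged, and the blocking unit has to be chosen with care: two of them sit under azurewebsites.net and 000webhostapp.com, where blocking the parent domain would also block every legitimate tenant, while others (coronavirustest.ru, covid-19.style, verizoncovid-19.com) were evidently registered for the lure and can be blocked at the domain level. The script below is an added example for this alert, not Rewterz's tooling; it copies the indicator list from above, and its shared-hosting list and brand-token list are assumptions.

```python
"""Refang the defanged indicators above and sort them into blockable units.

Added example for this alert, not Rewterz's tooling. The shared-hosting
parents and brand tokens are assumed lists; the indicators are from the alert.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators copied from the alert above, still defanged.
DEFANGED_IOCS = [
    "hxxps://covid-19-business-continuity-epic-uk-limited[.]azurewebsites[.]net/corona_virus_2020/",
    "hxxps://raymondne[.]buzz/covid-19precautions/toda/office.php",
    "hxxp://coronavirus2020covid-19[.]000webhostapp[.]com/",
    "hxxp://coronavirustest[.]ru/",
    "hxxps://covid-19[.]style/",
    "hxxps://footytube[.]top/admin/covid-19/office365/office365/office365/office365/office365/office365/office365/99deac8eaceb2aebe3b9cbecf26e98d7/zhgvnftl319coe8qzzzkvjnc.php",
    "hxxp://covid-19[.]bdtime[.]news/",
    "hxxps://ayyappantat[.]com/img/view/covid-19/index.php",
    "hxxps://starilionpla[.]website/do/covid-19/index.php?l=_jehfuq_vjoxk0qwhtogydw_product-userid",
    "hxxps://verizoncovid-19[.]com/",
    "hxxps://urschel-mosaic[.]com/covid-19/onedriv",
]

# Shared-hosting parents: blocking the parent would also block legitimate tenants (assumed list).
SHARED_HOSTING = {"azurewebsites.net", "000webhostapp.com"}
THEME = re.compile(r"covid[-_]?19|corona", re.IGNORECASE)
# Brand tokens typical of credential-harvesting kits; longest alternative first (assumed list).
BRAND = re.compile(r"office365|office|onedriv|verizon")


def refang(ioc: str) -> str:
    """Undo the usual defanging: hxxp -> http and [.] / (.) / {.} -> '.'."""
    s = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)


def registrable_domain(host: str) -> str:
    """Last two labels; a simplification that ignores the public-suffix list (e.g. .co.uk)."""
    return ".".join(host.split(".")[-2:])


def classify(ioc: str) -> Dict[str, object]:
    """Refang one indicator and describe how it should be blocked and why."""
    url = refang(ioc)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    path, query = parts.path.lower(), parts.query.lower()
    brands = sorted(set(BRAND.findall(host + path)))
    return {
        "url": url,
        "host": host,
        "registrable": reg,
        "shared_hosting": reg in SHARED_HOSTING,
        "themed_domain": bool(THEME.search(reg)),   # lure keyword in the registered domain itself
        "brands": brands,
        # A .php endpoint carrying a brand token or a userid parameter looks like a harvesting kit.
        "harvest_like": path.endswith(".php") and (bool(brands) or "userid" in query),
    }


def build_blocklist(iocs: List[str]) -> Dict[str, List[str]]:
    """Always block the exact host; escalate to the registered domain only when it was registered for the lure and is not a shared-hosting parent."""
    hosts, domains = set(), set()
    for ioc in iocs:
        c = classify(ioc)
        hosts.add(c["host"])
        if c["themed_domain"] and not c["shared_hosting"]:
            domains.add(c["registrable"])
    return {"hosts": sorted(hosts), "domains": sorted(domains)}


if __name__ == "__main__":
    for ioc in DEFANGED_IOCS:
        c = classify(ioc)
        print(f"{c['host']:<60} shared={c['shared_hosting']!s:<5} brands={c['brands']} kit={c['harvest_like']}")
    print(build_blocklist(DEFANGED_IOCS))
```

The host-level list is what goes to the proxy or DNS sinkhole; the domain-level list is the smaller set you can safely block at the apex. The two-label registrable_domain shortcut is good enough for this list but should be replaced by a public-suffix lookup before use on arbitrary feeds.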
_
Corona-related Mobile Apps
While organizations must protect their systems from attacks that originate from fake domains and hosts, mobile apps are also being used by cyber criminals to steal sensitive data and compromise their targets' confidentiality. With the ongoing shift to remote work, mobile phones carry key communications between an organization's staff and need to be protected with the same vigilance. The figures for corona-related mobile apps launched in the past week were presented as a chart that does not survive in this text. Some of these apps may be legitimate, but most of them exploit the topic of the moment to serve the attackers' intent of capitalizing on the virus.
_
Endnote
As the coronavirus spreads around the globe, the world grows ever more absorbed in the subject. That gives attackers an opportunity to compromise devices and sensitive data by tricking users into downloading malware.
In such a scenario, the following preventive measures should be followed:
- Do not click on links without first verifying where they lead.
- Use a reliable VPN for internet access.
- Before entering a password, check that the website URL is exactly the one you expect; look-alike domains containing “covid” or “corona” are common.
- Download software only from trusted sources.
- Update systems regularly and patch known weaknesses; several of the campaigns above rely on old Microsoft Office vulnerabilities.
- Obtain coronavirus information from official sources rather than from random search results or unsolicited links.