Following the latest developments around the novel coronavirus disease 2019 (COVID-19), which has disrupted our daily lives and caused chaos across all three sectors of the economy (primary: raw materials; secondary: manufacturing; tertiary: services), we are unfortunately also observing an increasing number of cybersecurity threats related to COVID-19.
In particular, Obrela Security Industries (OSI) has observed an extensive list of newly registered COVID-19-related domains and a surge of highly sophisticated, carefully crafted COVID-19-themed phishing emails. Bad actors are using these techniques to lure victims into reacting to the emails by promising that the attachments and links contain information about COVID-19.
Malicious actors, in an effort to increase their credibility, will often impersonate trusted and reputable organizations, such as the World Health Organization, in order to get users to open attachments or click on malicious links.
Existing phishing campaigns that capitalize on the coronavirus panic can serve as templates and be adjusted to target specific groups (countries, industries, individuals).
The number of newly registered domains related to coronavirus has increased since the outbreak of the virus. This is a clear indication that cybercriminals are setting up their infrastructure to support malicious activities.
Below are some tips that can help you defend against the above real-world cyber-attacks and reduce the risk of infection via botnet spam:
OSI detected that an increasing number of actors and malware are employing the above-mentioned techniques. An indicative list of active campaigns can be found below:
Targets the coronavirus outbreak and fears in Italy: a specially crafted spam email, written in Italian and targeting Italian e-mail addresses. The e-mail contains a Word document purported to be a list of precautionary measures. In reality, the enclosed file is a weaponized Microsoft Word document containing a Visual Basic for Applications (VBA) script that carries a dropper used to deliver a new Trickbot variant.
Emotet is an advanced, self-propagating Trojan. It originally targeted organizations and companies in the banking and finance sector. Nowadays, Emotet is spreading via coronavirus-themed spam emails. Cases were identified of spam campaigns targeting users in Japan that employ the coronavirus scare as a lure to get people to open malicious emails. The text of the phishing email is written in Japanese, and the e-mail contains Microsoft Office files weaponized with macros that, when run, deliver a variant of the Emotet Trojan.
This is a coronavirus-themed email attack targeting the shipping industry by leveraging the concerns and fears over COVID-19 and its impact on the global shipping industry. AZORult is an information-stealing trojan that exfiltrates sensitive data from a compromised system and can steal browsing history, cookies, IDs/passwords, cryptocurrency and more. In addition, there is a variant of AZORult that creates a new, hidden administrator account on the infected machine in order to allow Remote Desktop Protocol (RDP) connections. The malicious e-mail contains a weaponized Microsoft Word document that exploits the CVE-2017-11882 vulnerability. Once the attachment is opened, the AZORult trojan is installed on the compromised system. According to our research, the malicious emails originate from groups in Russia and Eastern Europe.
In addition to the above technique for spreading the AZORult trojan, security researchers have identified and reported that malicious actors have developed an alternative technique to deliver it: a weaponized coronavirus map that mimics the original Johns Hopkins University coronavirus map.
A coronavirus-themed malicious spam campaign targeting users in China. The spam campaign claimed to be from the Ministry of Health of the People's Republic of China. The phishing e-mail contains a malicious .arj file (Windows RAR archive file), purported to be a list of precautionary measures. Once the victim opens the attachment, it results in a Lokibot trojan infection. Lokibot has keylogging capabilities for stealing sensitive personal information.
Agent Tesla is an advanced remote access trojan (RAT) with keylogging capabilities for stealing email credentials and passwords from browsers. The threat actors impersonated the World Health Organization (WHO) and sent out malicious email messages using the subject line "Attention: List Of Companies Affected With Coronavirus March 02, 2020." that contained a malicious attachment which dropped the Agent Tesla Keylogger. The phishing e-mail contains a malicious attachment labeled "SAFETY PRECAUTIONS" with a .exe extension. The icon of the executable is that of a Microsoft Office Excel file, intended to trick the end user into believing that the attachment is indeed an Excel document.
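The campaigns listed above share a small set of attachment traits: macro-enabled Office documents (Trickbot, Emotet), an .arj archive (Lokibot) and a bare .exe dressed up with an Office icon (Agent Tesla). The following mail-gateway triage check is an added example written for this page, not OSI tooling; the attachment names and byte fixtures are constructed stand-ins, not real samples.

```python
import io
import zipfile

# Constructed fixtures modelled on the lures described above; not real malware.
MACRO_DOC_NAME = "precautions.docm"
EXE_NAME = "SAFETY PRECAUTIONS.exe"
ARJ_NAME = "precautions_list.arj"
LURE_TERMS = ("coronavirus", "covid", "precaution")


def build_macro_doc() -> bytes:
    """Constructed stand-in for a macro-enabled Office file: an OOXML zip that
    carries a vbaProject.bin part (the VBA content itself is just placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def triage_attachment(name: str, data: bytes) -> list[str]:
    """Return the reasons an attachment should be held for analyst review.
    An empty list means none of the page's indicators were observed."""
    findings = []
    lower = name.lower()
    ext = lower.rsplit(".", 1)[-1] if "." in lower else ""
    if any(term in lower for term in LURE_TERMS):
        findings.append("coronavirus-themed attachment name")
    if data[:2] == b"MZ":  # PE header: a Windows executable regardless of icon or name
        findings.append("PE executable payload")
        if ext not in ("exe", "dll", "scr"):
            findings.append(f"executable disguised with .{ext} extension")
    if data[:2] == b"PK":  # zip container: OOXML documents (.docx/.docm/.xlsm) live here
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                    findings.append("Office document contains VBA macro project")
        except zipfile.BadZipFile:
            findings.append("corrupt or truncated zip container")
    if ext == "arj" or data[:2] == b"\x60\xea":  # ARJ header id, an unusual mail container
        findings.append("ARJ archive attachment")
    return findings
```

A real gateway would run this on every MIME part and hold anything with a non-empty result; the lure-term check is a weak signal on its own and is meant to raise priority, not to block by itself.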