Posted March 25, 2020
Coronavirus Disease 2019, also known as COVID-19, has been officially classified as a global pandemic by the World Healthcare Organization (WHO). There is widespread concern surrounding the spread of the disease, and citizens worldwide are looking to the WHO, the Centers for Disease Control and Prevention (CDC), and their governments to provide them with updates and developments on COVID-19. In light of the global scale of COVID-19, cyber criminals have been able to take advantage of the fear and uncertainty to deploy scams and attacks against unsuspecting targets worldwide. Recently, the Cybersecurity and Infrastructure Agency (CISA) released an alert on threat actors utilizing COVID-19-themed phishing emails to serve malware and phish landing pages. Since the release of CISA’s alert, security researchers have discovered ransomware strains, activity on the dark web, and misinformation campaigns taking advantage of the concern and fear over COVID-19. While this is not an innovative tactic, it does demonstrate how threat actors will attempt to exploit a global health crisis to distribute harmful attacks against victims.
Phishing Emails and Malware
Due to the worldwide effect of COVID-19, threat actors can anticipate having a larger pool of victims fall for appealing lures that use a COVID-19 theme. Since January 2020, government and health officials have warned the public about COVID-19 and provided recommendations to prevent the spread of the virus. Threat actors have taken advantage of memos and alerts published by the WHO and the CDC, using them as templates to craft official-looking phishing emails containing hostile links and malicious files for victims to open.
These phishing lures range from links claiming to provide tips on virus prevention to alerts on new infection rates in specific geographic regions. In January 2020, Emotet threat actors distributed a Japanese-language COVID-19 phishing lure that urged recipients to view an attached document that purported to contain information on Coronavirus infections in Japan. Emotet threat actors have been known to exploit current events and holidays to leverage sophisticated phishing attacks against unsuspecting victims. In December 2019, Emotet operators distributed holiday-themed phish using a Greta Thunberg lure when the Swedish climate activist became the 2019 Time Person of the Year. Other malware operators have followed Emotet’s lead, deploying banking trojans, information stealers, and remote access trojans in COVID-19 phishing campaigns. These campaigns illustrate how threat actors can take advantage of current events to distribute large-scale campaigns to their targets.
To decrease the spread of COVID-19 and promote social distancing, some organizations, businesses, and educational institutions have shut down or migrated to remote operations for the foreseeable future. As organizations mandate a “work from home” policy, threat actors could deploy phishing emails targeting businesses, utilizing lures pertaining to remote employment due to COVID-19 by falsely impersonating Human Resource professionals or executive leadership. Social engineering techniques can be incorporated into COVID-19 lures to further trick unsuspecting targets to fall for these scams and attacks.
On March 12, 2020, security researchers discovered a Coronavirus-themed ransomware. This sample was discovered in a campaign utilizing a website impersonating the “WiseCleaner” Windows system utility to distribute a downloader executable to deliver the ransomware, along with the Kpot information stealer. While the information stealer was used to exfiltrate cookies and login information from the machine, the ransomware encrypted all files on the machine before presenting the victim with a ransom note. Each file on the machine was renamed to the threat actor’s email address, which would be used for victims to communicate with the actors to discuss ransom payment, followed by the file’s original extension. Figure 1 displays the ransom note analyzed by security researchers at MalwareHunterTeam. Not only is the ransom amount listed as 0.008 BTC, but the ransom note includes a political statement about donations for the United States’ presidential election. The final line in the note is a quote in Latin that translates to “abandon hope, ye who enter here.”
Figure 1: Coronavirus-themed ransomware note obtained and analyzed by MalwareHunterTeam.
On March 13, 2020, security researchers discovered a Coronavirus-themed mobile phone ransomware targeting Android phones. Dubbed CovidLock and formerly hosted on the site coronavirusapp[.]site, the ransomware was discovered through a malicious phone application that allegedly tracked cases of COVID-19 and claimed to provide metrics on virus infections. However, the application would lock the device and demand a ransom to restore access to the phone. The ransomware threatened victims to pay $100 in Bitcoin within a 48-hour deadline or else the program would erase all content on the phone, functioning as a wiper ransomware. While a password key has been retrieved to help victims restore their devices, this example further emphasizes how threat actors are taking advantage of a global health crisis to distribute hostile attacks against vulnerable targets.
In a turn of events, some ransomware operators have declared a ceasefire on targeting healthcare organizations during the pandemic. BleepingComputer contacted the operators of six ransomware families inquiring if they would continue targeting healthcare facilities and organizations during the Coronavirus outbreak. Out of the six families, the operators of Maze and DoppelPaymer ransomware claimed they would refrain from targeting healthcare organizations. Maze ransomware operators released a “press statement” on stopping activity on medical organizations until the situation stabilizes, Figure 2.
Figure 2: Maze team’s official press release on medical activity suspension obtained by LookingGlass Research.
Dark Web Activity
As one set of threat actors actively distributes phishing scams and launches attacks against their victims, another set are developing customized phishing pages, kits, and hostile resources utilizing a Coronavirus theme to be sold to cyber criminals. LookingGlass researchers have observed an instance of this on the dark web; an actor started a thread on a top-tier Russian-speaking marketplace forum for the sale of a “Coronavirus Phishing Method.” Figure 3 is a screenshot of the actor selling an application that supposedly renders an interactive map of patients infected with COVID-19 using real-time data from WHO and other sources. The seller claims that this phishing method allows threat actors to send a payload “preloader” disguised as a map that can be sent as a file attachment using any mail service and that it is capable of infecting 10,000 victims daily. This example on the dark web showcases how cyber criminals will capitalize on using COVID-19-themed lures to sell on dark web marketplaces. Part of the appeal of monetizing software such as this is that the potential pool of target will be numerous due to this theme.
Figure 3: Advertisement on Dark Web forum selling “Corona Virus Phishing Method”.
Figure 4 displays a screenshot of the interactive map referenced in dark web marketplace advertisement for the Coronavirus Phishing Method shown in Figure 2. The sale post is written in both Russian and English in an effort to engage a wider group of potential buyers to purchase the tool.
Figure 4: Interactive map sold by an actor on the Dark Web
A high volume of Coronavirus-themed domain names have been created since early March 2020. At the time of this writing, LookingGlass observed over 3,500 variations of domain names and host names utilizing a Coronavirus or COVID-19 theme; we anticipate the volume of Coronavirus-themed domains will increase significantly. While it is possible that some of these domains are intended to be used to distribute crucial information on the virus from news organizations or healthcare professionals, there is also the likelihood that these domain names might be used by cyber criminals to create phish landing pages, establish payload locations for the distribution of malware, spread misinformation about COVID-19 updates and testing, or for other nefarious purposes. Figure 4 is an example of a scam website advertising the sale of a COVID-19 test. A WHOIS lookup on the domain name, coronavirus[-]testing[.]com, reveals the domain was created on March 7, 2020.
Figure 4: Coronavirus-themed scam advertising a COVID-19 test.
It is critical for individuals to stay vigilant and understand how to recognize suspicious emails and activity. As the world receives more updates about COVID-19 developments, we can expect cyber criminals to attempt to leverage attacks against individuals utilizing COVID-19 campaigns. LookingGlass provides the following recommendations to help individuals stay secure during this global health crisis:
- Only interact with emails from known senders. Check the link of an embedded URL by hovering the cursor over the link. Use caution when interacting with email attachments.
- Be wary of third-party sources spreading information about COVID-19. Refer to official healthcare organizations or government websites for updates on COVID-19.
- Report suspicious emails and computer activity to the appropriate department or party for further investigation.
- Stay up-to-date with current events in cyber security pertaining to COVID-19 for situational awareness.
Additional resources on phishing scams and attacks are listed below:
Federal Trade Commission
- hXXps://www [.]consumer[.]ftc [.]gov/blog/2020/02/coronavirus-scammers-follow-headlines
- hXXps://news [.]un[.]org/en/story/2020/02/1058381
LookingGlass offers a portfolio of products and services that can help organizations protect their business, employees, and customers from cyber threats. Contact us for more information.