The COVID-19 pandemic has aroused great interest among users, workers and companies. This interest stems from both the disease itself and many other related issues that go beyond public health: from the confinement that many people are living through, the cessation of activities in many countries, and even the economic consequences. This is why Google Trends data shows that searches for coronavirus around the world have multiplied exponentially, reaching peak popularity (100) on March 15.
This enormous interest has been exploited by cyberattackers; many of them are using the pandemic as bait in social engineering campaigns, trying to trick employees and users. This is reflected in the report by Cytomic Cyberattacks exploiting COVID-19 , based on the analysis of hundreds of malware detections carried out by our laboratory between March 12 and 25. The study has broken down several kinds of campaigns.
Latest attacks detected_
Phishing attacks that use COVID-19 are still on the up. Cybercriminals are creating sophisticated websites specifically for this purpose, or else use SMS messages supposedly containing information about financial support being provided by the government; the latest updates about the virus, imitating organizations such as the World Health Organization (WHO); or simply asking the recipient to donate to fundraising campaigns to help in the fight against COVID19.
We have detected SMS messages posing as the Spanish Public Employment Service (SEPE), supposedly informing the recipient that their furlough payment has been approved, and requesting bank details. There have also been campaigns imitating Social Security, taking advantage of the fact that many people’s work situation is highly unstable at the moment. The messages claim that the victim is entitled to a rebate, and redirect them to a fake page, where, if they enter their bank details, this information will be stolen.
If you have received an SMS or email of this nature, and have clicked on a link and entered your personal and bank details, get in touch with your bank as soon as possible to inform them of what has happened.
Over the last two months, the group APT41 has been trying to exploit vulnerabilities in applications and devices developed by companies specialized in B2B technology solutions, such as Cisco, Citrix, and Zoho. The reason for this increased activity is the exponential growth in remote work brought about in many companies due to the COVID-19 pandemic.
There is also a growing number of applications that contain malicious software hidden inside. These applications claim, for example, to contain information about where to buy healthcare material, or pose as supermarkets offering discount coupons. Another very common example is to hide malware inside applications that claim to track coronavirus cases worldwide in real time. As the days go by, these attacks are becoming more sophisticated, and several fake versions of legitimate COVID-19 applications developed by public or private entities have been spotted, containing malicious code.
Spam related to Coronavirus_
The team of analysts has examined email messages from around the world. Many of them refer to official organizations and appear to contain updates and recommendations related to the disease. But as most of these attacks use email as an attack vector, they also include malicious attachments. In this sense, Cytomic laboratories have observed that they tend to contain a dropper that downloads a binary in the system location: \Users\user\AppData\Local\Temp\qeSw.exe using the hash 258ED03A6E4D9012F8102C635A5E3DCD. Noteworthy subjects in these spam campaigns include:
- “Latest coronavirus Updates”: This campaign was detected in the United Kingdom. The email comes with an attachment in .dat format that claims to contain the latest updates about COVID-19. This file contains malware
- “Coronavirus: important information on precautions”: in this case, it targets users in Italy, a country that has been hit hard by this pandemic. Both the subject and body of the email include the text “Coronavirus: important information about precautions”. In the body of the email, the sender claims that the attachment is a document prepared by the World Health Organization (WHO), and strongly recommends that readers download the compromised Microsoft Word attachment. The malicious file contains a Trojan.
- “Exclusive: Coronavirus Vaccine Detected”: this campaign, seen in Portugal, provides a link to more information about the alleged vaccine. The link actually contains malware.
Malicious domains related to Coronavirus_
In the Cytomic laboratory, we have also detected a notable increase in domain names that use the word “corona”, and that are combined with words that users often sue in their organic searches, such as “vaccine” or “emergency”. We present a larger sample in our report, but noteworthy examples include:
- acccorona [.] com
- alphacoronavirusvaccine [.] com
- anticoronaproducts [.] com
- beatingcorona [.] com
- beatingcoronavirus [.] com
- byebyecoronavirus [.] com
- cdc-coronavirus [.] com
- contra-coronavirus [.] com
- corona-crisis [.] com
- corona-emergencia [.] com
- coronadetection [.] com
Prevention and advanced solutions_
In the aforementioned report, we describe in more detail the nature of these cyberattacks, and provide more details for the cybersecurity community, such as their Indicators of Compromise. But in any case, the main line of defense against these cyberattacks is always prevention, starting with making employees more aware of risks. This is why it is important for employees to follow general rules such as:
- Do not open attachments from unknown senders.
- Do not connect USB storage devices that may be unsafe.
- Periodically change your passwords.
- Update the system and third-party applications used by the organization.
While bearing these practices in mind, organizations must also take special cybersecurity precautions if they have enabled teleworking policies, as we explained in a previous blog post.
Finally, it is also advisable to have advanced endpoint solutions that allow you to stop cyberattacks that use both known and unknown malware, which may use COVID-19 as a lure. In this sense, Cytomic clients have available to them the managed Zero-Trust Application service, which classifies all binaries before they can run, and blocks all malicious executables. This services enables a highly efficient and unmanned mechanism for detecting and blocking malware and ransomware, even before it has a chance to run, regardless of whether it is a new variant or new download domains, as is the case of COVID-19 malware variants.
What’s more, Cytomic’s endpoint technologies for detecting Indicators of Attack (IoAs) by behavior and context detect and block unusual behaviors on protected devices, such as downloading a Word document from an executable, or accessing an unknown or malicious URL, immediately blocking the compromise attempt, denying execution and connection.