Coronavirus, COVID-19 or SARS–CoV–
A majority of attacks in recent times have been related to an ongoing campaign called COVID-19. This is the pandemic the digital world is dealing with. The recent wave of attacks under this campaign has included spam impersonating the Centers for Disease Control Prevention (CDC) and World Health Organization (WHO). While some ransomware operators have backed out from targeting health-related industries, several attacks have still been observed on the critical functioning COVID-19 testing centers in various parts of Europe.
Attacks under the umbrella of COVID-19 Campaign
- Apt36(also known as Transparent Tribe, ProjectM, Mythic Leopard, TEMP.Lapis), a state sponsored threat actor has been distributing Crimson Remote Administration Tool (RAT) via malicious documents disguised as health advisories sent by Indian government officials. Attackers have stolen credentials from victim’s browsers, captured screenshots, collected information about running processes, directories and drives from the target systems.
- Several other state sponsored APTs have ben related to this campaign.
Chinese APTs: Mustang Panda and Vicious Panda
North Korean APT: Kimsuky
Russian APTs: Hades and TA542
- TrickBot Trojan was distributed in Italy using malicious Word documents. Once installed on a target, the Trojan steals confidential information and spreads laterally in the network. TrickBot eventually launches PowerShell Empire or Cobalt Strike and provides access to Ryuk ransomware operators for further infection.
- Many new malwares have been named CoronaVirus itself. CoronaVirus ransomware has been distributed along with the Kpot information-stealing Trojan through fake websites highlighting a legitimate Windows system utility named WiseCleaner. Another CoronaVirus malware locked out users on Windows Systems.
- A malware downloader named GuLoader was distributed in a ZIP file attachment with emails. GuLoader in turn downloads an information-stealing Trojan named FormBook which possesses a functionality of keylogging and steals banking credentials, web site login credentials, cookies, etc.
- Raccoon information stealer has been distributed using open redirects under the website of the U.S. Department of Health & Human Services. These redirect victims to phishing landing pages and download the malware on targets.
- Netwalker Ransomware infections have become prevalent with the COVID-19 campaign delivered as malicious attachments with emails.
- Redline information-stealing Trojan has been distributed through emails urging users to download Folding@home application but delivering the malware instead. This malware can steal saved login credentials, credit cards, cookies, and autocomplete fields from browsers.
- A few cyber-attacks have hijacked and changed router’s DNS settings to display alerts for a fake COVID-19 information app from the World Health Organization and deliver the Oski information-stealing malware. These kinds of attacks could be used to steal money from bank accounts, perform identity theft, or launch further spear phishing attacks.
- Zeus Sphinx banking Trojan has resurfaced after three years to steal banking credentials from users under the COVID-19 spear phishing campaign.
- Another wave of attacks delivered the LokiBot Trojan using similar spear phishing lures.
A careful analysis of each of the attacks reveals that the main attack vector used in this campaign is spear phishing emails with COVID-19 themed lures.
A variety of documents including Microsoft Office files, zip files, Excel documents with embedded malicious macros, RTF documents, open redirects, PDFs, etc. are being distributed as attachments with spam emails with Coronavirus related information.
SanerNow lists the potential targets for malwares in an enterprise network (shown in the figures below). SanerNow also lists the attack vectors used by each of these malwares or cyberespionage groups, and facilities automated patching for these vulnerabilities on affected systems. The additional details such as the specific behavior of every malware or cyberespionage group helps organizations in effectively preventing security incidents.
General recommendations to prevent attacks during the COVID-19 Crisis
- Refrain from opening any emails and messages whose sender is not known.
- Avoid clicking on links and opening documents sent on instant messaging platforms or emails. It is always advised to look for information from legitimate websites instead of following links found elsewhere.
- Keep your systems up to date with the latest security patches.
- Educate your teams and other members of the organization to use security products while working remotely. Here are a few guidelines that would prove to be useful.
- Never provide sensitive information to agents trying to reach out on calls or emails. WHO and other governmental organizations never ask for sensitive data or direct donations for emergency response.
- Set strong and unique passwords wherever applicable.