An 'Infodemic' Of Phishing & Malware

The dreadful coronavirus is taking the world by storm, and mankind is on the threshold of serious changes over the pandemic officially declared on March 11, 2020.    
 
Also referred to as COVID-19 or 2019 Novel Coronavirus (2019-nCoV), this strain got out of hand in China and is now running rampant across different parts of the globe. At the time of this publication, the total number of reported coronavirus cases exceeds 126,000, so it comes as no surprise that the disease instills fear in people regardless of their residence.
 
It’s common knowledge that malicious actors follow the headlines and never miss hype trains. This time, they piggyback on the “infodemic” to orchestrate massive online scams and spread malware, demonstrating once again that the margin between real and cyber worlds is a slim one. This article will give you the lowdown on cybercrime implications of the COVID-19 outbreak and methods to safeguard your digital life against the escalating e-threat.
 
Coronavirus-themed Phishing On The Rise
Malefactors are increasingly cashing in on the panic to execute social engineering scams whose goal is to wheedle out sensitive information or money. To set these hoaxes in motion, crooks send numerous emails impersonating reputable healthcare organizations and requesting sensitive credentials or a donation to fund research and treatment of those infected.
 
The most massive phishing campaigns revolving around the COVID-19 theme are as follows.
 
The “Safety measures” email fraud
While trying to stay tuned for the latest updates about the unnerving disease subject, people run the risk of being ambushed in an ongoing scam wave. Cybercrooks have been busy sending bogus emails disguised as an official advisory from the World Health Organization (WHO) since early February 2020.
 
The lure is an embedded button saying “Safety Measures,” which supposedly leads to a file listing the entirety of up-to-date coronavirus precautions. Instead of triggering the purported download, though, the button forwards the recipient to a fabricated email verification form asking for their username and password.
 
A clever trick that plays into the fraudsters’ hands is that the “Verify Your E-mail” pop-up seems to be displayed on top of the legit WHO website. However, the genuine page is actually rendered within a frame constituting the malicious landing site. Once the unsuspecting user enters and submits their credentials, this information instantly goes to the felons, and the browser is redirected to www.who.int, the real web page of the World Health Organization.
 
Fortunately, several giveaways may help a vigilant user identify the scam. First of all, the criminals don’t take proofreading seriously, and therefore, the email body is full of spelling errors and awkward typos. Secondly, the WHO page replica is an HTTP site rather than HTTPS, which is a red flag many people will notice. Despite the imperfections, this hoax is still up and running.
 
Alert from the CDC? Not really
In another move, threat actors are sending phony emails impersonating the U.S. Centers for Disease Control and Prevention (CDC). These messages claim to notify the recipients about new contamination reports in their area as part of a recently established incident management system. 
 
This way, the scammers try to hoodwink users into clicking a bait link that purportedly leads to an “updated list of new cases” around their city. The resulting page is a phishing site that harvests the targets’ sensitive credentials. Unlike the above-mentioned fake WHO advisory scam, the email looks competently tailored and may be based on real CDC press release templates. Additionally, its subject has a stronger element of pressure and urgency making it more likely that people follow the fake hyperlink and give away their personal info.
 
COVID-19 scare as a source of malware distribution 
Cybercriminals’ efforts to exploit the coronavirus theme aren’t restricted to phishing. The delivery of malware payloads is one more vector of their shenanigans. In the wake of the current crisis, users may lose vigilance and it’s easier for crooks to dupe them into opening booby-trapped email attachments or downloading malicious files from sketchy resources. Here is a summary of notorious campaigns using the panic as leverage for spreading harmful code.
 
Remcos RAT gets a propagation boost
The remote access tool (RAT) dubbed Remcos originally surfaced in August 2019. It had mostly remained on the sidelines of the cybercrime ecosystem until its operators added the coronavirus theme to their distribution repertoire.
 
In late February 2020, analysts at Cybaze-Yoroi ZLab security firm came across a Remcos RAT payload camouflaged as an executable file named CoronaVirusSafetyMeasures_pdf.exe. This object was submitted to their malware sandbox service and it’s unclear how exactly it reaches victims at this point. The researchers believe the threat most likely arrives over email.
The role of the above-mentioned file is to drop the Remcos executable onto a computer along with a VBScript item that launches the RAT. To gain a firm foothold in the host system, the infection adds the “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce” registry key to make sure it is triggered at boot time.
 
When running, Remcos RAT keeps tabs on the victim’s keystrokes and saves this information to the “logs.dat” file created in “%AppData%\Local\Temp\onedriv” path. All the data amassed in the course of this reconnaissance is sent to the criminals’ Command & Control server.
 
The opportunistic spike in Emotet malware circulation
The notorious info-stealing Trojan called Emotet is at the core of a coronavirus-themed spam campaign that broke out in late January 2020. It zeroes in on Japanese users via deceptive emails warning the recipients about infection cases in different regions of the country, including the Osaka, Gifu, and Tottori prefectures.
 
According to experts at IBM X-Force Threat Intelligence who unearthed this hoax, the fake messages are masqueraded as alerts issued by local healthcare centers. The text written in Japanese says new patients were reported in the would-be victim’s area. To learn the details, the user is instructed to open the Word document attached to this email. However, this file won’t display any content until the target clicks on a prompt to enable macros. This is a well-known malware deployment trick involving a VBA macro that covertly fires up a PowerShell command to download a harmful program (Emotet in this scenario).
 
Lokibot Trojan authors jump on the bandwagon
Another infamous info-stealer known as Lokibot follows in the footsteps of Emotet, capitalizing on the 2019-nCoV scare to make the rounds on a large scale. To deposit the malicious payload onto as many computers as possible, the threat actors are sending rogue emails disguised as an emergency regulation ordinance issued by the Ministry of Health of the People’s Republic of China.
 
Interestingly, the email includes the phrase “for the safety of your industry,” which is a clue suggesting that the campaign may primarily target businesses. The recipient is instructed to unpack the RAR archive attached to the message and then open the enclosed batch file named “Emergency Regulation.” This completes the infection chain and Lokibot starts collecting the victim’s passwords along with other sensitive data. When done, it submits the stolen information to a C2 server.
 
FormBook malware operators follow suit
The FormBook info-stealer is the latest addition to the series of digital threats whose distributors don’t mind taking advantage of the COVID-19 fears. Security analysts have recently stumbled upon bogus emails claiming to provide the “latest updates on coronavirus disease outbreak” on behalf of the World Health Organization.
 
These messages include a ZIP attachment containing a malicious binary named MyHealth.exe. This object turns out to be a relatively new malware downloader known as GuLoader. When triggered, it downloads a copy of FormBook from Google Drive cloud storage. To make sure that the second-stage payload slips below the radar of antivirus software, GuLoader injects the malicious process into wininit.exe, the legit Windows application launcher. The resulting malware is capable of logging the victim’s keystrokes, stealing clipboard information, and monitoring data related to web surfing sessions.
Pharma spam skyrockets
 
Fake online drug stores are rapidly gaining momentum amidst the global healthcare crisis. To lure people into visiting dubious pharmacy sites, criminals are employing several old school techniques that work well due to the hype around the terrifying respiratory illness.
 
According to the findings of researchers at cybersecurity company Imperva, the dominant vector boils down to comment spamming. This technique engages automated bots or scripts that inject malicious links into regular user comments on various websites. These URLs lead to counterfeit online pharmacies.
 
Not only can this method encourage some site visitors to click on the shady links, but it is also an element of a clever SEO strategy. A slew of trending coronavirus-related keywords sprinkled across these web pages might make them rank higher in search results, which potentially means more leads to the bogus sites selling worthless drugs.
 
In some scenarios, the links in malicious comments point to some neutral web pages providing general medical information or a real-time map that reflects the propagation of the disease. These ostensibly benign sites end up redirecting visitors to dubious pharma businesses.
 
How to avoid COVID-19 scams
Unfortunately, cybercriminals treat the widely publicized coronavirus threat as an opportunity to steal users’ sensitive information and promote malware. Therefore, if you receive an email claiming to be from the World Health Organization (WHO) or a local healthcare institution, think twice before clicking on a link in it or opening the attached file. If the message tries to pressure you into accessing some web page or downloading a file urgently, this can be a telltale sign of a scam. 
 
Here is a round-up of the recommendations on this matter from the U.S. Federal Trade Commission (FTC):
 
● Don’t click on links from unknown sources.
● Treat emails claiming to be from the Centers for Disease Control and Prevention (CDC) with caution. To get the latest information about the coronavirus, visit the official CDC or WHO website instead.
● Don’t fall for ads offering vaccinations.
● Refrain from making donations in cash, via a wire transfer, or by gift card, especially if someone sends you an email asking for it.
● Exercise caution with questionable investment opportunities marketed on social media and through other online channels. This tip is particularly relevant if a product or service is purported to prevent or cure COVID-19.
 
As an extra layer of defense against malware distribution campaigns relying on the coronavirus panic, be sure to use reliable security software that can detect suspicious payloads and block them before they cause harm.
 
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. He runs Privacy-PC.com.
 
You Might Also Read: 
 
Stay Cyber-Secure Working From Home:
 
Beware Spoofing Attacks:
 
 
 
« The US Has A New 5G Security Strategy
The Risks Of Remote Working »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

IX Associates

IX Associates

IX Associates is a UK based IT Integration business specialising in risk, compliance, eDefence, and network security solutions.

Coalfire

Coalfire

Coalfire specialises in cyber risk management and compliance. Our services span the cybersecurity lifecycle from advisory and compliance, to testing and engineering, monitoring and optimization.

IntaForensics

IntaForensics

IntaForensics offer a full range of digital investigation services and are able to adapt to the individual needs of solicitors, private clients, Law Enforcement Agencies and commercial businesses.

Cyber Security National Lab (CINI)

Cyber Security National Lab (CINI)

The Cyber Security National Lab brings together Italian academic excellence in Cyber Security research.

Open Information Security Foundation (OISF)

Open Information Security Foundation (OISF)

OISF is a non-profit organization led by world-class security experts, programmers, and others dedicated to open source security technologies.

Sonda

Sonda

SONDA is the leading systems integrator and IT service provider in Latin America.

Langner

Langner

Langner is a software and consulting firm specialized in cyber security for critical infrastructure and large-scale manufacturing.

Syskode Technologies

Syskode Technologies

Sykode Technologies is a next-generation global technology company offering an integrated portfolio of advisory services, products and solutions in areas including AI, IoT and Cyber Security.

HITRUST Alliance

HITRUST Alliance

HITRUST provides widely-adopted common risk and compliance management frameworks, related assessment and assurance methodologies.

Onevinn

Onevinn

Onevinn's goal is to create a transparent, cost-effective security that is noticed as little as possible by the users. We simply call it "intelligent security."

Redsquid

Redsquid

At Redsquid we are all about making a difference to our customers with the use of technology, as an innovative provider of solutions within IoT, Cyber security, ICT, Data Connectivity & Voice.

NorthRow

NorthRow

NorthRow provides digital transformation compliance solutions to help businesses manage regulatory and financial crime risks.

HEROIC Cybersecurity

HEROIC Cybersecurity

HEROIC’s enterprise cybersecurity services help improve overall organizational security with industry best practices and advanced technology solutions.

Guardian Angel Cyber

Guardian Angel Cyber

Guardian Angel Cyber, is your trusted ally in safeguarding your digital assets and online presence.

Strobes Security

Strobes Security

Strobes is among the world’s first cybersecurity platforms specifically designed for end-to-end continuous threat exposure management.

Jitterbit

Jitterbit

Jitterbit integrates critical business processes and enables application development to deliver the experiences and insights needed by enterprises of all sizes to accelerate their digital journey.