An 'Infodemic' Of Phishing & Malware

The dreadful coronavirus is sweeping the world, and mankind is on the threshold of serious changes following the pandemic officially declared on March 11, 2020.
 
Also referred to as COVID-19 or 2019 Novel Coronavirus (2019-nCoV), this strain got out of hand in China and is now running rampant across different parts of the globe. At the time of this publication, the total number of reported coronavirus cases exceeds 126,000, so it comes as no surprise that the disease instills fear in people regardless of their residence.
 
It’s common knowledge that malicious actors follow the headlines and never miss a hype train. This time, they piggyback on the “infodemic” to orchestrate massive online scams and spread malware, demonstrating once again that the line between the physical and cyber worlds is a thin one. This article gives you the lowdown on the cybercrime implications of the COVID-19 outbreak and on methods to safeguard your digital life against the escalating e-threat.
 
Coronavirus-themed Phishing On The Rise
Malefactors are increasingly cashing in on the panic to execute social engineering scams whose goal is to wheedle out sensitive information or money. To set these hoaxes in motion, crooks send numerous emails impersonating reputable healthcare organizations and requesting sensitive credentials or a donation to fund research and treatment of those infected.
 
The largest phishing campaigns revolving around the COVID-19 theme are as follows.
 
The “Safety measures” email fraud
People trying to keep up with the latest updates on the unnerving disease run the risk of being caught in an ongoing scam wave. Cybercrooks have been busy sending bogus emails disguised as an official advisory from the World Health Organization (WHO) since early February 2020.
 
The lure is an embedded button saying “Safety Measures,” which supposedly leads to a file listing the entirety of up-to-date coronavirus precautions. Instead of triggering the purported download, though, the button forwards the recipient to a fabricated email verification form asking for their username and password.
 
A clever trick that plays into the fraudsters’ hands is that the “Verify Your E-mail” pop-up appears to be displayed on top of the legitimate WHO website. In fact, the genuine page is rendered inside a frame on the malicious landing site, which controls the surrounding page and the pop-up. Once the unsuspecting user enters and submits their credentials, this information instantly goes to the felons, and the browser is redirected to www.who.int, the real web page of the World Health Organization.
 
Fortunately, several giveaways may help a vigilant user identify the scam. First of all, the criminals don’t take proofreading seriously, and therefore, the email body is full of spelling errors and awkward typos. Secondly, the WHO page replica is an HTTP site rather than HTTPS, which is a red flag many people will notice. Despite the imperfections, this hoax is still up and running.
 
Alert from the CDC? Not really
In another move, threat actors are sending phony emails impersonating the U.S. Centers for Disease Control and Prevention (CDC). These messages claim to notify the recipients about new reports of infections in their area as part of a recently established incident management system.
 
This way, the scammers try to hoodwink users into clicking a bait link that purportedly leads to an “updated list of new cases” around their city. The resulting page is a phishing site that harvests the targets’ sensitive credentials. Unlike the above-mentioned fake WHO advisory scam, the email looks competently tailored and may be based on real CDC press release templates. Additionally, its subject line carries a stronger element of pressure and urgency, making it more likely that people follow the fake hyperlink and give away their personal information.
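Both the fake WHO advisory and the fake CDC alert share the same giveaways: a button or link whose real destination is not the organisation it claims to be, a plain HTTP target, and displayed text that does not match the actual URL. The script below is an added example (not code from the article or from any of the named organisations) that pulls every link out of an HTML email body and reports those giveaways. The sample email bodies, the `.invalid` hostnames and the `EXPECTED_DOMAINS` table are constructed for the example; the only real domains in it are who.int and cdc.gov, which the article names as the legitimate sites.

```python
"""Flag suspicious links in an HTML email that claims to come from WHO or the CDC.

Added example; sample messages and phishing hostnames are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a message from each claimed sender should link to (assumption:
# the legitimate sites the article mentions).
EXPECTED_DOMAINS = {
    "who": {"who.int"},
    "cdc": {"cdc.gov"},
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain reduction (last two labels): www.who.int -> who.int."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_links(html_body, claimed_org):
    """Return one finding per suspicious link: {"href", "text", "reasons"}."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    expected = EXPECTED_DOMAINS.get(claimed_org.lower(), set())
    findings = []
    for href, text in extractor.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        # Giveaway 1: the fake WHO replica was served over plain HTTP.
        if parsed.scheme == "http":
            reasons.append("plain HTTP link")
        # Giveaway 2: the link does not go to the organisation the mail claims to be from.
        if host and expected and registrable(host) not in expected:
            reasons.append(
                "target domain %s is not %s" % (registrable(host), "/".join(sorted(expected)))
            )
        # Giveaway 3: the text shown to the reader is a URL on a different host.
        shown = text.lower()
        if shown.startswith("www."):
            shown = "https://" + shown
        if shown.startswith(("http://", "https://")):
            shown_host = urlparse(shown).hostname or ""
            if registrable(shown_host) != registrable(host):
                reasons.append("displayed URL differs from actual target")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed bodies modelled on the two scams described above.
SAMPLE_WHO_EMAIL = """
<p>Please review the latest precautions.</p>
<a href="http://verify-mail.example.invalid/who/">Safety Measures</a>
<p>World Health Organization - <a href="https://www.who.int/">www.who.int</a></p>
"""

SAMPLE_CDC_EMAIL = """
<p>New cases have been reported in your city. See the updated list:</p>
<a href="http://cases.example.invalid/list">https://www.cdc.gov/coronavirus/cases</a>
<p><a href="https://www.cdc.gov/">CDC</a></p>
"""

if __name__ == "__main__":
    for org, body in (("who", SAMPLE_WHO_EMAIL), ("cdc", SAMPLE_CDC_EMAIL)):
        for f in audit_links(body, org):
            print(org, f["href"], "->", "; ".join(f["reasons"]))
```

A mail gateway would typically take `claimed_org` from the display name or From header rather than from a fixed argument; the point of the example is that the three checks are mechanical and cheap, and that the second one (link domain versus claimed sender) catches the CDC lookalike even though that message is otherwise well written.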
 
COVID-19 scare as a source of malware distribution 
Cybercriminals’ efforts to exploit the coronavirus theme aren’t restricted to phishing. The delivery of malware payloads is one more vector of their shenanigans. In the wake of the current crisis, users may lose vigilance, making it easier for crooks to dupe them into opening booby-trapped email attachments or downloading malicious files from sketchy resources. Here is a summary of notorious campaigns using the panic as leverage for spreading harmful code.
 
Remcos RAT gets a propagation boost
The remote access tool (RAT) dubbed Remcos originally surfaced in August 2019. It had mostly remained on the sidelines of the cybercrime ecosystem until its operators added the coronavirus theme to their distribution repertoire.
 
In late February 2020, analysts at the security firm Cybaze-Yoroi ZLab came across a Remcos RAT payload camouflaged as an executable file named CoronaVirusSafetyMeasures_pdf.exe. This object was submitted to their malware sandbox service, and it’s unclear at this point how exactly it reaches victims. The researchers believe the threat most likely arrives over email.

The role of the above-mentioned file is to drop the Remcos executable onto the computer along with a VBScript item that launches the RAT. To gain a firm foothold in the host system, the infection adds an autostart entry under the “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce” registry key to make sure it is triggered at boot time.
 
When running, Remcos RAT keeps tabs on the victim’s keystrokes and saves this information to the “logs.dat” file created in “%AppData%\Local\Temp\onedriv” path. All the data amassed in the course of this reconnaissance is sent to the criminals’ Command & Control server.
 
The opportunistic spike in Emotet malware circulation
The notorious info-stealing Trojan called Emotet is at the core of a coronavirus-themed spam campaign that broke out in late January 2020. It zeroes in on Japanese users via deceptive emails warning the recipients about infection cases in different regions of the country, including the Osaka, Gifu, and Tottori prefectures.
 
According to experts at IBM X-Force Threat Intelligence who unearthed this hoax, the fake messages are disguised as alerts issued by local healthcare centers. The text, written in Japanese, says new patients have been reported in the would-be victim’s area. To learn the details, the user is instructed to open the Word document attached to the email. However, this file won’t display any content until the target clicks a prompt to enable macros. This is a well-known malware deployment trick: a VBA macro covertly fires up a PowerShell command to download a harmful program (Emotet in this scenario).
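The Remcos and Emotet write-ups above each describe behaviour that endpoint telemetry can catch: an autostart entry written under the RunOnce key by a binary running from a user folder, the “logs.dat” keystroke log created under the “onedriv” temp folder, and a Word document whose macro launches PowerShell. The scanner below is an added example (not code from the article or from the researchers it cites) that runs three such rules over a list of event records. The event dictionaries, the field names (`type`, `image`, `parent_image`, `key`, `path`) and the RunOnce value name `onedriv` are constructed for the example and stand in for whatever your EDR or Sysmon export actually provides; only the registry key, the logs.dat path and the dropper file name come from the article.

```python
"""Match constructed endpoint events against the behaviours described in the article.

Added example. Event layout and sample values are constructed; the registry key,
the onedriv\\logs.dat path and the dropper name come from the article.
"""
import ntpath

RUNONCE_PREFIX = r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Folders an ordinary user can write to; a binary starting from one of these and
# registering itself for autostart deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def base(path):
    """Lower-cased file name of a Windows path (ntpath works on any platform)."""
    return ntpath.basename(path).lower()


def rule_runonce_from_user_dir(ev):
    """RunOnce entry written by a process running from a user-writable folder."""
    return (
        ev["type"] == "registry_set"
        and ev["key"].lower().startswith(RUNONCE_PREFIX.lower())
        and any(marker in ev["image"].lower() for marker in USER_WRITABLE)
    )


def rule_remcos_keylog_artifact(ev):
    """logs.dat created inside the onedriv folder named in the Remcos analysis."""
    return ev["type"] == "file_create" and ev["path"].lower().endswith("\\onedriv\\logs.dat")


def rule_office_spawns_script_host(ev):
    """Office application launching PowerShell or another script host (macro behaviour)."""
    return (
        ev["type"] == "process_create"
        and base(ev["parent_image"]) in OFFICE_APPS
        and base(ev["image"]) in SCRIPT_HOSTS
    )


RULES = {
    "runonce_from_user_dir": rule_runonce_from_user_dir,
    "remcos_keylog_artifact": rule_remcos_keylog_artifact,
    "office_spawns_script_host": rule_office_spawns_script_host,
}


def scan(events):
    """Return (rule name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev))
    return hits


# Constructed sample: benign noise plus one event per behaviour in the article.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "registry_set", "image": r"C:\Users\alice\Downloads\CoronaVirusSafetyMeasures_pdf.exe",
     "key": RUNONCE_PREFIX + r"\onedriv"},            # value name "onedriv" is constructed
    {"type": "registry_set", "image": r"C:\Windows\System32\msiexec.exe",
     "key": RUNONCE_PREFIX + r"\InstallerCleanup"},   # installer from System32: not flagged
    {"type": "file_create", "image": r"C:\Users\alice\AppData\Local\Temp\onedriv\remcos.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\onedriv\logs.dat"},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe"},     # user opened a console: not flagged
]

if __name__ == "__main__":
    for name, ev in scan(SAMPLE_EVENTS):
        print(name, "<-", ev.get("image"))
```

The first and third rules are generic and will also fire on legitimate installers and on users who launch PowerShell from an Office add-in, so in practice they feed a triage queue rather than an automatic block; the second rule is a narrow indicator tied to the specific path the researchers reported and is correspondingly easy for the malware authors to change.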
 
Lokibot Trojan authors jump on the bandwagon
Another infamous info-stealer known as Lokibot follows in the footsteps of Emotet, capitalizing on the 2019-nCoV scare to make the rounds on a large scale. To deposit the malicious payload onto as many computers as possible, the threat actors are sending rogue emails disguised as an emergency regulation ordinance issued by the Ministry of Health of the People’s Republic of China.
 
Interestingly, the email includes the phrase “for the safety of your industry,” which is a clue suggesting that the campaign may primarily target businesses. The recipient is instructed to unpack the RAR archive attached to the message and then open the enclosed batch file named “Emergency Regulation.” This completes the infection chain and Lokibot starts collecting the victim’s passwords along with other sensitive data. When done, it submits the stolen information to a C2 server.
 
FormBook malware operators follow suit
The FormBook info-stealer is the latest addition to the series of digital threats whose distributors don’t mind taking advantage of the COVID-19 fears. Security analysts have recently stumbled upon bogus emails claiming to provide the “latest updates on coronavirus disease outbreak” on behalf of the World Health Organization.
 
These messages include a ZIP attachment containing a malicious binary named MyHealth.exe. This object turns out to be a relatively new malware downloader known as GuLoader. When triggered, it downloads a copy of FormBook from Google Drive cloud storage. To make sure that the second-stage payload slips below the radar of antivirus software, GuLoader injects the malicious process into wininit.exe, the legit Windows application launcher. The resulting malware is capable of logging the victim’s keystrokes, stealing clipboard information, and monitoring data related to web surfing sessions.

Pharma spam skyrockets
Fake online drug stores are rapidly gaining momentum amid the global healthcare crisis. To lure people into visiting dubious pharmacy sites, criminals are employing several old-school techniques that work well because of the hype around the terrifying respiratory illness.
 
According to the findings of researchers at cybersecurity company Imperva, the dominant vector boils down to comment spamming. This technique engages automated bots or scripts that inject malicious links into regular user comments on various websites. These URLs lead to counterfeit online pharmacies.
 
Not only can this method encourage some site visitors to click on the shady links, but it is also an element of a clever SEO strategy. A slew of trending coronavirus-related keywords sprinkled across these web pages might make them rank higher in search results, which potentially means more leads to the bogus sites selling worthless drugs.
 
In some scenarios, the links in malicious comments point to some neutral web pages providing general medical information or a real-time map that reflects the propagation of the disease. These ostensibly benign sites end up redirecting visitors to dubious pharma businesses.
 
How to avoid COVID-19 scams
Unfortunately, cybercriminals treat the widely publicized coronavirus threat as an opportunity to steal users’ sensitive information and spread malware. Therefore, if you receive an email claiming to be from the World Health Organization (WHO) or a local healthcare institution, think twice before clicking a link in it or opening the attached file. If the message tries to pressure you into visiting some web page or downloading a file urgently, that is a telltale sign of a scam.
 
Here is a round-up of the recommendations on this matter from the U.S. Federal Trade Commission (FTC):
 
● Don’t click on links from unknown sources.
● Treat emails claiming to be from the Centers for Disease Control and Prevention (CDC) with caution. To get the latest information about the coronavirus, visit the official CDC or WHO website instead.
● Don’t fall for ads offering vaccinations.
● Refrain from making donations in cash, via a wire transfer, or by gift card, especially if someone sends you an email asking for it.
● Exercise caution with questionable investment opportunities marketed on social media and through other online channels. This tip is particularly relevant if a product or service is purported to prevent or cure COVID-19.
 
As an extra layer of defense against malware distribution campaigns relying on the coronavirus panic, be sure to use reliable security software that can detect suspicious payloads and block them before they cause harm.
 
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. He runs Privacy-PC.com.
 