An 'Infodemic' Of Phishing & Malware

The dreadful coronavirus is taking the world by storm, and mankind is on the threshold of serious changes over the pandemic officially declared on March 11, 2020.    
 
Also referred to as COVID-19 or 2019 Novel Coronavirus (2019-nCoV), this strain got out of hand in China and is now running rampant across different parts of the globe. At the time of this publication, the total number of reported coronavirus cases exceeds 126,000, so it comes as no surprise that the disease instills fear in people regardless of their residence.
 
It’s common knowledge that malicious actors follow the headlines and never miss hype trains. This time, they piggyback on the “infodemic” to orchestrate massive online scams and spread malware, demonstrating once again that the margin between real and cyber worlds is a slim one. This article will give you the lowdown on cybercrime implications of the COVID-19 outbreak and methods to safeguard your digital life against the escalating e-threat.
 
Coronavirus-themed Phishing On The Rise
Malefactors are increasingly cashing in on the panic to execute social engineering scams whose goal is to wheedle out sensitive information or money. To set these hoaxes in motion, crooks send numerous emails impersonating reputable healthcare organizations and requesting sensitive credentials or a donation to fund research and treatment of those infected.
 
The most massive phishing campaigns revolving around the COVID-19 theme are as follows.
 
The “Safety measures” email fraud
While trying to stay tuned for the latest updates about the unnerving disease subject, people run the risk of being ambushed in an ongoing scam wave. Cybercrooks have been busy sending bogus emails disguised as an official advisory from the World Health Organization (WHO) since early February 2020.
 
The lure is an embedded button saying “Safety Measures,” which supposedly leads to a file listing the entirety of up-to-date coronavirus precautions. Instead of triggering the purported download, though, the button forwards the recipient to a fabricated email verification form asking for their username and password.
 
A clever trick that plays into the fraudsters’ hands is that the “Verify Your E-mail” pop-up seems to be displayed on top of the legit WHO website. However, the genuine page is actually rendered within a frame constituting the malicious landing site. Once the unsuspecting user enters and submits their credentials, this information instantly goes to the felons, and the browser is redirected to www.who.int, the real web page of the World Health Organization.
 
Fortunately, several giveaways may help a vigilant user identify the scam. First of all, the criminals don’t take proofreading seriously, and therefore, the email body is full of spelling errors and awkward typos. Secondly, the WHO page replica is an HTTP site rather than HTTPS, which is a red flag many people will notice. Despite the imperfections, this hoax is still up and running.
 
Alert from the CDC? Not really
In another move, threat actors are sending phony emails impersonating the U.S. Centers for Disease Control and Prevention (CDC). These messages claim to notify the recipients about new contamination reports in their area as part of a recently established incident management system. 
 
This way, the scammers try to hoodwink users into clicking a bait link that purportedly leads to an “updated list of new cases” around their city. The resulting page is a phishing site that harvests the targets’ sensitive credentials. Unlike the above-mentioned fake WHO advisory scam, the email looks competently tailored and may be based on real CDC press release templates. Additionally, its subject has a stronger element of pressure and urgency making it more likely that people follow the fake hyperlink and give away their personal info.
 
COVID-19 scare as a source of malware distribution 
Cybercriminals’ efforts to exploit the coronavirus theme aren’t restricted to phishing. The delivery of malware payloads is one more vector of their shenanigans. In the wake of the current crisis, users may lose vigilance and it’s easier for crooks to dupe them into opening booby-trapped email attachments or downloading malicious files from sketchy resources. Here is a summary of notorious campaigns using the panic as leverage for spreading harmful code.
 
Remcos RAT gets a propagation boost
The remote access tool (RAT) dubbed Remcos originally surfaced in August 2019. It had mostly remained on the sidelines of the cybercrime ecosystem until its operators added the coronavirus theme to their distribution repertoire.
 
In late February 2020, analysts at Cybaze-Yoroi ZLab security firm came across a Remcos RAT payload camouflaged as an executable file named CoronaVirusSafetyMeasures_pdf.exe. This object was submitted to their malware sandbox service and it’s unclear how exactly it reaches victims at this point. The researchers believe the threat most likely arrives over email.
The role of the above-mentioned file is to drop the Remcos executable onto a computer along with a VBScript item that launches the RAT. To gain a firm foothold in the host system, the infection adds the “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce” registry key to make sure it is triggered at boot time.
 
When running, Remcos RAT keeps tabs on the victim’s keystrokes and saves this information to the “logs.dat” file created in “%AppData%\Local\Temp\onedriv” path. All the data amassed in the course of this reconnaissance is sent to the criminals’ Command & Control server.
 
The opportunistic spike in Emotet malware circulation
The notorious info-stealing Trojan called Emotet is at the core of a coronavirus-themed spam campaign that broke out in late January 2020. It zeroes in on Japanese users via deceptive emails warning the recipients about infection cases in different regions of the country, including the Osaka, Gifu, and Tottori prefectures.
 
According to experts at IBM X-Force Threat Intelligence who unearthed this hoax, the fake messages are masqueraded as alerts issued by local healthcare centers. The text written in Japanese says new patients were reported in the would-be victim’s area. To learn the details, the user is instructed to open the Word document attached to this email. However, this file won’t display any content until the target clicks on a prompt to enable macros. This is a well-known malware deployment trick involving a VBA macro that covertly fires up a PowerShell command to download a harmful program (Emotet in this scenario).
 
Lokibot Trojan authors jump on the bandwagon
Another infamous info-stealer known as Lokibot follows in the footsteps of Emotet, capitalizing on the 2019-nCoV scare to make the rounds on a large scale. To deposit the malicious payload onto as many computers as possible, the threat actors are sending rogue emails disguised as an emergency regulation ordinance issued by the Ministry of Health of the People’s Republic of China.
 
Interestingly, the email includes the phrase “for the safety of your industry,” which is a clue suggesting that the campaign may primarily target businesses. The recipient is instructed to unpack the RAR archive attached to the message and then open the enclosed batch file named “Emergency Regulation.” This completes the infection chain and Lokibot starts collecting the victim’s passwords along with other sensitive data. When done, it submits the stolen information to a C2 server.
 
FormBook malware operators follow suit
The FormBook info-stealer is the latest addition to the series of digital threats whose distributors don’t mind taking advantage of the COVID-19 fears. Security analysts have recently stumbled upon bogus emails claiming to provide the “latest updates on coronavirus disease outbreak” on behalf of the World Health Organization.
 
These messages include a ZIP attachment containing a malicious binary named MyHealth.exe. This object turns out to be a relatively new malware downloader known as GuLoader. When triggered, it downloads a copy of FormBook from Google Drive cloud storage. To make sure that the second-stage payload slips below the radar of antivirus software, GuLoader injects the malicious process into wininit.exe, the legit Windows application launcher. The resulting malware is capable of logging the victim’s keystrokes, stealing clipboard information, and monitoring data related to web surfing sessions.
Pharma spam skyrockets
 
Fake online drug stores are rapidly gaining momentum amidst the global healthcare crisis. To lure people into visiting dubious pharmacy sites, criminals are employing several old school techniques that work well due to the hype around the terrifying respiratory illness.
 
According to the findings of researchers at cybersecurity company Imperva, the dominant vector boils down to comment spamming. This technique engages automated bots or scripts that inject malicious links into regular user comments on various websites. These URLs lead to counterfeit online pharmacies.
 
Not only can this method encourage some site visitors to click on the shady links, but it is also an element of a clever SEO strategy. A slew of trending coronavirus-related keywords sprinkled across these web pages might make them rank higher in search results, which potentially means more leads to the bogus sites selling worthless drugs.
 
In some scenarios, the links in malicious comments point to some neutral web pages providing general medical information or a real-time map that reflects the propagation of the disease. These ostensibly benign sites end up redirecting visitors to dubious pharma businesses.
 
How to avoid COVID-19 scams
Unfortunately, cybercriminals treat the widely publicized coronavirus threat as an opportunity to steal users’ sensitive information and promote malware. Therefore, if you receive an email claiming to be from the World Health Organization (WHO) or a local healthcare institution, think twice before clicking on a link in it or opening the attached file. If the message tries to pressure you into accessing some web page or downloading a file urgently, this can be a telltale sign of a scam. 
 
Here is a round-up of the recommendations on this matter from the U.S. Federal Trade Commission (FTC):
 
● Don’t click on links from unknown sources.
● Treat emails claiming to be from the Centers for Disease Control and Prevention (CDC) with caution. To get the latest information about the coronavirus, visit the official CDC or WHO website instead.
● Don’t fall for ads offering vaccinations.
● Refrain from making donations in cash, via a wire transfer, or by gift card, especially if someone sends you an email asking for it.
● Exercise caution with questionable investment opportunities marketed on social media and through other online channels. This tip is particularly relevant if a product or service is purported to prevent or cure COVID-19.
 
As an extra layer of defense against malware distribution campaigns relying on the coronavirus panic, be sure to use reliable security software that can detect suspicious payloads and block them before they cause harm.
 
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. He runs Privacy-PC.com.
 
You Might Also Read: 
 
Stay Cyber-Secure Working From Home:
 
Beware Spoofing Attacks:
 
 
 
« The US Has A New 5G Security Strategy
The Risks Of Remote Working »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

WEBINAR: 2024 and Beyond: Top Six Cloud Security Trends

WEBINAR: 2024 and Beyond: Top Six Cloud Security Trends

April 4, 2024 | 11:00 AM PT: Join this webinar to find out about six emerging trends dominating the cloud cybersecurity landscape.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Quttera

Quttera

Quttera provides Website Security Solutions for Small & Medium Businesses, Enterprises and Organizations.

Mellanox Technologies

Mellanox Technologies

Mellanox Technologies is a leading supplier of end-to-end Ethernet and InfiniBand intelligent interconnect solutions and services for servers, storage, and hyper-converged infrastructure.

Mobile Mentor

Mobile Mentor

Mobile Mentor is an independent provider of enterprise mobility solutions in New Zealand and Australia.

CLUSIS

CLUSIS

CLUSIS is an association for the information security industry in Switzerland.

Norwegian Center for Information Security (NorSIS)

Norwegian Center for Information Security (NorSIS)

NorSIS) is an independent organization that works to increase knowledge and understanding of information security for businesses and individuals.

Seric Systems

Seric Systems

Seric is a technology business specialising in security, infrastructure and data management.

HexaTrust

HexaTrust

The HEXATRUST club was founded by a group of French SMEs that are complementary players with expertise in information security systems, cybersecurity, cloud confidence and digital trust.

ST Engineering

ST Engineering

ST Engineering is a leading provider of trusted and innovative cybersecurity solutions.

Dellfer

Dellfer

Dellfer secures connected cars and other IOT devices through Intrinsic protection, enabling the most sophisticated cybersecurity attacks to be seen instantly and remediated with precision.

Voxility

Voxility

Voxility provides Infrastructure-as-a-Service in the biggest Internet hubs in the world.

Cypress Data Defense

Cypress Data Defense

Cypress Data Defense helps clients build secure applications by providing training, best practices, and evaluating security during every stage of the Secure Application Development Lifecycle.

Ward Solutions

Ward Solutions

Ward Solutions are an information security consultancy and managed services company. We help organisations protect their brand, people, assets, intellectual property and profits.

Hub71

Hub71

Hub71 is a world-class tech ecosystem opening doors to global opportunities from an optimal business environment for entrepreneurial-minded innovators.

Ascent Solutions

Ascent Solutions

Ascent is built to help firms evolve their cybersecurity posture, modernize their Microsoft solutions, and accelerate their journey to the cloud.

Sekur Private Data

Sekur Private Data

Sekur Private Data Ltd. is a Cybersecurity and Internet privacy provider of Swiss hosted solutions for secure communications and secure data management.

OxCyber

OxCyber

OxCyber's mission is to ignite and encourage cybersecurity and technology growth in the Thames Valley through meetings, webinars, in person events, workshops and mentorship programs.