An 'Infodemic' Of Phishing & Malware

The dreadful coronavirus is taking the world by storm, and humanity is on the threshold of serious changes following the pandemic officially declared on March 11, 2020.
 
Also referred to as COVID-19 or 2019 Novel Coronavirus (2019-nCoV), this strain got out of hand in China and is now running rampant across different parts of the globe. At the time of this publication, the total number of reported coronavirus cases exceeds 126,000, so it comes as no surprise that the disease instills fear in people regardless of their residence.
 
It’s common knowledge that malicious actors follow the headlines and never miss hype trains. This time, they piggyback on the “infodemic” to orchestrate massive online scams and spread malware, demonstrating once again that the margin between real and cyber worlds is a slim one. This article will give you the lowdown on cybercrime implications of the COVID-19 outbreak and methods to safeguard your digital life against the escalating e-threat.
 
Coronavirus-themed Phishing On The Rise
Malefactors are increasingly cashing in on the panic to execute social engineering scams whose goal is to wheedle out sensitive information or money. To set these hoaxes in motion, crooks send numerous emails impersonating reputable healthcare organizations and requesting sensitive credentials or a donation to fund research and treatment of those infected.
 
The most massive phishing campaigns revolving around the COVID-19 theme are as follows.
 
The “Safety measures” email fraud
While trying to keep up with the latest updates on the unnerving disease, people run the risk of being caught in an ongoing scam wave. Cybercrooks have been busy sending bogus emails disguised as an official advisory from the World Health Organization (WHO) since early February 2020.
 
The lure is an embedded button saying “Safety Measures,” which supposedly leads to a file listing the entirety of up-to-date coronavirus precautions. Instead of triggering the purported download, though, the button forwards the recipient to a fabricated email verification form asking for their username and password.
 
A clever trick that plays into the fraudsters’ hands is that the “Verify Your E-mail” pop-up seems to be displayed on top of the legit WHO website. In reality, the genuine page is loaded inside a frame on the malicious landing site, and the fake form is overlaid on it. Once the unsuspecting user enters and submits their credentials, this information instantly goes to the felons, and the browser is redirected to www.who.int, the real web page of the World Health Organization.
 
Fortunately, several giveaways may help a vigilant user identify the scam. First of all, the criminals don’t take proofreading seriously, and therefore, the email body is full of spelling errors and awkward typos. Secondly, the WHO page replica is an HTTP site rather than HTTPS, which is a red flag many people will notice. Despite the imperfections, this hoax is still up and running.
 
Alert from the CDC? Not really
In another move, threat actors are sending phony emails impersonating the U.S. Centers for Disease Control and Prevention (CDC). These messages claim to notify the recipients about new contamination reports in their area as part of a recently established incident management system. 
 
This way, the scammers try to hoodwink users into clicking a bait link that purportedly leads to an “updated list of new cases” around their city. The resulting page is a phishing site that harvests the targets’ sensitive credentials. Unlike the above-mentioned fake WHO advisory scam, the email looks competently tailored and may be based on real CDC press release templates. Additionally, its subject has a stronger element of pressure and urgency, making it more likely that people follow the fake hyperlink and give away their personal info.
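Both lures above share the same tells: a display name borrowed from a health authority, a sender or link domain that does not belong to that authority, a plaintext HTTP link, a page that asks for a login, and an urgent subject line. The following script, written for this article as an added example and not code from the author or from any security vendor mentioned, turns those tells into a mail-gateway style check. The sample message, the organisation-to-domain table, and the keyword lists are constructed for the example.

```python
import re
from email import message_from_string
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample in the style of the fake WHO advisory described in the
# article. The sender domain and link host are invented and belong to nobody.
SAMPLE_EMAIL = (
    "From: World Health Organization <alert@who-int-safety.com>\n"
    "Subject: URGENT: Coronavirus Safety Measures - verify your e-mail now\n"
    "\n"
    "Click the button below to download the latest safety measures:\n"
    "http://who-int-safety.com/verify?email=user@example.org\n"
    "\n"
    "Official reference: https://www.who.int/emergencies/diseases/novel-coronavirus-2019\n"
)

# Display names a lure may use, mapped to the real domain of that organisation.
# Assumed policy table for this example; extend it with the senders your users receive.
ORG_DOMAINS = {
    "world health organization": "who.int",
    "who": "who.int",
    "centers for disease control": "cdc.gov",
    "cdc": "cdc.gov",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(urgent|immediately|verify|act now|within \d+ hours)\b", re.IGNORECASE)
CREDENTIAL_RE = re.compile(r"(verify|login|signin|password|email=)", re.IGNORECASE)


def same_org(host: str, org_domain: str) -> bool:
    """True if host is org_domain itself or one of its subdomains (www.who.int -> who.int)."""
    host = host.lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)


def claimed_org(sender: str) -> Optional[str]:
    """Return the real domain of the organisation named in the From display name, if any."""
    display = sender.split("<")[0].lower()
    for name, domain in ORG_DOMAINS.items():
        if re.search(r"\b" + re.escape(name) + r"\b", display):
            return domain
    return None


def triage_email(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    msg = message_from_string(raw)
    sender = msg.get("From", "")
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings: List[str] = []

    # 1. Does the sender address match the organisation the display name claims?
    org = claimed_org(sender)
    sender_domain = re.search(r"@([\w.-]+)", sender)
    if org and sender_domain and not same_org(sender_domain.group(1), org):
        findings.append(f"sender domain {sender_domain.group(1)} does not belong to {org}")

    # 2. Pressure in the subject line is a common social-engineering tell.
    if URGENCY_RE.search(subject):
        findings.append("subject applies pressure/urgency")

    # 3. Inspect every link: scheme, ownership of the host, and credential prompts.
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.scheme.lower() == "http":
            findings.append(f"plaintext HTTP link to {host}")
        if org and not same_org(host, org):
            findings.append(f"link host {host} does not belong to {org}")
        if CREDENTIAL_RE.search(url):
            findings.append(f"link to {host} asks for a login or verification")
    return findings


if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        print("-", finding)
```

The check deliberately treats the genuine www.who.int reference in the same message as clean, so a mixed message (one real link used as camouflage, one harvesting link) still produces findings only for the bad link.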
 
COVID-19 scare as a source of malware distribution 
Cybercriminals’ efforts to exploit the coronavirus theme aren’t restricted to phishing. The delivery of malware payloads is one more vector of their shenanigans. In the wake of the current crisis, users may lose vigilance and it’s easier for crooks to dupe them into opening booby-trapped email attachments or downloading malicious files from sketchy resources. Here is a summary of notorious campaigns using the panic as leverage for spreading harmful code.
 
Remcos RAT gets a propagation boost
The remote access tool (RAT) dubbed Remcos originally surfaced in August 2019. It had mostly remained on the sidelines of the cybercrime ecosystem until its operators added the coronavirus theme to their distribution repertoire.
 
In late February 2020, analysts at the Cybaze-Yoroi ZLab security firm came across a Remcos RAT payload camouflaged as an executable file named CoronaVirusSafetyMeasures_pdf.exe. This object was submitted to their malware sandbox service, so it is unclear exactly how it reaches victims at this point. The researchers believe the threat most likely arrives over email.

The role of the above-mentioned file is to drop the Remcos executable onto a computer along with a VBScript item that launches the RAT. To gain a firm foothold in the host system, the infection adds an entry under the “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce” registry key to make sure it is triggered at boot time.
 
When running, Remcos RAT keeps tabs on the victim’s keystrokes and saves this information to the “logs.dat” file created in “%AppData%\Local\Temp\onedriv” path. All the data amassed in the course of this reconnaissance is sent to the criminals’ Command & Control server.
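The two behaviours just described, a RunOnce entry that launches a script and a keystroke log written under a temp directory, are the kind of thing endpoint telemetry catches even when the dropper itself is not recognised. The script below is an added example written for this article, not code from Cybaze-Yoroi or any other vendor. It runs simple rules over constructed Sysmon-style events (RegistryEvent, EventID 13, and FileCreate, EventID 11, encoded as one JSON object per line); the user name, SID, value name and VBScript file name in the sample are invented, and only the logs.dat path and the dropper file name come from the write-up.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style events modelled on the Remcos behaviour described in
# the article. Field names follow Sysmon's RegistryEvent (EventID 13) and
# FileCreate (EventID 11); the user, SID, value name and script name are invented.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Users\\alice\\Downloads\\CoronaVirusSafetyMeasures_pdf.exe", "TargetObject": "HKU\\S-1-5-21-0000\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\update", "Details": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\onedriv\\launch.vbs"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\Setup.exe", "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray", "Details": "C:\\Program Files\\Vendor\\tray.exe"}
{"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Roaming\\remcos.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\onedriv\\logs.dat"}
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"}
"""

# Run / RunOnce keys under any hive (Sysmon logs HKCU writes as HKU\<SID>\...).
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Script hosts and script extensions that legitimate installers rarely register at startup.
SCRIPT_RE = re.compile(r"\b(wscript|cscript|mshta|powershell)\.exe\b|\.(vbs|vbe|js|jse|hta|ps1)\b", re.I)
# Locations an unprivileged user can write to; email-borne droppers land here.
USER_PATH_RE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
TEMP_RE = re.compile(r"\\Temp\\", re.I)
# The specific artifact named in the write-up.
REMCOS_LOG_RE = re.compile(r"\\onedriv\\logs\.dat$", re.I)


def parse_events(text: str) -> List[Dict[str, object]]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_event(ev: Dict[str, object]) -> Optional[Dict[str, str]]:
    """Return an alert for one event, or None if it matches no rule."""
    image = str(ev.get("Image", ""))
    if ev.get("EventID") == 13:
        target = str(ev.get("TargetObject", ""))
        details = str(ev.get("Details", ""))
        # Autorun entry whose command is a script, or that points into (or was
        # written from) a user-writable path: classic mail-dropper persistence.
        if AUTORUN_KEY_RE.search(target) and (
            SCRIPT_RE.search(details)
            or USER_PATH_RE.search(details)
            or USER_PATH_RE.search(image)
        ):
            return {"rule": "autorun-persistence", "image": image, "evidence": f"{target} = {details}"}
    elif ev.get("EventID") == 11:
        fname = str(ev.get("TargetFilename", ""))
        # Exact artifact from the write-up, or the generic pattern behind it:
        # a .dat file in a Temp directory written by a binary living in the user profile.
        if REMCOS_LOG_RE.search(fname) or (
            fname.lower().endswith(".dat") and TEMP_RE.search(fname) and USER_PATH_RE.search(image)
        ):
            return {"rule": "keylog-artifact", "image": image, "evidence": fname}
    return None


def scan(text: str) -> List[Dict[str, str]]:
    """Run every event through the rules and collect the alerts."""
    alerts: List[Dict[str, str]] = []
    for ev in parse_events(text):
        alert = check_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["rule"], "|", alert["image"], "|", alert["evidence"])
```

The vendor installer writing a Run value that points at Program Files is left alone on purpose; tuning the user-path and script-host conditions, rather than alerting on every Run/RunOnce write, is what keeps a rule like this usable in production.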
 
The opportunistic spike in Emotet malware circulation
The notorious info-stealing Trojan called Emotet is at the core of a coronavirus-themed spam campaign that broke out in late January 2020. It zeroes in on Japanese users via deceptive emails warning the recipients about infection cases in different regions of the country, including the Osaka, Gifu, and Tottori prefectures.
 
According to experts at IBM X-Force Threat Intelligence who unearthed this hoax, the fake messages are disguised as alerts issued by local healthcare centers. The text, written in Japanese, says new patients were reported in the would-be victim’s area. To learn the details, the user is instructed to open the Word document attached to this email. However, this file won’t display any content until the target clicks on a prompt to enable macros. This is a well-known malware deployment trick involving a VBA macro that covertly fires up a PowerShell command to download a harmful program (Emotet in this scenario).
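The macro-to-PowerShell hand-off is visible in process telemetry as an Office application spawning a script host, which is why that parent-child pair is one of the most widely deployed detections for this technique. The following rule is an added example written for this article, not code from IBM X-Force or any other party. It evaluates constructed Sysmon ProcessCreate (EventID 1) events; the document name, user name, Office install path and the encoded-command placeholder are invented for the example.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed Sysmon ProcessCreate (EventID 1) events modelled on the macro chain
# described in the article. Paths, document name and the encoded-command blob
# are placeholders invented for this example.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <constructed-base64-blob>"}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n C:\\Users\\alice\\Downloads\\notice.docm"}
{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Get-Process"}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
# Command-line traits that raise a script-host launch from "unusual" to "high":
# encoded or hidden execution and in-memory download helpers.
SUSPICIOUS_ARGS_RE = re.compile(
    r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden|-nop\b"
    r"|downloadstring|downloadfile|invoke-webrequest|\biex\b",
    re.I,
)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[Dict[str, object]]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_event(ev: Dict[str, object]) -> Optional[Dict[str, str]]:
    """Alert when an Office application is the direct parent of a script host."""
    if ev.get("EventID") != 1:
        return None
    parent = basename(str(ev.get("ParentImage", "")))
    child = basename(str(ev.get("Image", "")))
    cmdline = str(ev.get("CommandLine", ""))
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return None
    severity = "high" if SUSPICIOUS_ARGS_RE.search(cmdline) else "medium"
    return {
        "rule": "office-spawns-script-host",
        "severity": severity,
        "parent": parent,
        "child": child,
        "command": cmdline,
    }


def scan(text: str) -> List[Dict[str, str]]:
    return [a for a in (check_event(ev) for ev in parse_events(text)) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"], alert["parent"], "->", alert["child"], "|", alert["command"])
```

Word launching splwow64.exe (a printing helper) and an interactive PowerShell started from Explorer both stay silent, which shows why the rule keys on the parent-child pair rather than on "PowerShell ran" alone.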
 
Lokibot Trojan authors jump on the bandwagon
Another infamous info-stealer known as Lokibot follows in the footsteps of Emotet, capitalizing on the 2019-nCoV scare to make the rounds on a large scale. To deposit the malicious payload onto as many computers as possible, the threat actors are sending rogue emails disguised as an emergency regulation ordinance issued by the Ministry of Health of the People’s Republic of China.
 
Interestingly, the email includes the phrase “for the safety of your industry,” which is a clue suggesting that the campaign may primarily target businesses. The recipient is instructed to unpack the RAR archive attached to the message and then open the enclosed batch file named “Emergency Regulation.” This completes the infection chain and Lokibot starts collecting the victim’s passwords along with other sensitive data. When done, it submits the stolen information to a C2 server.
 
FormBook malware operators follow suit
The FormBook info-stealer is the latest addition to the series of digital threats whose distributors don’t mind taking advantage of the COVID-19 fears. Security analysts have recently stumbled upon bogus emails claiming to provide the “latest updates on coronavirus disease outbreak” on behalf of the World Health Organization.
 
These messages include a ZIP attachment containing a malicious binary named MyHealth.exe. This object turns out to be a relatively new malware downloader known as GuLoader. When triggered, it downloads a copy of FormBook from Google Drive cloud storage. To make sure that the second-stage payload slips below the radar of antivirus software, GuLoader injects the malicious process into wininit.exe, the legit Windows application launcher. The resulting malware is capable of logging the victim’s keystrokes, stealing clipboard information, and monitoring data related to web surfing sessions.

Pharma spam skyrockets
Fake online drug stores are rapidly gaining momentum amidst the global healthcare crisis. To lure people into visiting dubious pharmacy sites, criminals are employing several old-school techniques that work well due to the hype around the terrifying respiratory illness.
 
According to the findings of researchers at cybersecurity company Imperva, the dominant vector boils down to comment spamming. This technique engages automated bots or scripts that inject malicious links into regular user comments on various websites. These URLs lead to counterfeit online pharmacies.
 
Not only can this method encourage some site visitors to click on the shady links, but it is also an element of a clever SEO strategy. A slew of trending coronavirus-related keywords sprinkled across these web pages might make them rank higher in search results, which potentially means more leads to the bogus sites selling worthless drugs.
 
In some scenarios, the links in malicious comments point to some neutral web pages providing general medical information or a real-time map that reflects the propagation of the disease. These ostensibly benign sites end up redirecting visitors to dubious pharma businesses.
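Comment spam works on two fronts, clicks from readers and search ranking for the pharmacy sites, so a site operator's countermeasure has two parts as well: score incoming comments on outbound links and trending-keyword stuffing, and strip the SEO value from whatever does get published by marking user-supplied links rel="nofollow ugc". The moderation helper below is an added example written for this article, not code from Imperva or any comment platform. The allowlisted domains, keyword list, score weights and thresholds are assumptions to be tuned per site, and the two sample comments are constructed (their hostnames use the reserved .example domain).

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Site policy (assumed for this example): domains commenters may link to without review.
ALLOWED_LINK_DOMAINS = {"who.int", "cdc.gov", "example.com"}
# Illustrative keyword list; a real deployment would feed this from its spam queue.
SPAM_KEYWORDS = ("cheap", "pills", "pharmacy", "buy online", "no prescription", "cure", "discount")
TRENDING_RE = re.compile(r"\b(coronavirus|covid)", re.I)
HREF_RE = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\']', re.I)
BARE_URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample comments: one spammy, one ordinary.
SPAM_COMMENT = (
    "Great article! Cheap coronavirus pills, no prescription: "
    '<a href="http://best-pills-shop.example/corona">buy online</a> '
    "see also http://corona-map.example/"
)
HAM_COMMENT = 'Thanks, the official guidance is at <a href="https://www.who.int/">WHO</a>.'


def domain_allowed(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_LINK_DOMAINS)


def extract_links(comment: str) -> List[str]:
    """Collect href targets and bare URLs, de-duplicated, in order of appearance."""
    return list(dict.fromkeys(HREF_RE.findall(comment) + BARE_URL_RE.findall(comment)))


def score_comment(comment: str) -> Tuple[int, List[str]]:
    """Additive spam score with the reasons that contributed to it."""
    score, reasons = 0, []
    links = extract_links(comment)
    for link in links:
        host = urlparse(link).hostname or ""
        if not domain_allowed(host):
            score += 2
            reasons.append(f"link to non-allowlisted host {host}")
    for kw in SPAM_KEYWORDS:
        if re.search(r"\b" + re.escape(kw) + r"\b", comment, re.I):
            score += 1
            reasons.append(f"spam keyword '{kw}'")
    if len(links) >= 2:
        score += 1
        reasons.append("multiple outbound links")
    if links and TRENDING_RE.search(comment):
        score += 1
        reasons.append("trending keyword combined with outbound link")
    return score, reasons


def add_ugc_rel(html: str) -> str:
    """Mark every user-supplied anchor rel="nofollow ugc" so it passes no search ranking."""
    return re.sub(r"<a\s+(?![^>]*\brel=)([^>]*)>", r'<a rel="nofollow ugc" \1>', html, flags=re.I)


def moderate(comment: str) -> Dict[str, object]:
    """Decide publish / hold / reject and return the link-neutralised HTML either way."""
    score, reasons = score_comment(comment)
    action = "reject" if score >= 4 else "hold" if score >= 2 else "publish"
    return {"action": action, "score": score, "reasons": reasons, "html": add_ugc_rel(comment)}


if __name__ == "__main__":
    for c in (SPAM_COMMENT, HAM_COMMENT):
        verdict = moderate(c)
        print(verdict["action"], verdict["score"], "; ".join(verdict["reasons"]))
```

Applying add_ugc_rel even to comments that pass review is the important part: it removes the ranking payoff that makes the spam worthwhile in the first place, independent of how good the scoring is.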
 
How to avoid COVID-19 scams
Unfortunately, cybercriminals treat the widely publicized coronavirus threat as an opportunity to steal users’ sensitive information and promote malware. Therefore, if you receive an email claiming to be from the World Health Organization (WHO) or a local healthcare institution, think twice before clicking on a link in it or opening the attached file. If the message tries to pressure you into accessing some web page or downloading a file urgently, this can be a telltale sign of a scam. 
 
Here is a round-up of the recommendations on this matter from the U.S. Federal Trade Commission (FTC):
 
● Don’t click on links from unknown sources.
● Treat emails claiming to be from the Centers for Disease Control and Prevention (CDC) with caution. To get the latest information about the coronavirus, visit the official CDC or WHO website instead.
● Don’t fall for ads offering vaccinations.
● Refrain from making donations in cash, via a wire transfer, or by gift card, especially if someone sends you an email asking for it.
● Exercise caution with questionable investment opportunities marketed on social media and through other online channels. This tip is particularly relevant if a product or service is purported to prevent or cure COVID-19.
 
As an extra layer of defense against malware distribution campaigns relying on the coronavirus panic, be sure to use reliable security software that can detect suspicious payloads and block them before they cause harm.
 
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. He runs Privacy-PC.com.
 