Hackers Continue to Exploit the COVID-19 Pandemic in Malicious Campaigns

hackercovid_1920x960-1024x512

As the Coronavirus (COVID-19) pandemic continues to spread throughout the world, a growing number of malicious campaigns were identified, attempting to exploit the constant search for information and updates on the virus, in order to spread various types of malware.

In this blog post we share our analysis of one of the major Coronavirus related malicious campaigns and provide an overview of other campaigns. In addition, for your convenience, you will find at the end of the post a list of IoCs to implement in your security systems.

The COVID-19 Interactive Map – The Malicious Version

Security researchers have identified Russian cybercriminals selling malicious versions of the highly popular interactive map of COVID-19 cases around the world, created by Johns Hopkins Coronavirus Resource Center. In fact, these versions include infostealer malware, intended on stealing information from its victims’ computers.

john-hopkins-map-1024x349

John Hopkins Coronavirus Resource Center

sales-offer-on-russian-dark-web-forum

Sales Offer of Malicious Map in Russian Dark Web Forum
Source: Verint LUMINAR

In addition, a new malicious domain was discovered, coronavirusapp[.]site, which is offering to download an Android app that tracks the spread of the virus and also includes statistical data. However, the application is actually poisoned with CovidLock, a ransomware that changes the password used to unlock the device, thus denying the victims access to their phones. The victims are required to pay a ransom fee of US$100 in Bitcoin, or else, according to the ransom note, their contacts, pictures, videos and device’s memory will all be erased.

coronavirus-app-site

The Coronavirusapp[.]site domain.
Source: Domain Tools

Attack Methods

Security researchers have also discovered a new backdoor distributed in RAR format. The file includes an executable masquerading as a Microsoft Word file with information on COVID-19, intended to install the rest of the malware on the victim’s computer. The researchers estimate that file is being distributed via phishing emails.

A new ransomware called CoronaVirus was recently identified while being distributed through a fake website of WiseCleaner, a service offering system utilities for Windows OS. Download files on this malicious site act as downloaders for both the CoronaVirus ransomware and a stealer called Kpot. Additional campaigns utilize phishing emails with malicious attachments that supposedly include information and updates on Coronavirus, but in fact download different malware to the victims’ computers, including a banking Trojan called TrickBot, a Stealer called LokiBot and a Stealer called FormBook.

State-Sponsored Threat Actors Are Also Involved

Security researchers have also identified state-sponsored threat actors exploiting the COVID-19 panic to promote their interests and carry out attack campaigns.

  • In early March 2020, researchers discovered a campaign launched by a Chinese APT group against targets in Vietnam.
  • Another Chinese APT group attacked targets in Mongolia’s government using malicious documents that supposedly contain new information on the virus.
  • An APT group originating from North Korea has sent phishing messages to South Korean officials that ostensibly included a document detailing the reaction of the country to the pandemic.
  • Russian APT Group had sent malicious files, seemingly including updates on Coronavirus, in order to distribute a backdoor malware to targets in Ukraine.

We see that cybercriminals and state-sponsored threat actors are using the panic resulting from the Coronavirus pandemic, for phishing purposes and malware distribution. As the virus continues to spread across the world, preoccupying the global agenda, it can be estimated we will witness more campaigns exploiting the crisis.

To read the detailed analysis click here

For a list of IOCs click here


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s