March 27, 2020 | By Aviv Mizrahi, Senior Analyst TSOC
Protection Against COVID-19 Malicious Campaigns and Malware
While the world is struggling to get a grip on the COVID-19 pandemic, cyber criminals and sophisticated adversaries are using it as an opportunity to lure victims with COVID-19 and coronavirus related baits. In the last couple of weeks we have seen a massive increase in pandemic related scams, phishing and malware campaigns.
Increasing Threat Landscape
Cyber criminals are taking advantage of COVID-19 fears and are engaging users with different tactics and techniques across multiple attack vectors, whether phishing email scams, fake domains or malware.
It has been observed that known malware families such as the TrickBot and Emotet Trojans are adding text from pandemic related news stories, in an attempt to bypass security software that uses artificial intelligence and machine learning to detect malware.
We are also seeing adversaries distribute malware by registering COVID-19 related domains. According to multiple reports, more than 6000 related scam and malware sites are being generated every week, hosting malware laced files, phishing attack vectors or content designed to trick users into paying for fake COVID-19 cures, resulting in financial fraud.
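As an added illustration of the themed-domain lures described above (example code written for this page, not TrustNet's tooling), the following Python flags requests to pandemic-themed hosts in constructed proxy log lines; the log format, keyword list and allowlist are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines: timestamp, user, method, URL, status.
SAMPLE_LOG = """\
2020-03-24T09:12:01Z alice GET https://www.example.com/news/index.html 200
2020-03-24T09:13:45Z bob GET http://covid19-tracker-app.example/download/tracker.apk 200
2020-03-24T09:14:10Z carol GET https://c0r0navirus-cure.example/pay 200
2020-03-24T09:15:30Z dave GET https://covid19.example-health.gov/guidance 200
2020-03-24T09:16:02Z erin GET http://who-corona-advice.example/attachment.doc 200
"""

# Lure themes seen in the campaigns discussed in this post (assumed list).
LURE_KEYWORDS = ("covid", "corona", "vaccine", "pandemic")

# Constructed allowlist of hosts whose pandemic-themed names are legitimate.
ALLOWLIST = {"example-health.gov"}

# Undo common digit-for-letter substitutions (c0vid, c0r0na) before matching.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s"})


def normalize_host(host: str) -> str:
    """Lowercase, reverse leetspeak digits and drop separators so that
    'covid-19-tracker' and 'c0vid19tracker' normalize to the same string."""
    return re.sub(r"[-_.]", "", host.lower().translate(_LEET))


def is_lure_domain(host: str, allowlist=ALLOWLIST) -> bool:
    """True if the host looks like a pandemic-themed lure and is not allowlisted."""
    host = host.lower()
    if any(host == a or host.endswith("." + a) for a in allowlist):
        return False
    norm = normalize_host(host)
    return any(keyword in norm for keyword in LURE_KEYWORDS)


def flag_lure_requests(log_text: str):
    """Return (user, host) pairs for requests to suspected lure domains."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname or ""
        if is_lure_domain(host):
            flagged.append((parts[1], host))
    return flagged
```

Matches are triage leads for the SOC, not verdicts: a hit means the user reached a pandemic-themed host that is not on the allowlist, and the request should be reviewed against threat intelligence before blocking.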
Although the geographic spread of potential targets is relatively wide according to McAfee's classification, this does not appear to be an organized attack targeted at any particular geography.
COVID-19 Malicious Campaigns and Attack Patterns
Adversaries are targeting individuals across all industries with treacherous campaigns and attack categories. Some of the most common campaigns include:
- Click here for a cure – In this campaign, messages are received from a person impersonating a doctor who claims to have insights into a vaccine that is being concealed by the UK and Chinese governments. Once the link is clicked, potential victims are taken to a spoofed webpage designed to harvest login details.
- COVID-19 tax refund – In this campaign, the attackers imitate government sites announcing new tax schemes, presenting the taxes as payments for National Insurance and the National Health Service. Once a victim clicks the link labelled “access your funds now”, they are taken to a bogus government web portal that persuades them to enter their financial and tax information.
- A little measure that saves – Adversaries in this scenario pretend to be WHO representatives, claiming that an attached document contains details on how the spread of the disease can be prevented. The attachment contains no useful advice and instead infects computers with the AgentTesla keylogger malware.
- APT36, a Pakistani state-sponsored threat actor, is running a spear phishing campaign using coronavirus themed baits to deploy the Crimson Remote Administration Tool (RAT) onto target systems.
- A fake real-time coronavirus tracking Android app called “COVID19 Tracker” has been identified that abuses user permissions to change the phone’s lock screen credentials and install the CovidLock ransomware.
Recommendations Against These Campaigns
We recommend the following measures to protect against such malicious campaigns and attack vectors.
- Secure remote access – Organizations must ensure that secure remote access technologies are deployed across the environment, with multi-factor authentication, so that employees can conduct business remotely in a secure fashion.
- Use of unauthorized devices – During such times it is recommended to avoid using unauthorized personal devices for work. Where personal devices must be used for official purposes, it is highly recommended to maintain the same level of security hardening as on organization managed assets. Employees also need to consider the privacy implications of connecting personal devices to the corporate network.
- Stay alert to emails and files received from unknown senders. Recipients of suspicious emails are encouraged to verify the ostensible sender via an alternate, secure communication channel, and not to use the contact information provided in the message itself.
- Awareness – Educate users on current threats, the dangers of opening attachments or clicking links from untrusted sources, and the basic actions needed to prevent infection.
- Secure VPN access – For users connecting via VPN, there may be no assurance that they are connecting from a secure environment. Organizations may therefore want to enforce that certain assets are accessible only via the VPN.
- Secure cloud collaboration – Many organizations use cloud-based services such as Microsoft Teams and WebEx to collaborate internally and externally (with brokers, third parties, etc.). It is therefore recommended that corporate DLP policies are applied to these cloud-native applications.
We believe with high confidence that COVID-19 is becoming a significant social engineering theme, and that threat actors are registering and using COVID-19 related domains to facilitate credential theft, fraud and malware attacks. It is therefore critical to follow the above recommendations, which provide ways to manage these risks across all industries and help organizations keep business running normally during the pandemic.
Stay Safe with TrustNet!