How the fraudsters of Runet reacted to coronavirus

After a note on the forms that coronavirus-related cyberthreats take, I decided to look at how the Russian Internet responded to the pandemic and what is happening with cyberthreats in our country, namely phishing and fraudulent sites.

image

As a starting point I used our DNS monitoring and protection service, Cisco Umbrella, which processes more than 150 billion DNS queries per day and analyzes them for malicious activity. Using the Cisco Umbrella Investigate tool, the first thing I decided to check was how actively domains containing the keywords “covid” and “coronavirus” are being created. Over the past 7 days the following appeared:

- 257 domains with “coronavirus”, of which 170 we classified as malicious

image

- 271 domains with “covid”, of which 121 we classified as malicious

image

- 349 domains with “mask” (and their number is constantly growing), of which only 9 are classified as malicious and 1 as phishing.

image

The classification of malicious domains is still preliminary, since many domains have only been registered and are not yet in use by cybercriminals.

image

Take for example the covid19-russia[.]ru domain and try to conduct a blitz investigation on it:

image

The domain was registered on March 17. In this particular case that is unsurprising and should not by itself raise suspicion, unlike other cases where the domain's creation date is a very important indicator for detecting malicious activity. For a coronavirus pandemic, one could hardly expect anything to have been known about it last year or earlier, so domains dedicated to the coronavirus have only begun to appear now.

image

Let's look at the IP address this domain is hosted on. As we can see, it also shelters a number of other domains, some of which are associated with the current pandemic:

image

The same address is also associated with a number of malicious programs, which either are distributed from this IP address or from the sites hosted on it, or use the address as a kill switch, or use it as a command-and-control server that sends commands to and receives responses from victims infected with the malicious code. First in the list of malicious samples associated with this IP we see Emotet, already mentioned in the previous article:

image

Judging by the analysis of its network interaction, this sample is also used in other campaigns:

image

If you use another Cisco service, the Cisco Threat Grid sandbox, you can obtain more detailed information on this sample, for example a detailed list of the behavioral indicators that were triggered in this case:

image

Analyzing the processes launched as part of Emotet's work on the victim's computer:

image

we see that in this case it was an MS Word document, received or downloaded by the victim while interacting with the IP address and domain we are examining:

image

If necessary, we can map the identified indicators to the MITRE ATT&CK matrix, which many SOCs use as part of their work:

image

But let's return to the IP address we are interested in, which hosts several domains exploiting the coronavirus theme. This address is located in autonomous system AS198610, which is also associated with other malicious activity, for example the online COVID-19 distribution map coronavirusmaponline[.]com:

image

which was created on March 23, 2020:

image

and on whose website malicious code appeared on April 1. Perhaps this was deliberate, or perhaps the site was simply hacked and malware placed on it; that requires a separate investigation.

image

I did not analyze all the hundreds of sites created in the last week (within a month their number had already exceeded one thousand), but the picture is similar across them. Most of the sites whose names contain the words “covid” or “coronavirus” are malicious: under the guise of news about the pandemic, the real number of cases, or ways to combat COVID-19, they spread malicious code and infect users with quite “familiar” malware families.

Unsurprisingly, behind the big names there is usually nothing. Often it is a hastily created WordPress site, for example coronavirus19-pandemia[.]ru:

image

At the same time, running such sites through Cisco Threat Grid reveals various anomalies that may be characteristic of malicious code (although it may also be the sloppy work of programmers who “quickly” assembled the site from whatever was at hand). I did not conduct a deeper analysis of each site for lack of time. But recalling the last post, where I mentioned the malicious WordPress plugin, as well as the common practice of hacking WordPress sites and spreading malicious code through them, I can assume that over time this site will show its true face.

image

Another interesting observation I made concerns a certain commonality among the created domains. Take, for example, the time when we first noticed them: for some reason, many of them came into our view at the same time.

image

They are also often located in the same autonomous system. Take three domains: the previously mentioned coronavirus19-pandemia[.]ru, maskacoronavirus[.]ru and mask-3m[.]ru. For some reason all three are located in AS 197695, and several of them are marked by Cisco Umbrella as malicious with the maximum negative rating of 100. The mask-3m[.]ru domain itself has a non-dangerous rating (28 at the time of writing), but it is hosted on the IP address 31[.]31[.]196[.]138, which is on our blacklist and is associated with various malicious activity:

image

By the way, autonomous system AS 197695 has become a haven for many malicious resources. For example, it hosts the phishing site telegramm1[.]ru:

image

as well as awitoo[.]ru, which not only looks like a phishing site but also spreads malicious code. Here is how Cisco Threat Response displays the links between this domain and various artifacts:

image

Phishing domains impersonating the Voice 1 project, the Facebook social network, the Amazon online store, the iCloud service and other Apple projects, the Ochkarik optical store chain, and many others are also located there.

The topic of sites collecting money to fight the coronavirus has not been neglected either. For example, here is a coronavirus fund collecting such donations (you just need to transfer money to a card):

image

A similar picture is seen with the covid-money[.]ru site, which teaches how to make money on COVID-19. To do this, you leave an application and a manager contacts you to share the secrets of earning. True, both of these sites, the Ukrainian and the Russian one, “hang” on the same IP, with which we found associated malicious code:

image

By a strange coincidence, a domain supposedly belonging to Cisco was also attached to it:

image

By the way, such “breeding grounds” of cyber-coronavirus, where several malicious resources sit at the same address or within a single autonomous system, are quite numerous. For example, on IP 88[.]212[.]232[.]188 several dozen domains “hang” at once which, judging by their names, target specific Russian cities: Yekaterinburg, Saratov, Irkutsk, Kazan, Belgorod, Khabarovsk and so on.

image

Now I would like to return to the domain with which I started this article. It “hangs” on the IP address 87[.]236[.]16[.]164, with which, in addition to dozens of other domains, a domain with an interesting name is associated: antivirus.ru[.]com. When Cisco Threat Response flagged it as suspicious during the investigation, I first thought the site on this domain distributed antiviruses, by analogy with the story I told last time (a software antivirus that fights the real COVID-19).

image

But no. It turned out to be the site of an online store created on March 6. I got the impression that its creators took a ready-made engine for a women's clothing store as the basis and simply added “hot” goods related to the coronavirus: medical masks, antiseptics, hand gels and gloves.

image

But either the developers didn't get around to it or didn't want to, and now it is impossible to buy anything on the site: the purchase links lead nowhere. Apart from advertising one very specific antimicrobial agent, and the suspicious activity observed on the site itself while it runs, the site has nothing useful. Nobody visits it either; its visitor count is in single digits. But as the following example will show, if you start digging into this domain, it can lead to the branched infrastructure used by cybercriminals.

image

The situation with domains whose names mention the word “mask” continues to develop rapidly. Some domains are created specifically for subsequent sale. Some have only been created but are not yet in use. Some are obviously phishing or directly spread malicious code. Some resources simply parasitize on the pandemic topic and sell respirators and medical masks, which until recently cost 3-5 rubles apiece, at exorbitant prices. And very often all these domains are interconnected, as shown above. Someone creates and manages this kind of infrastructure of malicious domains exploiting the coronavirus theme.

It should be noted that a similar situation is observed not only in Runet. Take the domain mygoodmask[.]com, which was created on February 27 and, judging by the distribution of requests to it, was popular with audiences in the United States, Singapore and China. It also sold medical masks. On its own this site raised no suspicions, and entering its address in Cisco Threat Response we see nothing interesting:

image

But not stopping there, we go further and find that when we try to access mygoodmask[.]com (note that the behavioral indicators in this case are similar to the previous one):

image

we are redirected to greatmasks[.]com, which resolves to two IP addresses, 37[.]72[.]184[.]5 and 196[.]196[.]3[.]246; the latter is malicious and has hosted many malicious sites over the past few years. The first IP address hosts several domains related to the sale of medical masks: safetysmask[.]com, flumaskstore[.]com, maskhealthy[.]com, etc. (more than a dozen in total).

image

We can display the same information, presented differently, using Cisco Threat Response, a free incident investigation solution to which I have already devoted several articles on Habr:

image

A blitz analysis of the past week's data using Cisco Umbrella Investigate shows that we still have a clear “leader” that accounts for almost 80% of all malicious resources associated with the coronavirus pandemic: autonomous system AS 197695:

image
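The investigation steps above (hunting young domains by keyword, pivoting from a domain to its IP neighbours, inheriting risk from a blacklisted hosting address as with mask-3m[.]ru, and measuring which autonomous system concentrates the malicious records) can be expressed as a small, reproducible script. This is an added example, not the article's code nor a Cisco API; the record set is constructed, reusing the domains, IPs, ASNs and dates the article mentions and inventing the remaining dates, scores and the last record.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Keywords the article hunts for in newly created domain names.
KEYWORDS = ("covid", "coronavirus", "mask")
AS_OF = date(2020, 4, 1)  # the night the article's blitz investigation was run

@dataclass
class DomainRecord:
    domain: str
    ip: str        # hosting address the domain resolves to
    asn: str       # autonomous system of that address
    created: date  # registration date
    score: int     # risk rating, 100 = maximum negative (Umbrella-style scale, constructed)

# Constructed sample: article values reused where the text gives them; the rest is made up.
RECORDS = [
    DomainRecord("covid19-russia.ru", "87.236.16.164", "AS198610", date(2020, 3, 17), 100),
    DomainRecord("antivirus.ru.com", "87.236.16.164", "AS198610", date(2020, 3, 6), 60),
    DomainRecord("coronavirus19-pandemia.ru", "31.31.196.138", "AS197695", date(2020, 3, 25), 100),
    DomainRecord("maskacoronavirus.ru", "31.31.196.138", "AS197695", date(2020, 3, 26), 100),
    DomainRecord("mask-3m.ru", "31.31.196.138", "AS197695", date(2020, 3, 27), 28),
    DomainRecord("telegramm1.ru", "31.31.196.10", "AS197695", date(2019, 11, 2), 100),
    DomainRecord("oldnews.example", "203.0.113.7", "AS64496", date(2015, 5, 1), 0),
]

def new_keyword_domains(records, today, max_age_days=30):
    """Step 1: domains carrying a pandemic keyword that are also young (age is the indicator)."""
    return [r.domain for r in records
            if any(k in r.domain for k in KEYWORDS) and (today - r.created).days <= max_age_days]

def pivot_shared_ip(records, seed):
    """Step 2: from a seed domain, list every other domain on the same hosting address."""
    seed_ips = {r.ip for r in records if r.domain == seed}
    return sorted(r.domain for r in records if r.ip in seed_ips and r.domain != seed)

def inherited_risk(records, blacklisted_ips, clean_below=50):
    """Step 3: domains that score clean on their own but sit on a blacklisted IP (the mask-3m case)."""
    return sorted(r.domain for r in records if r.score < clean_below and r.ip in blacklisted_ips)

def malicious_share_by_asn(records, malicious_at=100):
    """Step 4: share of malicious records per autonomous system (the 'clear leader' check)."""
    bad = [r for r in records if r.score >= malicious_at]
    counts = Counter(r.asn for r in bad)
    return {asn: n / len(bad) for asn, n in counts.items()}

if __name__ == "__main__":
    print(new_keyword_domains(RECORDS, AS_OF))
    print(pivot_shared_ip(RECORDS, "covid19-russia.ru"))
    print(inherited_risk(RECORDS, {"31.31.196.138"}))
    print(malicious_share_by_asn(RECORDS))
```

Replacing RECORDS with a real passive-DNS or Umbrella Investigate export (one record per domain with its resolved IP, ASN, creation date and score) turns the same four functions into a daily check.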

In addition to all the examples described above, it in fact serves not only the COVID-19 topic but many others, which suggests that the attackers have no particular preference for the current pandemic. They simply took advantage of a newsworthy occasion and, riding its wave, spread malicious code, lure users to phishing sites and otherwise harm ordinary Runet users.

image

When the hype around the pandemic subsides, the same infrastructure will be used to push other topics. For example, the infrastructure whose investigation began with the site mygoodmask[.]com only recently started “promoting” medical masks; before that it had been distributing phishing mailings about sports events and fashion accessories, including sunglasses and bags, etc. In this, our cybercriminals are not much different from their foreign colleagues.

image

So the conclusion from this blitz investigation, which I conducted on the night of April 1, is simple: fraudsters use any pretext for their activity, even a virus like COVID-19 with its high mortality rate. Therefore, in no case should you relax and assume that the online pandemic map site you visit, the newsletter offering to buy a respirator, or even the social network link leading to a videoconferencing site is safe by default. Vigilance is what helps us increase our security when surfing the Internet. And the Cisco solutions described in this article (Cisco Umbrella Investigate, Cisco Threat Grid, Cisco Threat Response) help specialists conduct investigations and identify the described cyberthreats in a timely manner.

PS As for the topic that came up the other day about the mass creation of fake sites related to the Zoom online meeting system, I have not yet found such resources in Runet, which cannot be said of the rest of the Internet, where many such domains have been created.
