Cyber attacks using COVID-19



The COVID-19 coronavirus pandemic is being used as a lure in malicious campaigns built on social engineering: spam, malware, ransomware and malicious domains. As the number of infections grows by the thousands, the corresponding malicious campaigns are gaining momentum too, and researchers keep finding new examples of coronavirus-themed attacks.


Coronavirus spam

PandaLabs experts have observed coronavirus-themed spam being sent and received almost worldwide, including in countries such as the USA, Japan, Russia and China. Many of these emails, which are made to look as if they come from official organisations, claim to contain updated information and recommendations about the pandemic. Like most spam campaigns, they carry malicious attachments.

One example is spam with the subject line "Corona Virus Latest Updates", purportedly sent by the Ministry of Health. The email offers advice on how to prevent infection and carries an attachment that supposedly contains updated information about COVID-19. In fact, the attachment is malware.



Other coronavirus spam messages concern food supplies disrupted by the spread of the infection.



The following Italian spam sample claims to contain important information about the coronavirus:



This Portuguese email promises new information about a proposed vaccine against COVID-19.



There have also been cases where anti-coronavirus drugs are mentioned in the subject line to entice recipients into downloading the malicious attachment. In some of these cases the attachment is HawkEye Reborn, a variant of the information-stealing HawkEye Trojan.



Indicators of compromise for the malicious attachments

SHA-256
b9e5849d3ad904d0a8532a886bd3630c4eec3a6faf0cc68658f5ee4a5e803be

The indicators of compromise in this case are:

SHA-256
6cc5e1e72411c4f4b2033ddafe61fdb567cb0e17ba7a3247acd60cbd4bc57bfb
7c12951672fb903f520136d191f3537bc74f832c5fc573909df4c7fa85c15105

Another spam campaign targeted users in Italy, a country hit hard by the pandemic. The subject and body of the emails read "Coronavirus: important information on precautions". The body claims that the attachment is a document from the World Health Organization (WHO) and strongly recommends downloading it. The attached Microsoft Word document contains a Trojan.

When the user opens the document, the following message is displayed, urging the user to enable macros:

Indicators of compromise (IoC)

SHA-256
dd6cf8e8a31f67101f974151333be2f0d674e170edd624ef9b850e3ee8698fa2






Malware and ransomware associated with the coronavirus

The PandaLabs 100% Classification service was able to identify and block the following malicious executable files associated with these campaigns (SHA-256):

CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm
ab533d6ca0c2be8860a0f7fbfc7820ffd595edc63e540ff4c5991808da6a257d
17161e0ab3907f637c2202a384de67fca49171c79b1b24db7c78a4680637e3d5
315e297ac510f3f2a60176f9c12fcf92681bbad758135767ba805cdea830b9ee

CoronaVirusSafetyMeasures_pdf.exe
c9c0180eba2a712f1aba1303b90cbf12c1117451ce13b68715931abc437b10cd
29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923

LIST OF CORONA VIRUS
e6e381cacc7291e501f4eed57bfd23f40d4a0d0fe1eea58fa1c71308431b5c2c
3e6166a6961bc7c23d316ea9bca87d8287a4044865c3e73064054e805ef5ca1a

VICTIM.exe
b78a3d21325d3db7470fbf1a6d254e23d349531fca4d7f458b33ca93c91e61cd

Other researchers have seen cybercriminals abusing online coronavirus tracking maps, cloning them as fake websites that download and install malware. The hashes of the malicious applications are listed below:



2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307
0b3e7faa3ad28853bb2b2ef188b310a67663a96544076cd71c32ac088f9af74d
13c0165703482dd521e1c1185838a6a12ed5e980e7951a130444cf2feed1102e
fda64c0ac9be3d10c28035d12ac0f63d85bb0733e78fe634a51474c83d0a0df8
126569286f8a4caeeaba372c0bdba93a9b0639beaad9c250b8223f8ecc1e8040

A new version of the CoronaVirus ransomware was distributed through a fake website for a system optimisation utility. Victims unknowingly downloaded the file WSGSetup.exe from this site; the file then acted as a downloader for two pieces of malware: the CoronaVirus ransomware and the Kpot password-stealing Trojan.

This campaign is part of a recent trend among ransomware operators: combining data encryption with information theft.

In addition, another piece of ransomware, CovidLock, has been seen targeting mobile users. It is delivered by a malicious Android application that supposedly helps track COVID-19 infections.

The ransomware locks the victim's phone and gives them 48 hours to pay a ransom of $100 in bitcoin to regain access to the device. Otherwise, the attackers threaten to wipe all data from the phone and steal the victim's social-media account credentials.

Coronavirus Related Domains



In addition, the number of domain names containing the word "corona" has increased markedly. The following malicious domains are listed below (defanged):

  • acccorona[.]com
  • alphacoronavirusvaccine[.]com
  • anticoronaproducts[.]com
  • beatingcorona[.]com
  • beatingcoronavirus[.]com
  • bestcorona[.]com
  • betacoronavirusvaccine[.]com
  • buycoronavirusfacemasks[.]com
  • byebyecoronavirus[.]com
  • cdc-coronavirus[.]com
  • combatcorona[.]com
  • contra-coronavirus[.]com
  • corona-blindado[.]com
  • corona-crisis[.]com
  • corona-emergencia[.]com
  • corona explicada[.]com
  • corona-iran[.]com
  • corona-ratgeber[.]com
  • coronadatabase[.]com
  • coronadeathpool[.]com
  • coronadetect[.]com
  • coronadetection[.]com

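The hashes and domains above are only useful once they are turned into something a resolver log or a file inventory can be checked against. The following script is an added example, not PandaLabs' tooling: it refangs the " [.] " notation, validates the hashes by length (the first SHA-256 printed on this page is only 63 hex characters long as printed and is therefore rejected rather than silently matched), and runs a handful of the page's own indicators over constructed DNS log lines and a constructed file inventory. The log format, client addresses and file paths are assumptions made for the example; the benign control hash is the SHA-256 of an empty file.

```python
import re

# Domains as printed on the page, defanged with " [.] " (three of the page's list).
DEFANGED_DOMAINS = [
    "acccorona [.] com",
    "cdc-coronavirus [.] com",
    "coronadetect [.] com",
]

# SHA-256 values as printed on the page. The first is only 63 hex characters
# long as printed, so it cannot be a valid SHA-256 and is rejected below.
PAGE_SHA256 = [
    "b9e5849d3ad904d0a8532a886bd3630c4eec3a6faf0cc68658f5ee4a5e803be",
    "6cc5e1e72411c4f4b2033ddafe61fdb567cb0e17ba7a3247acd60cbd4bc57bfb",
    "dd6cf8e8a31f67101f974151333be2f0d674e170edd624ef9b850e3ee8698fa2",
]

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(indicator: str) -> str:
    """Turn a defanged domain ('evil [.] com', 'hxxp://evil[.]com/') into a hostname."""
    d = indicator.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)            # drop a defanged scheme
    d = re.sub(r"\s*[\[(]\.[\])]\s*", ".", d)   # ' [.] ' or '(.)' -> '.'
    return d.split("/", 1)[0].rstrip(".")


def normalize_hashes(values):
    """Split hashes into {hash: type} for well-formed ones and a list of rejects."""
    valid, rejected = {}, []
    for v in values:
        h = v.strip().lower()
        if re.fullmatch(r"[0-9a-f]+", h) and len(h) in HASH_TYPES:
            valid[h] = HASH_TYPES[len(h)]
        else:
            rejected.append(v)
    return valid, rejected


def domain_hit(hostname: str, blocklist: set) -> bool:
    """True if the host or any parent domain (but never the bare TLD) is listed."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


BLOCKLIST = {refang(d) for d in DEFANGED_DOMAINS}
VALID_HASHES, REJECTED_HASHES = normalize_hashes(PAGE_SHA256)

# Constructed DNS resolver log lines, not real telemetry. The last line is a
# look-alike that must NOT match: the listed domain is not a suffix of it.
DNS_LOG = """\
2020-03-16T10:01:02Z client=10.0.0.5 query=www.acccorona.com type=A
2020-03-16T10:01:07Z client=10.0.0.9 query=who.int type=A
2020-03-16T10:02:11Z client=10.0.0.5 query=cdc-coronavirus.com. type=A
2020-03-16T10:02:40Z client=10.0.0.7 query=coronadetect.com.evil.example type=A
""".splitlines()

# Constructed file inventory: path -> SHA-256 (case as a tool might emit it).
# The .doc hash is the page's second IoC; the .txt hash is SHA-256 of an empty file.
FILE_HASHES = {
    r"C:\Users\user\Downloads\WHO_precautions.doc":
        "6CC5E1E72411C4F4B2033DDAFE61FDB567CB0E17BA7A3247ACD60CBD4BC57BFB",
    r"C:\Users\user\Downloads\notes.txt":
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def scan_dns(lines, blocklist=BLOCKLIST):
    """Return (client, queried name) for every query that hits the blocklist."""
    hits = []
    for line in lines:
        m = re.search(r"client=(\S+)\s+query=(\S+)", line)
        if m and domain_hit(m.group(2), blocklist):
            hits.append((m.group(1), m.group(2).rstrip(".")))
    return hits


def scan_hashes(file_hashes, known=VALID_HASHES):
    """Return (path, hash type) for files whose hash is a known IoC."""
    return [(p, known[h.lower()]) for p, h in file_hashes.items() if h.lower() in known]


if __name__ == "__main__":
    print("rejected IoCs:", REJECTED_HASHES)
    print("DNS hits:", scan_dns(DNS_LOG))
    print("file hits:", scan_hashes(FILE_HASHES))
```

Matching is done on domain suffixes rather than substrings, so `coronadetect.com.evil.example` is not flagged even though it contains a listed name, and hash comparison is case-insensitive because different tools emit hex in different cases.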

How these attacks work

All of these attacks rely on infection vectors that can be considered "traditional", and all of them can be closed by conventional endpoint protection. PandaLabs uses the following mechanisms to detect and block these threats:

• A 100% Classification service, which classifies every binary and only allows those verified by a cloud-based, machine-learning-backed system to run
• EDR technologies, in particular the behaviour- and context-based Indicators of Attack (IoA) detection system.

From what we have seen, the most common attack pattern is spam email built on social engineering. Such emails carry a dropper that writes the payload binary to:

C:\Users\user\AppData\Local\Temp\qeSw.exe
MD5: 258ED03A6E4D9012F8102C635A5E3DCD

Panda solutions detect the dropper as Trj/GdSda.A. The dropped binary encrypts the computer and deletes its volume shadow copies, spawning vssadmin.exe (the shadow-copy management tool) and conhost.exe in the process.

Official sources of IoC

The Spanish National Cryptologic Centre (CCN) maintains an exhaustive list of indicators of compromise (IoC) at the level of hashes, IP addresses and domains: www.ccn.cni.es/index.php/en .






Information is available here:
loreto.ccn-cert.cni.es/index.php/s/oDcNr5Jqqpd5cjn

How to protect yourself from these and other cyber threats

Thanks to the 100% Classification service, which classifies every binary before it runs and blocks the execution of any malicious one, endpoint protection solutions with advanced protection capabilities are highly effective at stopping malicious campaigns like these and many others.

The service uses a highly efficient mechanism to detect and remove malware and ransomware before they execute, regardless of whether they are new variants of known threats or come from new malicious domains, as is the case with the COVID-19-themed malware.

Behavioural and contextual Indicators of Attack (IoA) detect and block unusual patterns of behaviour on protected devices, for example an executable being launched from a Word document, or an attempt to reach unknown or malicious URLs. Any attempt to compromise the device is blocked immediately, stopping the malicious action and the connection to the malicious domain.
