How cybercriminals use the coronavirus pandemic for their own purposes

High-profile events have always been a convenient occasion for fraudulent campaigns, and in that sense the coronavirus pandemic is no exception. There is one difference, however: the universal fear of infection has turned the name of the disease into a powerful lever for increasing the effectiveness of attacks. We have collected statistics on COVID-19-related incidents, and in this post we share the most interesting episodes.

image

According to our monitoring, in the first quarter of 2020 spam e-mails were the main vector of coronavirus-related cyberattacks. The number of such e-mails grew 220-fold from February to March:

image
The number of spam e-mails related to COVID-19

Another malicious channel in COVID campaigns was malware sites. During the first quarter we registered about 50 thousand malicious URLs containing the name of the disease. From February to March the number of such sites grew by 260%:

image
The number of malicious URLs associated with COVID-19

Malware developers were no less active. In the first quarter we identified more than 700 COVID-themed malware samples:

image
Number of malware samples related to COVID-19

The largest number of attacks fell on the United States, but other countries affected by the virus were targeted as well.

Let's consider each of these categories in more detail. We start with malware, because here we ran into a rather curious phenomenon: some ransomware operators displayed a sense of civic duty and announced that they would not attack medical institutions during the pandemic.

Malware


The opportunity to profit from a hot topic brought many veterans back to life. For example, a COVID-branded version of the Zeus Sphinx banking Trojan appeared, distributed as a password-protected Microsoft Word document named "COVID 19 relief".

image
If the user opened the attachment, entered the password and enabled macros, Zeus Sphinx was installed on the computer. Source (hereinafter, unless otherwise indicated): Trend Micro

The operators of the AZORult infostealer took a more original approach: they cloned the Johns Hopkins University coronavirus case map at the domain Corona-Virus-Map.com (since taken down). To get "more up-to-date information", visitors were invited to download an application to their computer.

image
Visitors who accepted the fake outbreak-map site's offer to install additional software received AZORult on their device

Ransomware operators split into two camps: some announced that they would not attack hospitals and other medical facilities during the pandemic, while the rest continued their malicious activity without any restrictions.
The CLOP, DoppelPaymer, Maze and Nefilim ransomware operators signed up for the Noble Pirates club, while Netwalker said that they do not specifically target hospitals, but if a hospital does find its files encrypted, it will have to pay the ransom.
The operators of Ryuk and other ransomware made no statements and simply carried on attacking.

image
Users confirm Ryuk's continued operation despite the pandemic

The CovidLock mobile ransomware is distributed from its own website as an APK file, which lets it avoid being blocked by the official app stores.

image
To create the illusion of reliability and quality, the CovidLock authors used rating images copied from Google Play, as well as the logos of the WHO and the Centers for Disease Control and Prevention (CDC).

The malware authors claim that the application tracks coronavirus outbreaks in real time "on your street, in your city and in your state" in more than 100 countries.

The authors of the Oski infostealer chose an unusual distribution channel:
• they scanned the Internet for vulnerable D-Link and Linksys home routers,
• exploited the vulnerabilities to reach the routers' administration interface, and changed the DNS server settings to servers of their own:

image
When a user on such a router typed any address into the browser, they were redirected to a scam site that, in the name of the WHO, suggested downloading and installing a "COVID-19 Inform" application. Users who installed the "informer" received the Oski infostealer instead. Note that because the substitution happens at the DNS level, every device that takes its resolver settings from the hijacked router is affected, and the address bar still shows whatever the user typed.

Mailing lists


The authors of many mailings intimidate and even threaten recipients to force them to open the attachment and follow further instructions.
Canadian citizens received a mailing from a certain Maria, supposedly an employee of a medical center. In the letter Maria said that, according to information received, the recipient had been in contact with a coronavirus patient and therefore had to fill out the attached form as soon as possible and contact the nearest hospital for testing:

image
When the frightened victim opened the attachment, they were asked to allow macros to run, after which an infostealer was installed on the computer; it collected stored credentials, bank card details and cryptocurrency wallet data and sent them to the attackers

Italy, one of the countries hardest hit by the virus, was also heavily targeted by attackers: we recorded more than 6,000 pandemic-themed mailings there.
For example, in one of these campaigns letters were sent in Italian in which the sender, writing on behalf of the World Health Organization, urged the recipient to immediately read the coronavirus precautions in the attached document:

image
Opening the document produced a request to enable macros, and if the victim granted it, a Trojan was installed on the computer

Many mailings concerned deliveries delayed or postponed because of the outbreak. For example, one such letter, allegedly sent from Japan, reported a delivery delay and invited the recipient to review the revised schedule in the attachment:

image
Opening the attachment extracted from the archive installed malware on the computer
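All three mailings above rely on the same mechanic: an Office attachment that only does damage once the recipient enables macros (the Zeus Sphinx "COVID 19 relief" document adds a password on top, which also defeats mail-gateway inspection). The following is an added example, not Trend Micro's code, of a mail-gateway triage check: an Office Open XML file is a ZIP container, so the presence of a VBA project can be read straight from the archive, while a legacy or password-protected document arrives as an OLE compound file that cannot be inspected without the password. The sample attachments are constructed in memory for the demonstration and are not the real lures.

```python
"""Triage e-mail attachments for embedded VBA macros.

Added example (not Trend Micro's code). Only the standard library is used.
Verdicts:
  ooxml-macro     ZIP-based Office file carrying a VBA project
  ooxml-no-macro  ZIP-based Office file without a VBA project
  ole-container   legacy .doc/.xls OR a password-protected OOXML file
                  (Office wraps encrypted documents in an OLE container)
  other           not an Office document
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = b"macroEnabled"              # appears in [Content_Types].xml


def classify_attachment(data: bytes) -> str:
    """Return the verdict for one attachment's raw bytes."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format or an encrypted OOXML package: the macro check
        # needs the password (or a sandbox), so escalate instead of passing it.
        return "ole-container"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if any(part in names for part in VBA_PARTS):
                return "ooxml-macro"
            # A renamed vbaProject part still has to be declared in the
            # content types for Office to load it, so check those too.
            if "[Content_Types].xml" in names and \
                    MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                return "ooxml-macro"
    except zipfile.BadZipFile:
        return "other"
    return "ooxml-no-macro"


def _build_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed .docm/.docx container for the demo."""
    if with_macro:
        main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_ct = ("application/vnd.openxmlformats-officedocument"
                   ".wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
        'package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    )
    if with_macro:
        content_types += ('<Override PartName="/word/vbaProject.bin" '
                          'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)  # placeholder bytes
    return buf.getvalue()


# Constructed samples standing in for the lures described in the text.
SAMPLES = {
    "covid_precautions.docm": _build_ooxml(with_macro=True),
    "delivery_schedule.docx": _build_ooxml(with_macro=False),
    "COVID 19 relief.doc": OLE_MAGIC + b"\x00" * 64,   # password-protected / legacy
    "schedule.exe": b"MZ" + b"\x00" * 64,
}


def triage(samples=SAMPLES) -> dict:
    """Map each attachment name to its verdict."""
    return {name: classify_attachment(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:26} {verdict}")
```

The "ole-container" verdict is deliberately not a pass: a password-protected attachment whose password is given in the e-mail body is itself a signal, and it is exactly the form the "COVID 19 relief" lure took.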

Fraud Sites


Cybercriminals not only massively registered domains associated with the pandemic, but also actively used them for fraudulent activities.
For example, the frankly absurd site antivirus-covid19.site offered to download and install a "Corona Antivirus" application on your computer for protection against infection.
The authors did not explain how the "antivirus" was supposed to work, and those who for some reason downloaded and installed the program anyway received an unpleasant surprise in the form of the BlackNET RAT backdoor.

image
Owners of other sites offered visitors a free coronavirus vaccine, payable only for delivery at $4.95

The site coronaviruscovid19-information[.]com/en invited visitors to download a mobile application for "preparing a cure for coronavirus". The application was a banking Trojan that steals bank card data and online banking credentials.
The site uk-covid-19-relieve[.]com imitated the design of UK government sites and, under the guise of paying out aid to victims of the pandemic, collected personal data and bank card details.

Associated threats


The authors of many campaigns do not mention the coronavirus at all, yet successfully exploit the situation created by the pandemic. This category includes, for example, an SMS campaign demanding payment of a fine for violating the self-isolation regime:

image
The authors of the message are counting on some recipients actually having violated the regime and readily complying with the demand.

The quarantine introduced almost everywhere moved a great many people to remote work, which produced explosive growth in the popularity of video conferencing applications, and cyber fraudsters were quick to take advantage. For example, since the start of the COVID-19 pandemic more than 1,700 malicious Zoom-themed domains have been registered.

image
Some of these sites offered to install a client for the popular service, but instead victims received the InstallCore malware, which the attackers used to download additional sets of malicious utilities onto their computers.
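The fraud sites in the previous section and the Zoom-themed domains here share the same traits: a pandemic keyword or a well-known brand in the hostname, a domain that is not the brand's real one, and often a cheap TLD or a long hyphenated name. The following is an added example, not Trend Micro's code, of a small URL triage helper that scores a hostname on those traits. The keyword list, the brand-to-legitimate-domain table, the "cheap TLD" list and the defanged-IOC handling are assumptions made for the demonstration; the sample URLs mix the domains quoted in this post with constructed ones.

```python
"""Score URLs for pandemic-themed lure patterns.

Added example (not Trend Micro's code). Heuristic only: a non-zero score
means "review or block", it is not proof of malice.
"""
import re
from urllib.parse import urlsplit

# Assumed lists for the demonstration; tune them for your environment.
PANDEMIC_WORDS = ("coronavirus", "corona", "covid", "vaccine", "quarantine", "relief")
BRANDS = {                         # brand token -> legitimate registrable domains
    "zoom": {"zoom.us"},
    "who": {"who.int"},
    "cdc": {"cdc.gov"},
    "netflix": {"netflix.com"},
}
ALLOWLIST = frozenset(d for domains in BRANDS.values() for d in domains)
CHEAP_TLDS = {"site", "xyz", "top", "tk", "ml", "ga", "cf"}
TWO_LEVEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "com.au"}


def refang(url: str) -> str:
    """Turn defanged IOC notation ('hxxp', '[.]', stray spaces) back into a URL."""
    url = re.sub(r"\s+", "", url)
    url = url.replace("[.]", ".")
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: handles a few two-level suffixes, good enough for triage."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def score_url(url: str, allowlist=ALLOWLIST):
    """Return (score, reasons) for one URL or bare domain."""
    cleaned = refang(url)
    if "://" not in cleaned:
        cleaned = "http://" + cleaned          # bare domain, scheme unknown
    host = (urlsplit(cleaned).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in allowlist:
        return 0, ["allowlisted domain"]

    reasons = []
    hit = next((w for w in PANDEMIC_WORDS if w in host), None)
    if hit:
        reasons.append(f"pandemic keyword '{hit}' in hostname")
    tokens = set(re.split(r"[.\-_]", host))
    for brand, legit in BRANDS.items():
        if brand in tokens:
            reasons.append(f"brand '{brand}' used outside {sorted(legit)}")
    if domain.rsplit(".", 1)[-1] in CHEAP_TLDS:
        reasons.append("cheap or free TLD")
    if host.count("-") >= 2:
        reasons.append("long hyphenated hostname")
    return len(reasons), reasons


# Domains quoted in the post plus constructed lookalikes and legitimate controls.
SAMPLES = [
    "antivirus-covid19.site",
    "coronaviruscovid19-information [.] Com / en",
    "uk-covid-19-relieve[.]com",
    "Corona-Virus-Map.com",
    "hxxps://zoom-client-download[.]xyz/setup",      # constructed
    "https://zoom.us/download",                       # legitimate control
    "https://www.who.int/emergencies",                # legitimate control
]


def triage(samples=SAMPLES) -> dict:
    """Map each sample to its (score, reasons)."""
    return {s: score_url(s) for s in samples}


if __name__ == "__main__":
    for sample, (score, reasons) in triage().items():
        print(f"{score}  {sample}\n     {'; '.join(reasons)}")
```

The allowlist check runs first on purpose: "coronavirus" appears in plenty of legitimate WHO and CDC URLs, and the brand token "zoom" is present on zoom.us itself, so without the allowlist the heuristics would flag the very sites users should be sent to.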

Many services offered everyone a free premium subscription for the duration of the pandemic, and scammers were quick to exploit this generosity.
One campaign began with a Facebook Messenger message offering two months of free Netflix Premium "because of the quarantine". If the user was logged into their Facebook account and followed the link, they were shown a permission request from a "Netflix" application. Otherwise the user was first asked for their social network credentials and, after a successful login, redirected to the same permission request. Once the user agreed to continue, a fraudulent page opened with the "Netflix offer" and a survey that had to be completed to receive the gift:

image

The survey consists of arbitrary questions and accepts any answer the user enters. At the end of the survey the user is told to share the site with twenty friends or five groups in order to receive the "premium subscription"

Whichever button the user clicks at the end of the survey, they are redirected to a page requesting access to Facebook, and at this step they are again prompted to share the malicious link with their contacts.
To make this as easy as possible, the fraudsters even pre-compose the post, so a victim who has already handed over their credentials only has to press a button to publish it.

Be vigilant to defend yourself


Criminals actively exploit the pandemic theme in fraudulent campaigns. To counter them, follow these recommendations:

  1. Do not follow links from unfamiliar senders and do not forward them to your friends;
  2. check that the source of the information is legitimate;
  3. check the URL of any site that asks you for information;
  4. do not enter personal, account or payment information on unverified sites.

Trend Micro's position on the pandemic


We understand that the situation is developing rapidly and new data arrives every day, so we constantly update our information in order to keep providing the first-class service that our customers, partners and suppliers expect from us.

So that the COVID-19 crisis does not affect the availability of Trend Micro products, we are taking care of the safety of our employees:

  • we follow the instructions of local authorities in every country;
  • we work remotely;
  • we have limited travel;
  • we remain vigilant and use protective equipment.

We are optimistic about the future and believe that the current difficult situation will help introduce new ways of working together and other innovations, which will ultimately make our lives safer.
