These attackers have been trying to exfiltrate Personal Identifiable Information (PII) and steal money from groups supported by governments and healthcare organizations, including hospitals, thus taking advantage of this unique and critically vulnerable moment. Malicious campaigns impersonating health organizations have been recorded. These organizations play a significant role in the fight to prevent the pandemic; this means that various malicious groups are abusing these legitimate services to bait victims seeking vaccines and medicines into clicking and executing malicious software.
COVID-19 fraud doesn’t just cover a small piece of malware, but a large group of malicious activities that aim to deceive victims at this moment. Below is an Android application equipped with malware that mimics a COVID-19 real-time dashboard. Figure 1: COVID-19 Android malware tracker These kinds of malicious applications have been disseminated around the world with the goal of infecting the largest number of users. In other scenarios, criminals advertised a fake product to carry out rapid COVID-19 diagnostic testing at home. Figure 2: Phishing campaign advertising a COVID-19 rapid test
The plan of attack
Criminals are now using an array of different attacks to cause damage to organizations and victims. These range from phishing attacks to mobile and traditional malware (Windows-based) and even taking advantage of video-conferencing applications to obtain details or to use recent known vulnerabilities against target users or organizations.
Phishing campaigns
The methods criminals are using are not novel. For example, phishing campaigns are initiated via newly registered domains with the names of organizations, hospitals, medicines, vaccines, banks and so on, always with the name “COVID19” or “coronavirus” as part of the domain. This is an attempt to convince victims that the ongoing malicious campaign is completely legitimate and is potentially being distributed by the organization it claims to be. The following table shows some examples of domains involved in this threat (April 2020). Figure 3: Fake domains related to COVID-19 (April 2020) The campaign usually starts with social engineering, with the following scenarios and calls to action being executed in later stages:
Acquire fake products (masks, vaccines and medicines) Signing up on malicious websites (credential theft) Installing malicious Android applications that are then used to steal information from the device and assist in the two-factor authentication mechanism Installing malware on devices, usually Windows; several types of malware have been noted, including the infamous Emotet and Ryuk (ransomware)
Figure 4: Multiple campaigns ongoing using COVID-19 templates
Phishing evolving into malware
As previously described, malware such as Emotet and Trickbot has used COVID-19 templates to reach a greater number of victims. This usually begins with an attempt to use malware and turns into ransomware scenarios, where criminals encrypt victims’ data and demand a ransom. Through abuse.ch, it is possible to see from a global perspective that COVID-19 templates have been equipped with other known threats. Other malware samples, including AgentTesla, NanoCore, Formbook, MetaMorfo and HawkEye have been observed in the past few days. Figure 5: Malware using the COVID-19 template (from abuse.ch) The usage of mobile malware to attack Android devices such as COVID-19 trackers is one of the biggest problems now, with an infection rate far superior to traditional malware. In this case, criminals disseminate COVID-19 trackers, malicious APKs that aim to filter information from victims’ devices and keep the device under attackers’ control. In some cases, these applications carry a ransomware module that encrypts the entire contents of the victim’s device. The attack scenario consists of a few steps:
The victim is asked to download the COVID-19 tracker outside the Google Play store After its installation, the malware blocks the device and requires a ransom of around USD $100 in bitcoin
Take advantage of social networks
In the current situation, most businesses are closed and the employees are provided with options to work from home. RDP and video communication platform usage are high. This can be a critical problem from the security point of view when the correct controls are not put in place. Many times, users share links of private meetings on social networks such as LinkedIn, Facebook or even in public chats/groups on Telegram and WhatsApp. This can be dangerous: malicious authors take advantage of users’ facilities to collect very sensitive information on the meeting subject and about organizations. One of the last examples is a large data breach of Zoom — a video conferencing software. Researchers from IntSights discovered a shared database containing more than 2,300 usernames and passwords of Zoom accounts in dark web forums. In addition, the database includes details of Zoom accounts such as email and password. Others included meeting IDs, names and host keys. Figure 6: Zoom accounts published in dark web forums (April 2020) [CLICK TO ENLARGE] Several posts were spotted asking for details on how to gain access into Zoom conferences. Some threats focused on Zoom checkers and credential stuffing. One user, for instance, suggested a specific configuration of OpenBullet. OpenBullet is a web testing suite that allows performing various tests on targeted web applications. Figure 7: User suggestion of how to take advantage of Zoom software The user further added that with the configuration, attackers can capture meeting URLs, host keys, full names, meeting IDs and account types.
Protection measures
Security must be seen as an ongoing process. For example, improving security with MFA, including physical tokens, mobile and biometrics are seen as great options to add extra security layers. Some protection measures are listed below:
Do not install mobile applications (Android and iOS) that are not trusted and made available by the manufacturers’ official stores If you are looking for information about COVID-19 and want to keep up to date on the topic, consult the websites of credible sources, such as the WHO Install antivirus software and keep it updated Keep the operating system updated (install all requested patches) Think before you click. As a rule of thumb, never open an email attachment from a person or a company that you do not know. And even if you do know the person, be aware if the subject looks suspicious. Consider contacting that person by phone to confirm When using video conferencing software, users shouldn’t make the meetings public or share the meeting links in social media. Make sure that your meetings have a password enabled Last but not the least, take multiple backups of your data to avoid a critical online-offline disaster.
Think first before executing something strange. Opening an email and responding or clicking on a link may take just 20 seconds, but it could mean serious trouble.
Sources
Coronavirus Scam Alert: COVID-19 Map Malware Can Spy On You Through Your Android Microphone And Camera, Forbes URLhaus Database, Abuse.ch Threat Report: Emotet Triple Chain Analysis 2019 – Portugal, Segurança-Informática Password found to rescue victims of malicious COVID-19 tracker app, SC Media Emotet disseminated via COVID-19 campaigns, Seguranca-Informática Zooming in on the Target: Cybercriminals Automate Attacks Against Remote Workers, IntSights