Cybercriminals have always used crises and natural disasters to fuel their social engineering activities. The COVID-19 (Coronavirus) pandemic is a massive human crisis, and criminals have been quick to take advantage. People are afraid, and fear is a primary social engineering tool.
Researchers from Cybereason Nocturnus have been tracking the rise and variety of such attacks, which now include phishing, fake apps and ransomware. Phishing has followed the spread of COVID-19 infections, fake apps are targeting the growing number of home workers, and ransomware is targeting healthcare organizations.
Like the virus itself, phishing campaigns started in China, aimed primarily at Chinese-speaking targets. As the virus spread worldwide, the campaigns followed to Japan, South Korea, Europe and other infected areas. South Korea was one of the first infected countries, and was quickly targeted by multiple coronavirus-themed phishing attacks. Other attacks included scareware pretending to be ransomware.
As the pandemic spread to Europe, the criminals followed, targeting Italy and Italian speakers in particular. Typically, their phishing emails would pretend to come from health officials offering health advice on the virus. One found in the U.S. claims to be ‘Distributed vis [clue!] the CDC Health Alert Network’.
Most commonly, say the Nocturnus researchers, “an array of malware was distributed by these ‘coronavirus’ campaigns, including Emotet, RemcomRAT, ParallaxRAT, HawkEye, TrickBot, Agent Tesla and more.”
Beyond phishing, criminals have targeted home workers with fake apps offering coronavirus information, and false VPNs taking advantage of corporate advice to stay home and use VPNs. Reason Labs’ Shai Alfasi found a fake ‘coronavirus map’ (Corona-virus-Map.com.exe) offering information on the spread of the pandemic, but hiding an AZORult-related infostealer.
The Nocturnus team found a fake website (fil24[.]xyz) claiming to provide various legitimate VPN installers and installers for other programs like Facebook and Instagram. Attempts to download a VPN, however, simply lead to f444[.]xyz and malware.
There is also an ongoing campaign leveraging a multi-lingual malicious website with a fake World Health Organization app. The app is titled ‘Ways to Get Rid of Coronavirus’, adding the social engineering triggers of trust and authenticity to the fear trigger. The app doesn’t get rid of Coronavirus; it simply infects the user with the Cerberus banking trojan.
While much of the current activity is directed against individuals, organizations are also targeted, especially when an APT is behind the campaign. Check Point found an APT campaign targeting the Mongolian public sector, while Malwarebytes reported on a Pakistan-based APT36 campaign using fake Indian government emails, probably to target Indian entities.
Ransomware is being used against organizations and individuals. On March 16, 2020, CyberArk security researcher Shaked Reiner reported a new ransomware actually called CoronaVirus, being distributed via a fake website (WiseCleaner[.]best) that pretends to be the legitimate WiseCleaner.com. The fake website downloads both the Kpot information stealer and the CoronaVirus ransomware.
On March 13, 2020, it was reported that the Czech Republic’s second-largest hospital, the University Hospital Brno, which has a major COVID-19 research laboratory, was hit by ransomware. “Due to the malware attack,” comments Nocturnus, “the entire IT network of the clinic was shut down, affecting additional departments across the hospital.”
Healthcare institutions are a prime target during healthcare crises. “Healthcare workers are an easy target during times of crisis,” comments Nocturnus. “This makes them a prime target for phishing attacks, and unfortunately, we expect attackers will continue to take advantage of the situation and continue to target healthcare organizations with destructive attacks.”
The coronavirus pandemic has spawned a coronavirus malware epidemic, where everyone and every organization is a potential target.