Highlights


As the Coronavirus pandemic relentlessly affects communities across the globe, threat actors keep taking full advantage of people’s fear and anxiety, tricking unsuspecting individuals into opening malicious email attachments, clicking on dangerous links or downloading phony apps.

Whether onsite or remote, on a personal or corporate device, a careless user could jeopardize themselves, their family, community and organization.

Social engineering is still a favored tactic, with phishing emails offering status updates, information about infected people nearby, general financial relief, plane ticket refunds, fake testing kits, vaccines and cures, face masks, digital thermometers, respirators, opportunities to earn Bitcoins and even a mobile app to stay protected from the biological infection.

While phishing campaigns continue to impersonate:

  • Trusted authorities and healthcare personnel

Security researchers have spotted coronavirus-themed campaigns against:

  • Bank customers

Mobile users need to be mindful of:

  • Malicious Android apps stealing their credentials or spying on them

And all that in the midst of targeted attacks against:

  • Government bodies and healthcare facilities
  • Home networking devices

■ Impersonation of trusted authorities and healthcare personnel

Besides registering malicious domains, threat actors have been reported to host their phishing pages on compromised legitimate government, ecommerce and other domains such as “hhs.gov” and “masikini.com”.

From: World Health Organization 
Subject: Incomming Secure Document via Dropbox (COVID-19) 

A secure document was sent to you using Dropbox by World Health Organization on protective measures. To view your share document please follow the PDF link below: COVID-19.PDF
View your document


From: Health Care Organization 
Subject: Coronavirus symptoms: what are they and should I see a doctor? 

What is Covid-19? 

It is caused by a member of the coronavirus family that has never been encountered before. The World Health Organization (WHO) has declared it a pandemic. 

What are the symptoms  this coronavirus causes? 

According to the WHO, the most common symptoms of Covid-19 are fever, tiredness and a dry cough. Some patients may also have a runny nose, sore throat.  

How many people have been affected? 

There have been over 13,000 deaths globally. More than 92,000 people are recorded as having recovered from the coronavirus. 
Find and research your medical symptoms 


From: Maria … 
Subject: COVID-19 CONTACT 

You recently came into contact with a colleague/friend/family member who has COVID-19 at ..., please print attached form that has your information prefilled and proceed to the nearest emergency clinic. 

The Ottawa Hospital General Campus
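
A mail-filter check for the display-name impersonation seen in the samples above, as an added example that is not part of the original report. The allow-list, the function names and the sender addresses in the samples are assumptions made for illustration.

```python
from email import message_from_string, policy

# Assumption: display names worth protecting, mapped to the domains the real
# organisation sends from. who.int is the WHO's domain; extend for your own brands.
PROTECTED = {"world health organization": {"who.int"}}


def allowed(domain, good_domains):
    """True for an exact match or a true subdomain (not a look-alike suffix)."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in good_domains)


def sender_findings(raw_message):
    """Return a list of impersonation indicators found in the message headers."""
    # policy.default decodes RFC 2047 encoded display names before we compare.
    msg = message_from_string(raw_message, policy=policy.default)
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return ["missing or unparseable From header"]
    sender = from_hdr.addresses[0]
    name = " ".join(sender.display_name.lower().split())
    findings = []
    for brand, good in PROTECTED.items():
        if brand in name and not allowed(sender.domain, good):
            findings.append(f"display name claims '{brand}' but address is at {sender.domain}")
    reply_to = msg["Reply-To"]
    if reply_to is not None:
        for addr in reply_to.addresses:
            if addr.domain.lower() != sender.domain.lower():
                findings.append(f"Reply-To points to {addr.domain}")
    return findings


# Constructed samples: the display name and subject are from the emails quoted
# above; every address is invented (.example is a reserved TLD).
SPOOFED = (
    'From: "World Health Organization" <share@files-dropbox.example>\n'
    "Reply-To: collect@mailbox.example\n"
    "Subject: Incomming Secure Document via Dropbox (COVID-19)\n\n"
    "View your document\n"
)
GENUINE = 'From: "World Health Organization" <media@mail.who.int>\nSubject: Update\n\nBody\n'
LOOKALIKE = 'From: "World Health Organization" <info@who.int.alerts.example>\n\nBody\n'

if __name__ == "__main__":
    for sample in (SPOOFED, GENUINE, LOOKALIKE):
        print(sender_findings(sample) or "no findings")
```

The suffix test requires a leading dot, so a host such as who.int.alerts.example is flagged even though it contains the genuine domain.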

■ Impersonation of banks


Security researchers have recently come across traces of what seem to be Coronavirus-themed campaigns targeting Citibank, Scott Bank and Dutch ING Bank clients.

■ Malicious Android apps


Unsuspecting users across France, Italy, Spain, Germany and Canada (among others) are being tricked into downloading malicious Android apps that pretend to offer updates on the spread of the coronavirus, information about infected people in the area, etc.

Although the apps are mainly distributed via third-party websites, security researchers have observed hacked Twitter accounts being leveraged as well.

Some of the apps bear names such as "covidMappia_v1.0.3.apk", "covid19_mapa_v1.0.3.apk", "Coronavirus Map_ COVI... (2).apk", "Covid-Tracker.apk" and "CoronaVirus.apk", while others are more subtle – "googleplay.apk" or "ChromeUpdate.apk". The stealthiest ones impersonate trusted authorities (ex. Saudi Health Council) or legitimate apps such as the one created by the Italian company SoftMining (SM_Covid19).

The apps install information stealers (ex. Cerberus and Ginp banking trojans), spyware (CovidSpy), ransomware (CovidLock) or other malware.

■ Attacks against government bodies and healthcare facilities


MAZE and RYUK ransomware operators keep targeting hospitals.

Either increased registrations for income assistance or a DDoS attack took Australia’s myGov portal offline.

■ Attacks against home networking devices


Hackers are breaking into D-Link and Linksys routers and changing their DNS settings to point unsuspecting users to coronavirus-related sites pushing malware (ex. Oski trojan information stealer).
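
One way to notice the effect of such a router change from a client on the network is to compare the resolvers the client was handed with the ones the network is supposed to use. This is an added example, not part of the original report; the expected ranges, the sample resolv.conf and the function names are assumptions.

```python
import ipaddress

# Assumption: the resolvers this network is meant to hand out. Constructed
# values (private and documentation ranges); replace with your own.
EXPECTED = [ipaddress.ip_network(n) for n in ("192.168.1.1/32", "198.51.100.0/28")]


def nameservers(resolv_conf_text):
    """Extract nameserver entries, ignoring comments and IPv6 zone ids."""
    found = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1].split("%", 1)[0])
    return found


def classify(resolv_conf_text, expected=EXPECTED):
    """Map each configured resolver to 'expected', 'stub' or 'unexpected'."""
    verdicts = {}
    for server in nameservers(resolv_conf_text):
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            verdicts[server] = "unexpected"  # not an IP literal at all
            continue
        if ip.is_loopback:
            # Local forwarder (e.g. a stub listener): its upstream servers
            # must be checked separately, so this is not a clean bill.
            verdicts[server] = "stub"
        elif any(ip in net for net in expected):
            verdicts[server] = "expected"
        else:
            verdicts[server] = "unexpected"
    return verdicts


# Constructed resolv.conf as a DHCP client might write it after the router's
# DNS settings were changed; 203.0.113.53 is a documentation-range address.
SAMPLE = """\
# generated by dhcp client
nameserver 192.168.1.1
nameserver 203.0.113.53   # not one of ours
nameserver fe80::1%eth0
search lan
"""

if __name__ == "__main__":
    for server, verdict in classify(SAMPLE).items():
        print(f"{server:<16} {verdict}")
```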

Despite the fact that coronavirus-themed cybercrime is proliferating, individuals and organizations alike need to be mindful of other threats such as:

  • The passwords of more than 125,000 C-level Fortune 1000 executives are available on the criminal underground.  
  • Attackers could use Azure apps to sneak into Microsoft 365.  
  • Hackers are attacking Windows users (all supported versions) with a new unpatched critical bug in how the OS handles and renders fonts.

AMATAS continues to monitor this space and will deliver salient information weekly.

■ Sources


Twitter users @malwrhunterteam, @1ZRR4H, @LukasStefanko (malware researcher at ESET), @Spam404Online, @reecDeep

Infosecurity Group, ZDNET, Bleeping Computer, Computer Weekly, Dark Reading, Cyware, Techcrunch, SpyCloud, Helpnet Security, Avast Threat Labs, Kaspersky, ESET, Bitdefender