As the Coronavirus pandemic relentlessly affects communities across the globe, threat actors keep taking full advantage of people’s fear and anxiety, tricking unsuspecting individuals into opening malicious email attachments, clicking on dangerous links or downloading phony apps. 

Whether working onsite or remotely, on personal or corporate devices, a careless user could put themselves, their family, their community and their organization at risk.

Social engineering is still a favored tactic, with phishing emails offering status updates, information about infected people nearby, general financial relief, plane ticket refunds, fake testing kits, vaccines and cures, face masks, digital thermometers, respirators, opportunities to earn Bitcoins and even a mobile app to stay protected from the biological infection.

While phishing campaigns continue to impersonate:

  • Trusted authorities and healthcare personnel

Security researchers have spotted coronavirus-themed campaigns against:

  • Bank customers

Mobile users need to be mindful of:

  • Malicious Android apps stealing their credentials or spying on them

And all that in the midst of targeted attacks against:

  • Government bodies and healthcare facilities
  • Home networking devices

■ Impersonation of trusted authorities and healthcare personnel

Besides registering malicious domains, threat actors have been reported to host their phishing pages on compromised legitimate government, eCommerce and other domains such as “hhs.gov” and “masikini.com”.

From: World Health Organization 
Subject: Incoming Secure Document via Dropbox (COVID-19) 

A secure document was sent to you using Dropbox by World Health Organization on protective measures. To view your share document please follow the PDF link below: COVID-19.PDF
View your document

From: Health Care Organization 
Subject: Coronavirus symptoms: what are they and should I see a doctor? 

What is Covid-19? 

It is caused by a member of the coronavirus family that has never been encountered before. The World Health Organization (WHO) has declared it a pandemic. 

What are the symptoms this coronavirus causes? 

According to the WHO, the most common symptoms of Covid-19 are fever, tiredness and a dry cough. Some patients may also have a runny nose, sore throat.  

How many people have been affected? 

There have been over 13,000 deaths globally. More than 92,000 people are recorded as having recovered from the coronavirus. 
Find and research your medical symptoms 

From: Maria … 
Subject: COVID-19 CONTACT 

You recently came into contact with a colleague/friend/family member who has COVID-19 at ..., please print the attached form that has your information prefilled and proceed to the nearest emergency clinic. 

The Ottawa Hospital General Campus

■ Impersonation of banks

Security researchers have recently come across traces of what seem to be Coronavirus-themed campaigns targeting Citibank, Scott Bank and Dutch ING Bank clients.

■ Malicious Android apps

Unsuspecting users across France, Italy, Spain, Germany and Canada (among others) are being tricked into downloading malicious Android apps that pretend to offer updates on the spread of the coronavirus, information about infected people in the area, etc.

Although the apps are mainly distributed via third-party websites, security researchers have observed hacked Twitter accounts being leveraged as well.

Some of the apps bear names such as "covidMappia_v1.0.3.apk", "covid19_mapa_v1.0.3.apk", "Coronavirus Map_ COVI... (2).apk", "Covid-Tracker.apk" and "CoronaVirus.apk", while others are more subtle – "googleplay.apk" or "ChromeUpdate.apk". The stealthiest ones impersonate trusted authorities (ex. Saudi Health Council) or legitimate apps such as the one created by the Italian company SoftMining (SM_Covid19).

The apps install information stealers (ex. Cerberus and Ginp banking trojans), spyware (CovidSpy), ransomware (CovidLock) or other malware.

■ Attacks against government bodies and healthcare facilities

MAZE and RYUK ransomware operators keep targeting hospitals.

Either increased registrations for income assistance or a DDoS attack took Australia’s myGov portal offline.

■ Attacks against home networking devices

Hackers are breaking into D-Link and Linksys routers and changing their DNS settings to point unsuspecting users to coronavirus-related sites pushing malware (ex. Oski trojan information stealer). 

Despite the fact that coronavirus-themed cybercrime is proliferating, individuals and organizations alike need to be mindful of other threats such as:  

  • The passwords of more than 125,000 C-level Fortune 1000 executives are available on the criminal underground.  
  • Attackers could use Azure apps to sneak into Microsoft 365.  
  • Hackers are attacking Windows users (all supported versions) with a new unpatched critical bug in how the OS handles and renders fonts. 

AMATAS continues to monitor this space and will deliver salient information weekly.

■ Sources

Twitter users @malwrhunterteam, @1ZRR4H, @LukasStefanko (malware researcher at ESET), @Spam404Online, @reecDeep

Infosecurity Group, ZDNET, Bleeping Computer, Computer Weekly, Dark Reading, Cyware, Techcrunch, SpyCloud, Helpnet Security, Avast Threat Labs, Kaspersky, ESET, Bitdefender

Konstantina Kostadinova in AMATAS