Spread of Coronavirus-Themed Cyberattacks Persists with New Attacks

In cybersecurity circles, the Coronavirus is spurring anxiety over the virtual abuse of the deadly disease by scammers.

As the coronavirus blows up into a worldwide pandemic, threat actors continue to exploit the disease to spread malware. Just this week, cybersecurity professionals identified a bevy of new threats ranging from coronavirus-themed malware attacks, booby-trapped URLs and credential stuffing scams.

On Tuesday, researchers reported two malware campaigns connected to the coronavirus: One that uses a phishing email to spread Remcos RAT and malware payloads and the other using a Microsoft Office document to drop a backdoor onto a victim’s computer.

One campaign is in the form of a phishing email with a PDF offering coronavirus safety measures, according to research from ZLab-Yoroi Cybaze. Instead, the PDF–named “CoronaVirusSafetyMeasures_pdf“–includes executables for a Remcos RAT dropper that runs together with a VBS file executing the malware, researchers said.

The sample analyzed by researchers showed unique sophistication in its ability to avoid detection by typical firewall protections, ZLab-Yoroi Cybaze researchers observed in a post on the threat.

“It established a TLS protected connection to a file sharing platform named ‘share.]dmca.]gripe,’ possibly to avoid reputation warnings raised by next-gen firewalls,” researchers wrote in the post.

Victims are instructed to download the document from the “censorship-free” file-sharing service, which then installs two executable files in the “C:\Users\<username>\Subfolder” system directory on a victim’s computer. A VBScript then becomes the launching point to run the executables, researchers said.

Another new email campaign discovered by the MalwareHunterTeam includes a three-page coronavirus-themed Microsoft Office document purported to be from the Center for Public Health of the Ministry of Health of Ukraine, researchers said.

Instead of offering legitimate information, the document contains malicious macros that can drop a backdoor with capabilities such as clipboard stealing, keylogging, and the ability to lift screenshots from a victim’s computer, according to the MalwareHunterTeam.

Check Point reported on Thursday, “Since January 2020, based on Check Point Threat Intelligence, there have been over 4,000 coronavirus-related domains registered globally. Out of these websites, 3 percent were found to be malicious and an additional 5 percent are suspicious. Coronavirus- related domains are 50 percent more likely to be malicious than other domains registered at the same period.”

Researchers at Cofense, on Wednesday, said they observed a new phishing campaign that pushes fake messages from The Centers for Disease Control (CDC) that the coronavirus has “officially become airborne” and there “have been confirmed cases of the disease in your location.”

The email, which researchers said is a “good forgery,” contains a phishing kit that tempts recipients to click on a URL that appears to be a legitimate CDC link to learn more about the localized coronavirus threat. Embedded behind link is one of three malicious redirects used by attackers that take victims to one of several top-level domains (.com.au) that each use a SSL certificate.

“Users will be presented with a generic looking Microsoft login page upon clicking the link,” according to researchers. “The recipient email address is appended within the URL, thus automatically populating the login box with their account name. The only thing for the user to provide now is their password. Upon doing so, the user is sent to the threat actor.”

If credentials are entered into the site, the user is then sent to the legitimate CDC website.

Threat actors began leveraging news of the coronavirus to spread malware in January through a spate of malicious, botnet-driven emails that used the virus as a theme, according to researchers from IBM X-Force and Kaspersky.

Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.

Suggested articles