‘[F]Unicorn’ Ransomware Impersonates Legit COVID-19 Contact-Tracing App

[f]unicorn ransomware contact tracing

The new malware family was seen pretending to be an official Italian app, called Immuni.

A fresh ransomware strain known as “[F]Unicorn” has emerged, first seen this week targeting users by pretending to be an official government COVID-19 contact tracing app.

According to an advisory from the Computer Emergency Response Team (CERT) from the Agency for Digital Italy (AgID), the malware family is taking advantage of the rollout of “Immuni” – Italy’s official coronavirus-tracking app. The beta version is rolling out across the country, which was one of the hardest-hit coronavirus hotspots; it works constantly in the background by beaconing a Bluetooth Low Energy signal to other devices. The idea is to alert users if they have been close to an infected person.

The [F]Unicorn sample (flagged for CERT by security researcher JamesWT_MHT and analyzed by Dottor Marc) is spreading as a fake Immuni app housing a malicious executable, purporting to be from the Italian Pharmacist Federation (FOFI).

“[Distribution] relied on emails informing users of a PC beta release of Immuni, Italy’s COVID-19 contact tracing app, for distribution,” explained researchers at Tripwire, in a short analysis on Wednesday. “Those attack emails leveraged typoquatting techniques to trick users into clicking on a download link for the advertised app.”

Dottor Marc’s analysis meanwhile noted that the email invites the user to download the infected file from the www[.]fofl[.]it site, “which is nothing more than the identical copy of the official website of the FEDERAZIONE ORDINI FARMACISTI ITALIANI made on 3 May 2020.” Researchers there also noted that this particular download site has been blocked by the hosting service.

The email reads:

Once [F]Unicorn is installed on a user’s phone, if the person opens the app, two things happen: One, the user sees a convincing fake dashboard with supposed COVID-19 information collected by the Center for Systems Science and Engineering at Johns Hopkins University. Secondly, the malware executes in the background, setting about encrypting user data. Once its work is complete, it surfaces a ransom note to the victim, asking for 300 Euros in exchange for the decryption key.

Oddly, [F]Unicorn’s ransom note is far from straightforward, and includes sign-of-the-times references to Greek gods. It references Prometheus, the bringer of scientific knowledge to mankind in Greek myth, and Asclepius, Greek god of physicians, whose serpent-entwined staff is the symbol of medical practice everywhere (the caduceus).

The note, obtained by Dottor Marc, reads:

“The long snake on Asceplio’s [sic] staff has rebelled, and a new era is about to come! This is your chance to redeem yourself after years of sins and abuses.

“It’s up to you to choose. Within 3 days the pledge to pay you will have to or the fire of Prometheus will cancel your data just as it has wiped out the power of Gods over men. The pledge is only 300 euros, to be paid with Bitcoins at the following address: 195naAM74WpLtGHsKp9azSsXWmBCaDscxJ after you have paid, an email to send us you will. xxcte2664@protonmail[dot]com the transaction code will be the proof.

“After the paid pledge you will receive the solution to put out Prometheus’ fire. Go from police or calling technicians will be of no use, no human being can help you.”

Tripwire researchers noted that the email is invalid, meaning that victims can’t contact the operators with a proof of payment. That leaves them without a way to get a decryption key directly from the cybercriminals. However, “CERT-AgID found that those behind [F]Unicorn received the password responsible for encrypting a user’s data in cleartext,” researchers said. “Victims could thus leverage network traffic logs to intercept this password and decrypt their information for free.”

Dottor Marc researchers said that the operators behind [F]Unicorn are likely novices.

“There are many factors that can indicate that the origin of this virus that encrypts files are novice criminals, with little technical knowledge, but at the same time no fear in spreading a threat that could have a major social impact,” they wrote. “The virus code appears to be a copy-paste of other ransomware previously seen. The diffusion was scarce and the fraudulent domain, hosted by German servers, was immediately suspended.”

Ransomware continues to proliferate, as do attacks tied to the ongoing COVID-19 pandemic. The coronavirus lure is in fact being utilized by bad actors daily to convince unwitting victims to open malicious documents, click on suspicious links or hand over their credentials. Last week, cyberattackers were seen using malicious Excel 4.0 documents to spread a weaponized NetSupport RAT in a spear-phishing campaign. And in a separate alert last week by Microsoft’s security team, emails on May 18 purporting to offer a “free COVID-19 test” were actually spreading the TrickBot trojan.

Contact-tracing is likely to be a continuing lure as well, as the apps begin to roll out. They have drawn a slew of controversy over privacy concerns, even as contact tracing has emerged as a top idea for dealing with the coronavirus pandemic and is considered by many to be an important step towards reopening economies worldwide.

The National Health Service (NHS) in the U.K., the state of Utah and a Google/Apple approach have all made news of late, thus offering cybercriminals a new social-engineering topic.

Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.


Suggested articles