At Sentinel Labs, we have been closely tracking adversarial behavior as it pertains to COVID-19/Coronavirus. To date, we have observed a significant number of malware campaigns, spam campaigns, and outright scams that are preying on the fears and uncertainties of the global population.
Updates are tagged in-line with respective dates within each section of this post.
[April 14, 2020] In mid-April, we observed a short-lived COVID-themed ransomware attack. Spam email messages containing COVID-themed malicious Word documents were used to drop a ransomware payload based on HiddenTear (open-source ransomware).
Once opened, the document drops the ransomware into ~\AppData\Local\ and executes it. When executed, the ransomware attempts to contact the C2 server for additional components (a desktop image) and sends information about the victim host back to the C2. Encrypted files are renamed with a “.locked20” extension.
[April 14, 2020] HiddenTear is a long-standing open source ransomware framework. SentinelOne Endpoint Protection detects and prevents all malicious activities associated with this threat.
[April 14, 2020] In early April, several Android-focused campaigns were observed spreading the Anubis and Cerberus banking trojans to victims seeking additional information on Coronavirus in their area. Many were specifically targeted towards users in Italy and China. The malicious apps claim to track and inform users of COVID-specific updates for their region (a very common lure). Oftentimes, the data in the app will be legitimate (redirection), but the app will request permissions beyond what is needed or required, allowing it to exfiltrate personal data to a remote location of the attackers’ choice.
[April 14, 2020] In late March, a widespread phishing campaign was observed using COVID-themed email messages masquerading as notifications from the “Department of Health”. The email messages contained a malicious link which leads victims to a page designed to harvest Outlook/Office credentials. Email sender and subject examples are below:
- Sender: “Department of Health” <department[.]health-pandemic[@]zacks[.]com>
- Subject: “HIGH ALERT: COVID-19 cases surpassed 300,000 globally”.
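The sender/subject pair above shows the two cheapest signals a mail gateway or SOC triage script can check: a display name that claims an organisation while the sending domain belongs to someone else, and a COVID-themed subject line with an urgency cue. The following Python is an added example (not SentinelOne code) that scores constructed headers on those signals; the display-name-to-domain allowlist is a hypothetical placeholder that you would populate from your own environment.

```python
import re
from email.utils import parseaddr

# Constructed sample messages, modelled on the sender/subject pattern described
# above; they are not real captured mail.
SAMPLES = [
    ('"Department of Health" <department[.]health-pandemic[@]zacks[.]com>',
     "HIGH ALERT: COVID-19 cases surpassed 300,000 globally"),
    ('"Jane Doe" <jane.doe@example.org>', "Lunch on Friday?"),
    ('"IT Helpdesk" <helpdesk@example.org>', "Password expiry notice"),
]

# Hypothetical allowlist: which sending domains a given display name may legitimately
# come from. The values are placeholders; populate from your own environment.
ORG_DOMAINS = {
    "department of health": {"health.example.gov"},      # placeholder
    "centers for disease control": {"cdc.example.gov"},  # placeholder
    "it helpdesk": {"example.org"},
}

THEME = re.compile(r"\b(covid[- ]?19|coronavirus|corona)\b", re.I)
URGENCY = re.compile(r"\b(high alert|urgent|immediately|act now|final notice)\b", re.I)


def refang(s: str) -> str:
    """Undo the defanging used in reports ([.] and [@]) so the header parses."""
    return s.replace("[.]", ".").replace("[@]", "@")


def sender_domain(from_header: str) -> tuple:
    """Return (display name, sending domain) from a From: header value."""
    name, addr = parseaddr(refang(from_header))
    return name.strip(), addr.rpartition("@")[2].lower()


def analyse(from_header: str, subject: str) -> list:
    """Return the list of lure indicators found in one message's headers."""
    name, domain = sender_domain(from_header)
    findings = []
    allowed = ORG_DOMAINS.get(name.lower())
    # Display name names a known organisation but the mail comes from elsewhere
    if allowed is not None and domain not in allowed:
        findings.append("display-name impersonation")
    if THEME.search(subject):
        findings.append("covid-themed subject")
    if URGENCY.search(subject):
        findings.append("urgency cue")
    return findings


def triage(samples) -> dict:
    """Map each From header to (verdict, findings); two or more indicators => suspicious."""
    out = {}
    for from_header, subject in samples:
        f = analyse(from_header, subject)
        out[from_header] = ("suspicious" if len(f) >= 2 else "ok", f)
    return out


if __name__ == "__main__":
    for hdr, (verdict, findings) in triage(SAMPLES).items():
        print(f"{verdict:10s} {hdr}  {findings}")
```

The allowlist check deliberately fires only when the display name is one you have chosen to protect; an unknown name with a foreign domain is normal mail, so it contributes nothing on its own and the theme and urgency matches are what tip the score.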
[April 14, 2020] Fake charity and donation scams have become more and more frequent since the onset of the pandemic. Criminals are constantly pivoting through COVID-themed lures while preying on the fear and uncertainty looming over the population. An example of one such scam (“Lina Charity Foundation”) can be seen below. These messages are distributed en masse. In the example below, we have removed the supplied banking details. The groups behind these scams do often include these details (bank name, address, SWIFT codes, IBAN numbers) in order to enable their victims to complete the fraudulent donations / transfers.
[April 6, 2020] In early-to-mid-March 2020, Redline Stealer was distributed via a spam campaign using Coronavirus-themed lures. Victims were enticed into downloading and installing a trojanized version of the “Folding@home” client software.
[April 6, 2020] Users who choose to download the malicious software are presented with the trojanized “foldingathomeapp.exe” executable. Redline Stealer is a well-known commodity malware which can pilfer browser information, credential sets, as well as user and system information.
Throughout March 2020, the Qbot banking trojan was distributed via aggressive spam campaigns. Victims are enticed via messages which claim to link to refreshed PPE supplies (ex: masks & gloves). When following the malicious links, users are led to the Qbot trojan in either EXE or ZIP archive form.
[April 6, 2020] Attackers have been leveraging the United States Stimulus Relief package to entice users into following malicious links which ultimately lead to leakage of personal data in multiple forms. We have observed email and SMS-based campaigns which offer updated information around the stimulus bill, or promise short-term loans with the victim’s expected stimulus to be used as collateral.
These attacks are ongoing and we encourage users to be extra cautious when interacting with COVID-related emails and SMS/TXT messages.
[Update April 1, 2020] On April 1st, a new, multifaceted malware emerged which leverages the Coronavirus in an attempt to play on the emotions of its victims. When executed, the dropper deposits numerous scripts and dependent files. The threat then makes a number of configuration changes which negatively affect the security posture of the infected host. The infection routine requires a reboot due to the changes to UAC. After the reboot, additional payloads are executed, resulting in the display of an image of the Coronavirus adorned with additional messages following the theme.
In some scenarios, an additional payload will execute which is responsible for overwriting the machine’s MBR (Master Boot Record). The user is then presented with a simple message on a dull grey background, with their access to local data restricted.
Note: SentinelOne Endpoint detects and prevents all artifacts and behaviors associated with Wiper.coronavirus.
Malware authors are continuing to utilize COVID/Coronavirus as a lure. We have seen ongoing activity from the malware families outlined in this original post, including AdWind, LokiBot, NetSupport RAT, Tesla Keylogger, and Kpot. We have also observed additional malware families joining in on the exploitation of fear around COVID-19.
[March 31, 2020] Coronavirus-themed email messages are used to spread the Hawkeye trojan. Hawkeye is a long-standing credential-stealing trojan. In recent campaigns, users are targeted via spam messages claiming a “cure” in China and Italy (ex: CORONA VIRUS CURE FOR CHINA, ITALY).
[March 31, 2020] Actors behind the Metamorfo (Casbaneiro) trojan launched a COVID-19-themed spam campaign to spread their malware. Similar to other uses of this lure, victims are enticed to follow a malicious link to receive “more or updated information” on COVID-19 in their region. The malicious links lead to a malicious MSI installer which downloads additional malware and establishes persistent C2 communications.
[March 31, 2020] A Coronavirus-themed email campaign is being used to spread the Nanocore trojan. Victims are enticed with misinformation tied to an update on COVID-19 vaccines. Malicious downloads are named following this theme (ex: “Covid-19 Vaccine.gz”).
[March 31, 2020] Late in March, we observed the Sphinx banking trojan, which is largely based on the leaked Zeus source code, begin to spread aggressively via email with COVID-themed messages. In some observed cases, victims were enticed to complete a form related to receiving government assistance during the outbreak. The malicious document then proceeds to drop and execute a VBS script. This script establishes C2 communication channels and downloads additional executable payloads. Beyond the COVID-themed lures, the functionality is largely unchanged with regard to data interception via web injects.
In mid-March 2020, a new family of Android ransomware, CovidLock, began targeting users via malicious app (APK) downloads. The malicious apps were hosted on sites masquerading as hosts for valid real-time information tracking apps. Upon infection, the ransomware tricks users into providing full device control via misleading permissions request dialogs. The malware sets itself to load upon device startup and leads to a lock-screen style ransom request. This specific family utilizes Pastebin to aid in the construction of the displayed ransom notes.
In early March 2020, the APT group Mustang Panda (China) utilized multiple spam campaigns to deliver implants. Spam messages made use of multiple COVID-19-themed lures. Malicious documents were used to execute additional scripts, and leverage subsequent LOTL tactics to retrieve and launch payloads.
In mid-March 2020, we observed multiple websites hosting fake versions of WiseCleaner utilities. These sites were used to distribute the Kpot Infostealer trojan, along with a new ransomware family dubbed “CoronaVirus”. From the fake WiseCleaner-themed sites, a malicious version of “WSHSetup.exe” was used to download both the CoronaVirus ransomware and Kpot Infostealer. Once infected, a customized ransom message is displayed at boot, prior to the loading of Windows. Victims are instructed to email the attackers, as opposed to interacting with them via a payment portal site.
The Kpot Infostealer trojan is coupled with the ransomware in order to harvest cryptocurrency wallets, browser data and credential sets. The requested ransom is typically ~$50.00 USD.
In mid-March, NetWalker ransomware campaigns were observed attacking multiple targets classified under Health and Human Services offices (ex: the Illinois Champaign-Urbana Public Health District). The malware was delivered via email with malicious VBS attachments. Upon launch, the malware proceeds to encrypt targeted file types as well as disabling known anti-virus products (if found).
In early February 2020, multiple COVID-19/Coronavirus-themed phishing campaigns were tracked, targeting primarily the shipping and logistics industry. The phishing campaigns were used to spread the AZORult trojan to high-value targets in the shipping sector. Some message samples contained malicious Microsoft Office documents designed to exploit CVE-2017-11882. CVE-2017-11882 is a memory corruption vulnerability in Equation Editor. Successful exploitation allows for the execution of arbitrary code across affected versions of Microsoft Office.
In early February 2020, a massive COVID-19/Coronavirus-themed phishing campaign targeted large swaths of Office 365 users. The motive behind these campaigns was basic credential harvesting. Victims were urged to open malicious attachments which were disguised as updates on COVID-19 patterns in their local areas. Most observed samples masqueraded as updates from the “Centers for Disease Control and Prevention”. Attackers took advantage of ‘look-alike’ domains for added authenticity (ex: cdc-gov[.]org).
In early February 2020, we tracked COVID-19/Coronavirus-themed spam campaigns spreading LokiBot, specifically targeting Chinese entities. Spam messages were seen masquerading as updates from the ‘Ministry of Health in the People’s Republic of China’. Messages were written in English but appear to have been written by a non-native English speaker. The LokiBot malware was distributed in these messages in the form of RAR archives (with .arj extensions).
In mid-February 2020, multiple malicious websites were constructed to deliver the Grandoreiro banking trojan. Multiple weaponized sites were utilized, primarily targeting users in Mexico, Spain, and Brazil. The sites utilized a ‘video player’ download-style lure to entice victims into executing the Grandoreiro payloads.
In mid-February, the “Corona Virus Map Phishing Kit” was advertised for sale in various underground forums. The kit ranged in price from $200 USD to $700 USD. Buyers are able to customize the kit to embed their own payloads or force a redirection (upon execution of the trojanized map EXE) to remote payloads. The malicious map executable masquerades as legitimate map data from Johns Hopkins University. Indeed a picture (in this case an interactive map) is worth a thousand words, with attackers offering up the ability to load payloads to victims that visit this nefarious coronavirus spread map:
In late February 2020, we observed COVID-19/Coronavirus-themed spam campaigns targeting users in Ukraine. Spam messages are disguised as updates from the ‘Center for Public Health of the Ministry of Health of Ukraine’. The messages claim to contain updated information for the public pertaining to COVID-19/Coronavirus. Initial waves of the campaign were used to distribute various dropper and downloader trojans.
In late February 2020, COVID-19/Coronavirus-themed spam emails were used to distribute the Tesla Keylogger. Spam messages were constructed via a customized phishing kit. Observed samples are disguised as updates from ‘The Centers for Disease Control’. Victims are enticed into following malicious links in order to access informational “updates for their area”.
In late February 2020, we observed a spam campaign targeting South Korean entities. The spam campaigns were used to distribute BabyShark implants, often associated with the cyber operations of North Korea. Malicious attachments were disguised as official updates on South Korea’s response to COVID-19.
In late February 2020, multiple spam campaigns were observed distributing the FormBook malware. Messages were disguised as updates from FedEx on their current plans for dealing with issues and delays around COVID-19.
In late February 2020, Trickbot campaigns were tracked, primarily targeting Italian entities. Spam messages were constructed with a customized phishing kit, and redirected victims to Trickbot payloads.
In late January 2020, we observed Coronavirus-themed Emotet spam campaigns, primarily targeting Japanese entities. Message templates for the spam runs were updated frequently (as is normal with Emotet). That being said, most messages masquerade as “urgent notifications” which urge the victims to open malicious email attachments. The malicious attachments are disguised as updated information briefings on COVID-19 patients in their particular region.
Update (Friday, March 27th)
COVID-themed campaigns have started to slow this week. While criminals were quick to capitalize on the news-heavy topic of ‘Covid-19’ for their campaigns, we suspect this slowdown will continue, due in part to the current situation in which many countries, cities, and provinces have started to issue “stay at home” or “shelter in place” orders. These orders could impact local governments and businesses in a way that slows down a criminal’s ability to move money. We are still following the situation to see what the effect will be on the underground economy as the global economy becomes more turbulent.
This is a concerning time for our industry and the public at large. We are in the midst of a global health crisis. In such times, we all need to be working together and ensuring that everyone has the most accurate and reliable data. We all want assurance that we can trust the resources available to us. Anything counter to that is destructive and potentially harmful to society. However, we all know that cybercriminals and sophisticated adversaries seize opportunities like this to further their own cause. This not only leads to the usual barrage of complications inherent to any cyber attack or event, but in this case it can translate to real harm to those we love and protect.
Domain Registration and Squatting
From the onset of the SARS-CoV-2 virus’s spread, opportunistic cyber-criminals have taken to proactively registering relevant domain names for malicious use. According to data from Recorded Future, “Beginning on January 12, the number of domain registrations started to increase, with an additional large spike on February 12”.
While domain registration alone is not proof of ill-intent, it is a reminder that we need to be extra cautious when interacting with “COVID” and “Coronavirus” related domains.
To provide some context, consider the following data:
Registered domains including “coronavirus” in the last 7 days = 5762
Registered domains including “covid” in the last 7 days = 6155
Registered domains including “covid-19” in the last 7 days = 934
Registered domains including “covid19” in the last 7 days = 3098
Src: DN Pedia
In the more scam-centric realm, registered domains including “coronacure” in the last 7 days = 934.
Src: DN Pedia
Some of these domains claim to offer medical supplies at exorbitant prices; would-be buyers pay up-front and take their chances as to whether they will ever see a delivery.
It is important to note that these numbers do not account for typo-squatting, subtly-varied names (homographic attacks), or numerical-replacement variants (aka ‘hackerese’).
Emergence of Blatant Scams
Multiple dark web (.onion) sites claim to sell COVID-19/Coronavirus supplies (masks, sanitization and cleaning supplies) directly for BTC (bitcoin). These are outright scams, which just collect BTC and deliver nothing to their victims. To add insult to injury, we have also seen sites purporting to sell non-existent vaccines, charging $5000.
Scammy COVID-19 supply sellers
Infrastructure & Misinformation Attacks
On Monday, March 16 an attempted DDoS attack was carried out against the US Health and Human Services Department. While the HHS infrastructure remained “fully operational” there was a perceived strain on the targeted systems given the increased activity. The attack comes at a critical time given the current influx of requests to their site (and services) seeking information and updates around protection against COVID-19. In this situation, the HHS was prepared. According to an HHS spokesman, “while preparing and responding to COVID-19, HHS put extra protections in place”.
In addition to the DDoS attempt on HHS, we have seen a flurry of social media campaigns specifically crafted to spread misinformation, and increase paranoia around the Coronavirus pandemic. There appear to be multiple, ongoing misinformation campaigns across all social media platforms (ex: Twitter, Facebook, Telegram).
For this reason, we all need to be extra careful and ultra-discerning. The NSC has been quick to alert on and clarify most of these attempts, but again they are ongoing. It is recommended that the public continually monitor the NSC (and other official outlets) for accurate data and updates, as well as alerts on misinformation campaigns.
Supply & Lockdown Effects on the Criminal Element
Cyber criminals can be affected by the societal impacts of COVID-19 as well. Perhaps as a ‘positive’ side-effect, some underground vendors are having to cease operations due to increased risk or limited supplies.
The psychology of fear, uncertainty, and doubt is a powerful weapon. Criminals have become more advanced in their understanding of manipulating human emotion to achieve a targeted action. Social engineering is based on the premise that I can get a victim to take action the victim believes to be trusted, but which is actually malicious, using manipulation, influence, and deceit. It can also be based on downright intimidation, authority, and extortion. The net result is a victim taking actions they otherwise never would have in the absence of social engineering.
Nation-state actors have long relied upon social engineering to achieve targeted goals for espionage, system compromise, election influence, and social media manipulation.
While this is still very much a ‘living’ situation, Sentinel Labs has already observed the ability for enterprising cybercriminals to capitalize on the fear and uncertainty of the general public. As is the case with any large and newsworthy event, our adversaries have no scruples when it comes to social engineering and malware distribution. Nothing is out of bounds, and the main difference with the current climate is that the stakes are much higher. It is enough of a challenge to get accurate data and information from known-and-reputable sources. The criminal element further muddies the water and makes our attempts to protect our loved ones (and selves) that much more of a challenge.
Sentinel Labs will be posting updates and details as they become available at https://labs.sentinelone.com/
This post draws out critical lessons we can learn from both cyber and biological threats:
In addition, the US-CERT/CISA has posted a list of additional resources which can assist in avoiding COVID-19-related scams and attacks. They cover cyber-hygiene recommendations and link additional helpful resources as well:
US-CERT: Defending Against COVID-19 Cyber Scams
CISA Insights: Risk Management for Novel Coronavirus (COVID-19) (Note: PDF)
CISA Alert (AA20-099A) – COVID-19 Exploited by Malicious Cyber Actors
FBI Alert I-032020-PSA – FBI SEES RISE IN FRAUD SCHEMES RELATED TO THE CORONAVIRUS (COVID-19) PANDEMIC
Indicators of Compromise
- Zeus Sphinx: DFF2E1A0B80C26D413E9D4F96031019CE4567607E0231A80D0EE0EB1FCF429FE
- Zeus Sphinx: 3c115864cb93746b3745a119855b17442ef9415ccc2bf1531fc5a269e4714c66
- Zeus Sphinx: 511dab2388e7a98cc70a8e6abbfe3c47f170c9fc616941a2c05c08b1fc449ef1
- Zeus Sphinx: f40d11f983151b6f0405db63a3424e5063a7294f42bdbde07f7aed5fd96f4563
- Zeus Sphinx: c89c43d51eba1eb522cca6ec720f778a59638a09ea07ce10a60dd1929023a8d5
- Zeus Sphinx: 66fc5d683cf76c3c4b53199fc0796b7a13afba22fca8d97ef4dfd07249e5a9f1
- Hawkeye: 0b9e5849d3ad904d0a8532a886bd3630c4eec3a6faf0cc68658f5ee4a5e803be
- Hawkeye: 82f9157507edd82634feb23213b70730701b274eb65c63e9dea6d7acef154d51
- Nanocore: 2cf2568dad46a638b8e4d86aa46f4cd279511dba9900286e22aeaefc39189a88
- Emotet: 4c9e35f3d5f555dda5f4373cf23fbb289c6067c70841be7022ba6da62e49cccb
- Emotet: b49c9eba58537f8d856daded80bc9493a83c508d73423b98686d4e8b232d61c3
- Emotet: 7cbcad4d6e9ad8438e5febd3830bff9aef4729b98d23935ad7f9e6d290272732
- Emotet: acec0bb9d9bd199d3e6a77b763cebee8f67275996d3c55af8c617fef76f2e87f
- Emotet: 109[.]236[.]109[.]159
- Emotet: 85[.]96[.]49[.]152
- Emotet: 186[.]10[.]98[.]177
- Emotet: erasmus-plius[.]tomasjs[.]com/
- Emotet: easytogets[.]com/
- Emotet: drhuzaifa[.]com
- Emotet: dewarejeki[.]info
- Emotet: dewakartu[.]info
- AZORult: d2b231eb83de043acfcdf1c938c6b49e465d585fe4ce79f42add43a17aba1300
- AZORult: 2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307
- LokiBot: 198[.]23[.]200[.]241
- LokiBot: 906EFF4AC2F5244A59CC5E318469F2894F8CED406F1E0E48E964F90D1FF9FD88
- Grandoreiro: 08710023c219f26237a9c8de5454a1de17117a2da651b4391afce8e331f31dfa
- Grandoreiro: 3bbd2beaa7953543e3cfb09d064db83b11034ff81255429b82e2de40d661ee29
- Grandoreiro: 13[.]72[.]105[.]98
- Generic Downloader/Dropper: 9aea43b22f214228caf4fc714f426c0a140b7dd70b010bf3778cd1c0ec440851
- NetWalker: 9f9027b5db5c408ee43ef2a7c7dd1aecbdb244ef6b16d9aafb599e8c40368967
- RedLine Stealer: 0ddd7d646dfb1a2220c5b3827c8190f7ab8d7398bbc2c612a34846a0d38fb32b
- Ransom20 (COVID-themed HiddenTear ransomware): 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326
- Anubis: dfb54d6c468271c73865d45e54b9dd942a18e716d608cf9233f1122cf79bab8c
- Anubis: 1de6e6c140ff1b301b7df12d4b6388a21a6fbf0f141347dd2f9289740438a6d8
- Anubis: 5c4a0458c581c9bc0a7729b01926cd7b1f6b5b58aaecb2f31f571d4ded7ee419
- Anubis: 9ebc2996f2d08258d9119e01c9b00d1b8bf01b838c54dee9a675b28b9697e38f
- Anubis: 0052751f0f11af674c479c2083c1f9f88a503b1189b7ebc095a38c4970b8a899
- Anubis: 60c957d19a81b795053b5d6e5b0372df0326c07b730718cba627f993261a6a5e
- Anubis: bb27202091a065f3261e1625cbc7a0661a538b6e9aecfcb2069c71a680c61970
- Cerberus: 604b3cd50ef3b0df46bcb07a1d2d0fad31f517f4ef541036d9f0161d3c69499b
- Cerberus: 93288d18a7b43661a17f96955abb281e61df450ba2e4c7840ce9fd0e17ab8f77
- Cerberus: c3096b341d6807a5a7d353f97554017a6242349b081837de60908081bcada1d0
- Cerberus: 2086af24ef1bd41939f4e2da8e1d17fbbd4de75d04143c758cbed133a8202d01
- Cerberus: de1ffdb17ac2f8d1b02972e11b2bff0a9a2cd27be4f20d44aece5227006eba8b
- Cerberus: cfcc5ed7da99eee17c7d7179e0ee3b20f2df43126277c3c6670a1943e64e788e
- Cerberus: 178b0878f1d485ecdb3626c8122424e818c92bab8101d2baf7be8eb0188ed5c7
- Credential Harvesting: intvmdt[.]us
- Credential Harvesting: whintdm[.]us
- Ursnif: 17c8d552a8ba063372f43b3a719eda76f6a3a2612e9a0bf329f26b4cc31579d5
- Ursnif: 4640edbda4a76f7baeeaad983afe8c742fa10becaa67b07e2c2effadc1711649
- Ursnif: e9697d963d66792a91991e64537707a94f466421615277d91675b83a408eef93
- Ursnif: e8ae0f7afaa6ce080567267759e7b9e02547b5174a9fce3f379792d499503c2f
- Ursnif: a4bbf7654331415c4f7d0306066ececa014a27d706deca83bd7113ad4cd28d2e
- Ursnif: f1[.]pipen[.]at
- Ursnif: io[.]laurela[.]at
- Ursnif: ya[.]aftnoop[.]at
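The indicator list above mixes SHA-256 hashes, defanged IPs and defanged domains under free-text family labels, which is the form most threat-intel write-ups ship in. The Python below is an added example (not SentinelOne tooling) that parses a few of those entries, refangs and types each indicator, and sweeps constructed proxy, DNS and endpoint log lines for exact hash and IP matches and for domain matches that include subdomains. The log lines are invented for the example; the indicators are copied from the list above.

```python
import re

# A few entries copied from the list above, in "<family> <indicator>" form
IOC_TEXT = """
Zeus Sphinx DFF2E1A0B80C26D413E9D4F96031019CE4567607E0231A80D0EE0EB1FCF429FE
Emotet 109[.]236[.]109[.]159
Emotet easytogets[.]com/
Credential Harvesting intvmdt[.]us
Ursnif f1[.]pipen[.]at
"""

# Constructed log lines (proxy, DNS and endpoint events); not real telemetry
LOG_TEXT = r"""
2020-03-31T10:02:11Z proxy src=10.0.0.5 dst=109.236.109.159 uri=/
2020-03-31T10:05:42Z dns query=easytogets.com type=A
2020-03-31T10:07:03Z edr file=C:\Users\bob\Downloads\update.exe sha256=dff2e1a0b80c26d413e9d4f96031019ce4567607e0231a80d0ee0eb1fcf429fe
2020-03-31T10:09:55Z dns query=www.example.org type=A
2020-03-31T10:11:12Z dns query=login.intvmdt.us type=A
"""

SHA256 = re.compile(r"^[0-9a-f]{64}$")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(s: str) -> str:
    """Turn report-style '[.]' and '[@]' back into live separators."""
    return s.replace("[.]", ".").replace("[@]", "@")


def classify_indicator(ind: str) -> tuple:
    """Return (kind, normalised value); kind is 'sha256', 'ip' or 'domain'."""
    ind = refang(ind).strip().rstrip("/").lower()
    if SHA256.match(ind):
        return "sha256", ind
    if IPV4.match(ind):
        return "ip", ind
    return "domain", ind


def load_iocs(text: str) -> dict:
    """Parse '<family> <indicator>' lines into {kind: {indicator: family}}."""
    iocs = {"sha256": {}, "ip": {}, "domain": {}}
    for line in text.strip().splitlines():
        family, _, ind = line.strip().rpartition(" ")  # family may contain spaces
        if not family:
            continue
        kind, value = classify_indicator(ind)
        iocs[kind][value] = family
    return iocs


def scan(log_text: str, iocs: dict) -> list:
    """Return (line_no, family, indicator) for every log line touching a known IoC."""
    hits = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        for tok in re.split(r"[\s=,;]+", line.lower()):
            if tok in iocs["sha256"]:
                hits.append((n, iocs["sha256"][tok], tok))
                continue
            if tok in iocs["ip"]:
                hits.append((n, iocs["ip"][tok], tok))
                continue
            # Domains match exactly or as a parent of the queried host
            for dom, fam in iocs["domain"].items():
                if tok == dom or tok.endswith("." + dom):
                    hits.append((n, fam, dom))
    return hits


if __name__ == "__main__":
    for line_no, family, ind in scan(LOG_TEXT, load_iocs(IOC_TEXT)):
        print(f"line {line_no}: {family} <- {ind}")
```

Token-level matching is enough for a one-off sweep; for a live feed, load the same parsed dictionary into your SIEM's lookup table so the subdomain rule runs at ingest rather than over exported text.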