Masergy Threat Intelligence Bulletin: COVID-19

Published on March 27th, 2020

In the Spotlight: COVID-19

Key topics covered

Executive summary

With COVID-19 (also known as the “coronavirus”) being declared a pandemic by the World Health Organization, cyber attackers have taken advantage of the situation by registering domain names to use in phishing attacks and exploitation. Attackers have also been capitalizing on the increased demand placed on healthcare providers by utilizing ransomware and performing denial-of-service attacks.

What happened?

Cyber attacks themed around COVID-19 began around January and have steadily increased in volume through March. By the end of March, COVID-19 related Spam represented over 2% of all Spam traffic observed by security researchers at Sophos. Some of the Spam messages include scams pretending to be fundraising from the World Health Organization (WHO) for bitcoin to fund COVID-19 research, marketing for emergency supplies like filter masks, documents from WHO but are in fact documents loaded with dropper malware and others. From February 8th to March 24th, Sophos observed 42,578 domains registered using “covid” or “corona” in the domain names. 

Security Researchers at LookingGlass observed instances of actors starting threads on a top-tier Russian-speaking marketplace forum on the dark web for the sale of  “Coronavirus Phishing Methods”. Sellers claim this phishing method allows the actor to send a payload “preloader” disguised as a map that can be sent as a file attachment using any mail service – capable of infecting 10,000 victims daily.

In mid-March the U.S. Health and Human Services Department was hit with a denial-of-service attack that flooded it’s servers with millions of requests over several hours. HHS Secretary Alex Azar said the attack did not degrade their systems or achieve penetration of the network. The attack also occurred at the same time as a disinformation campaign was being spread over email, text messages, and social media spreading a false rumor about a national military quarantine. 

Ransomware operators have drastically ramped up targeting of healthcare facilities due to the increased likelihood of receiving a payout since maintaining full functionality is critical for healthcare organizations while dealing with COVID-19. 

COVID-19 Cybercrime  – So What?

With the amount of misinformation floating around the internet regarding the coronavirus, it’s very easy for attackers to create malicious domains and emails to try and blend in with legitimate news. Criminals can take advantage of hysteria with the promises of supplies or remedies, or spoof the appearance of official government groups or organizations to lull victims into their trap. Hackers have a history of capitalizing on natural disasters or emergencies as we frequently see fake Red Cross or insurance domains and scams following shortly after. 

COVID-19 Cybercrime – What Do I Do?

A large amount of organizations have shifted to working remotely, and it can be easy for members of your organization to fall victim to scam messages if your team doesn’t have a clear line of communication. At Masergy we have already seen attempts at attackers trying to get PII such as phone numbers while pretending to be another employee who needs to talk about an urgent work-related matter. There are dangers outside of COVID-19 related cybercrime that need to be considered when working from home as well. Ensure that your team members are working using a VPN service that is secure and supported by the organization. Provide training to your team that encourages users to ensure the devices they are working from are updated and secure, as well as guides to ensure their network is secure with best practices for their firewall and WiFi.

Sources Information in this article is derived from Sophos (1), Bloomberg (2), Looking Glass Cyber (3)

Source reliability Sophos, Bloomberg, Looking Glass: B (Usually Reliable) Minor doubts; history of mostly valid information

Information reliability – Sophos, Bloomberg, Looking Glass: 2 (Probably true) Logical, consistent with other relevant information, not confirmed

Highlights in Brief

Trickbot, Emotet Malware Use Coronavirus News to Evade Detection

Operators of TrickBot and Emotet Trojans are adding strings of Coronavirus news stories inside email attachments to hide cryptic binaries that may allow these malwares to bypass security software. By using a program called ‘crypter’, attackers are able to obfuscate or encrypt the malicious code before these malware files are distributed through emails. In this recent discovery, news stories are added to the malware’s file description that makes the malware appear to be harmless from antivirus software that use machine-learning or artificial intelligence to detect malicious programs. A few samples were discovered having strings taken from CNN news stories regarding the pandemic. “By and large, the Coronavirus strings being used by the malware crypter generator deploy public news content as a methodology to frustrate certain machine learning static file parser methodologies.” said Vitali Kremez, Head of SentinelLabs. The use of the pandemic as part of malware attack schemes has increased and evolved to new phishing scams, ransomware, and malware.

New Nefilim Ransomware Threatens to Release Victims’ Data

A new ransomware that has started to become active in the wild is threatening victims with releasing stolen data. Dubbed Nefilim, this ransomware shares much of the same code as Nemty with the key difference being Nefilim’s removal of the Ransomware-as-a-Service component in favor of relying on email communications for payment (as opposed to a Tor payment page). Nefilim recently became active at the end of February 2020. It is not yet known how this ransomware is being distributed but it is speculated to be spreading through exposed Remote Desktop Services. As of this writing, there is no means to recover files encrypted by Netfilim for free.

https://www.bleepingcomputer.com/news/security/trickbot-emotet-malware-use-coronavirus-news-to-evade-detection/
https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/

Malicious ‘Corona Anti-Virus’ Software Discovered

Researchers at Malwarebytes have unearthed a website advertising fake anti-virus software which claims it can protect people from contracting COVID-19. The site offers users the chance to download their software named ‘AI Corona Antivirus’ for the best possible protection against the current pandemic. According to the website the software was developed by a scientist from Harvard University. The fake software claimed that users will be protected against Covid-19 while the application is running. Researchers were able to determine that criminals use the malicious fake anti-virus software to distribute the BlackNet remote administration tool.

Forward Look

https://www.infosecurity-magazine.com/news/malicious-corona-antivirus/

Appendix A

Language of Uncertainty

Throughout this intelligence summary Masergy assessed probability using qualitative statements from the following defined matrix. To give the reader perspective, each statement is bounded by a probability range.

Qualitative statement Associated probability range
Remote or Highly unlikely <10%
Improbable or Unlikely 15-20%
Realistic Possibility 25-50%
Probable or Likely 55-70%
Highly/Very Probable/Likely 75-85%
Almost Certain >90%

Source Evaluation

Masergy evaluated sources using the two matrices defined below, scoring the reliability of source and that of the information gleaned from them.

Source Description
A Reliable Limited doubt about the source’s authenticity, trustworthiness, or competency; history of reliability
B Usually Reliable Minor doubts; history of mostly valid information
C Fairly Reliable Doubts; provided valid information in the past
D Not Usually Reliable Significant doubts; provided valid information in the past
E Unreliable Lacks authenticity, trustworthiness and competency; history of invalid information
F Cannot be judged Insufficient information to evaluate reliability; may or may not be reliable
Information Description
1 Confirmed Logical, consistent with other relevant information, corroborated by independent sources
2 Probably true Logical, consistent with other relevant information, not confirmed
3 Possibly true Reasonably logical, agrees with some relevant information, not confirmed
4 Doubtfully true Not logical but possible, no other information on the subject, not confirmed
5 Improbable Not logical, contradicted by other relevant information
6 Cannot be judged The validity of the information cannot be determined