These days, when the world is focused on getting a handle on the COVID-19 crisis, cybercriminals are weaponizing our fears and our desire for information to further their malicious goals and to cause as much harm and disruption as possible. As a result, we are witnessing all kinds of attacks that leverage the Coronavirus or COVID-19 name.
The situation is so inhumane and disturbing that it has forced both the FBI and INTERPOL to issue security warnings. INTERPOL warned “the public to exercise caution when buying medical supplies online” because criminals are taking advantage of the public health emergency to “run a range of financial scams.” Instead of receiving the promised masks and supplies, unsuspecting victims have seen their money disappear into the hands of the criminals involved. According to INTERPOL, the scams include telephone fraud and phishing emails “claiming to be from national or global health authorities, with the aim of tricking victims to provide personal credentials or payment details, or to open an attachment containing malware.”
At the same time, the FBI has issued another warning of increased COVID-19-related frauds. The announcement urges people to be alert to phony messages claiming to be from the Centers for Disease Control (CDC) “claiming to offer information on the virus”, phishing emails asking people “to verify [their] personal information in order to receive an economic stimulus check from the government,” and offers of phony COVID-19 treatment “that claim to prevent, treat, diagnose, or cure COVID-19.”
Some of these malicious actors really have a twisted sense of humor. Researchers from CyberArk discovered a new type of ransomware named “CoronaVirus”. This malware spreads through a phishing website, WiseCleaner[.]best, built to resemble WiseCleaner.com, a site that provides free system utilities for Windows to improve computer performance. The ransomware is distributed alongside KPot, also known as Khalesi, an infostealer popular in the underground community.
The ransomware is delivered when a user visits the fake website and downloads the malicious file “WSHSetup.exe.” WSHSetup.exe is a downloader and constitutes the first stage of the infection. Once run, it downloads the KPot stealer—an information stealer that focuses on exfiltrating account information from web browsers, instant messengers, email, VPN, RDP, FTP, cryptocurrency and gaming software—and the CoronaVirus ransomware.
Figure 1: CoronaVirus ransomware. Image courtesy of CyberArk
On March 19, 2020, IBM X-Force detected a campaign that emitted several waves of phishing emails purporting to originate from the World Health Organization (WHO) as a whole or from Dr. Tedros Adhanom Ghebreyesus, Director-General of WHO.
Figure 2: Spoofed WHO email. Source: IBM X-Force
The emails instructed recipients to open an attachment in order to receive updated instructions on how to fight the coronavirus. The attachment was an archive that, when opened, revealed “Coronavirus Disease (Covid-19) CURE.exe.” When run, this executable loaded HawkEye, a keylogger capable of intercepting keystrokes, stealing credentials, taking screenshots, and exfiltrating the stolen data.
Meanwhile, the security firm AppRiver found cybercriminals targeting at-home employees with messages that notify workers of a positive COVID-19 test within their organization. The messages contain malicious attachments disguised as protocols that the company is undertaking as well as a "flyer" that recipients are asked to open, read and print out, according to AppRiver.
In another instance, the same security firm discovered a phishing campaign that poses as an alert from the CDC and appears to have wider distribution. The email, which is made to appear as if it comes from the Centers for Disease Control and Prevention, claims to provide a list of Novel Corona cases “around your city” and advises the recipient to go through the cases to avoid exposure to the virus. However, the links in the message lead to a phony OWA login page designed to harvest email credentials.
Figure 3: CDC scam message. Source: AppRiver
Another website, “coronavirusmedicalkit.com,” purported to give away free vaccine kits that it claimed were manufactured by the World Health Organization (WHO), according to Department of Justice court documents. In reality, the website operators were running a wire fraud scheme. They first asked buyers to enter their payment card information on the website to pay a shipping charge of $4.95. They would then steal that credit card and personal information to carry out fraudulent purchases and identity theft.
It is very important these days to follow the experts’ advice to remain safe. While following basic hygiene rules and staying at home are the cornerstones for containing the virus and flattening the curve, it is of equal importance to remain vigilant and follow the basic cyber hygiene rules. As INTERPOL and the FBI have reminded us:
In addition, it is crucial to safeguard the certificates and encryption keys that protect our machines and assets. Should these valuable assets fall into the hands of criminals, they will be turned into weapons against us. These actors can use compromised machine identities to create phony websites or to encrypt their movements within our organization and escape detection.
If you spot a coronavirus scam, you can let us know by reaching out on Twitter.