Avoid COVID-19 Scams and Phishing Attacks - ThreatWire
Added 2020-03-17 17:04:19 +0000 UTC
There are a lot of scams and phishing campaigns happening right now related to COVID-19, so it’s important to be mindful of any potential for an attack. Here are just a few of the ways that criminals are using the current panic to take advantage of unsuspecting individuals.
A “coronavirus map” was acting as a trojan horse to install malware on end-user machines, where it could steal passwords, user names, and more. Reason Labs security researcher Shai Alfasi analyzed malware that MalwareHunterTeam found hidden inside a downloadable coronavirus map application; the malware could steal credentials stored in the browser on the victim’s machine. The map itself shows current infections on a world view. Once the map application is downloaded, the bundled malware, an information stealer called AZORult, siphons off browsing history, cookies, IDs and passwords, cryptocurrency and whatever else it can get its hands on. This malware is not new: it was first discovered in 2016, and it is commonly found on Russian underground forums. AZORult comes in a few variants, one of which can create an admin account on the infected machine, which can allow the attacker to connect via RDP.
The malware is embedded in Corona-virus-map.com.exe, downloaded as a Win32 executable file with a small payload of less than 4 megabytes. If you want to stay aware of current totals, don’t download anything; simply pay a visit to Johns Hopkins University online to see a map that is actively being updated. That link is below.
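The file name above is a classic lure: the real extension is `.exe`, but the `.com` in front of it makes the name look like a web address. As an added example that is not part of the ThreatWire episode, here is a small defensive triage heuristic that flags downloaded file names with that kind of deceptive double extension, or an executable named after the outbreak theme. The keyword list, decoy-suffix list and sample file names are constructed for illustration; only `Corona-virus-map.com.exe` comes from the page.

```python
"""Triage heuristic for download file names (constructed example, not ThreatWire's code)."""

# Extensions Windows or Android will actually run. ".com" appears here as well as in
# DECOY_SUFFIXES because it is both a DOS executable suffix and a look-alike for a TLD.
EXECUTABLE_SUFFIXES = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "msi", "apk"}

# Suffixes an attacker places just before the real extension so the name reads as a
# document, image or domain name ("report.pdf.exe", "corona-virus-map.com.exe").
DECOY_SUFFIXES = {"com", "org", "net", "pdf", "doc", "docx", "xls", "xlsx",
                  "jpg", "png", "txt", "html"}

# Theme words seen in the lures described in the episode (assumed list).
LURE_KEYWORDS = ("corona", "covid", "virus-map", "outbreak", "pandemic")


def assess_download(filename: str) -> list[str]:
    """Return the reasons a file name looks like a themed malware lure (empty if none)."""
    reasons = []
    name = filename.strip().lower()
    parts = name.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    is_executable = ext in EXECUTABLE_SUFFIXES

    # Executable hiding behind a decoy suffix, e.g. "...map.com.exe"
    if is_executable and len(parts) >= 3 and parts[-2] in DECOY_SUFFIXES:
        reasons.append(
            f"double extension .{parts[-2]}.{ext} disguises an executable as a "
            f".{parts[-2]} file or web address"
        )

    # Executable whose name trades on the outbreak to get a click
    if is_executable and any(word in name for word in LURE_KEYWORDS):
        reasons.append("executable named after a COVID-19 lure theme")

    return reasons


def triage(filenames: list[str]) -> dict[str, list[str]]:
    """Map each flagged file name to its reasons; clean names are omitted."""
    return {f: r for f in filenames if (r := assess_download(f))}


if __name__ == "__main__":
    # Constructed sample downloads; only the first name is taken from the episode.
    samples = [
        "Corona-virus-map.com.exe",
        "COVID19 Tracker.apk",
        "invoice.pdf.exe",
        "quarterly-report.pdf",
        "setup.exe",
    ]
    for name, reasons in triage(samples).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The heuristic only looks at the name a user sees, so it is a first-pass filter for a mail gateway or download folder scan, not a substitute for scanning the file itself; a plain `setup.exe` passes because nothing in its name is deceptive.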
This, and other downloads, may be sent in “chain mail” that incites an emotional response.
In one example, an advanced persistent threat group is using COVID-19 to spread malware in a campaign dubbed “Vicious Panda”. Researchers with Check Point Research state that this attack uses two Rich Text Format (RTF) files to target Mongolian public sector workers. It is sent via email and, once opened, can screenshot the device and send the attacker lists of files, directories and more. The email urges Mongolian workers to inform victims about infections of the pandemic, and the campaign appears to originate from a Chinese hacking group.
Another attack, attributed to the Russian hacking group called Hades, was carried out in February using a backdoor trojan to spread disinformation.
And lastly, an app called COVID19 Tracker is actually ransomware, not the outbreak map tracker it pretends to be. The ransomware demands $100 in bitcoin within 48 hours, or else everything on your phone will be erased and “social media accounts will be leaked publicly”, whatever that means. This one is hosted on a website rather than the Google Play store, but Android users could download it if directed there. It requests access to the lock screen and accessibility settings, and “CovidLock” then locks the screen with a ransom note. Users on Android 7 and later can unlock with a password, which appears to bypass the ransomware. This one is avoidable by strictly downloading apps from the Google Play store and keeping your OS updated.
These kinds of attacks will likely ramp up in frequency as more users work from home and cybercriminals start targeting folks who would usually be on a secure internal company network. Keep an eye out for suspicious emails or attachments and don’t download them. Double-check that any charity is a legitimate one before donating money. And lastly, if you see random Facebook groups or data shared on Twitter, make sure it’s legit and not a misinformation campaign. It’s important to take strides to protect yourself not only physically, but in the connected world as well.
Support me on alternative platforms! https://snubsie.com/support
Shop ThreatWire Merch! - https://snubsie.com/shop
https://www.youtube.com/shannonmorse -- subscribe to my new channel!
ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire
Links:
https://thehackernews.com/2020/03/coronavirus-maps-covid-19.html
https://krebsonsecurity.com/2020/03/live-coronavirus-map-used-to-spread-malware/
https://www.wired.com/story/coronavirus-phishing-ad-fraud-clearview-security-news/
https://www.cnet.com/how-to/online-coronavirus-scams-are-here-watch-out-for-these-red-flags/
https://threatpost.com/coronavirus-apt-attack-malware/153697/