Spammers are using the Coronavirus outbreak to spread malware via emails claiming to be “Offer information on how to defend against the real-world virus”, which attributed the campaign to Emotet.
Cybercriminals are taking advantage of global fears surrounding the deadly Coronavirus by sending out malware-laden emails supposedly offering guidance.
The strain of Coronavirus currently making its way around countries in Asia, Europe, and North America was first identified in Wuhan, China and is called the 2019 Novel Coronavirus (2019-nCoV).
Multiple email campaigns have been detected by security firms monitoring for the latest threats, all of which use coronavirus as a hook to try and get victims to open infected messages.
The emails are disguised as official notifications from public health centers and come with attachments that promise to provide more details on preventative measures against corona-virus infections.
Threat Type – Spam, Malware, Botnet
Overview
The subject of the emails, as well as the document filenames, are similar, but not identical. They have composed o different representations of the current date and the Japanese word for “notification”, in order to suggest urgency.
Kaspersky technologies have found malicious files disguised as documents related to the newly discovered coronavirus – a virus disease that has been at the top of media headlines due to its dangerous nature.
The discovered malicious files were masked under the guise of pdf, mp4 and Docx files about the coronavirus. The names of files imply that they contain video instructions on how to protect yourself from the virus, updates on the threat and even virus detection procedures, which is not actually the case.
In fact, these files contained a range of threats from Trojans to worms which are capable of destroying, blocking, modifying or copying data, as well as interfering with the operation of computers or computer networks.
“The coronavirus, which is being widely discussed as a major news story, has already been used as bait by cybercriminals,” said Anton Ivanov, Kaspersky malware analyst.
Scenario 1: Proactive Defense Mechanism on Email campaigns
Cybercriminals create phishing emails with this Coronavirus as the email subject or put in the email body to lure victims to click on links or download unwanted files.
Organizations must deploy strong policies and security teams must look for keywords on this on their email gateway. Since it’s easy to lure victims into a trap.
So organizations must be cautious about encountering emails with “Coronavirus” or “2019-nCoV” in body or subject or links. Train or circulate notice internally to your employees and understand the critical of it.
Proactive Measures – Email Gateway
. Block emails with the Subject contains “Coronavirus” or “2019-nCoV” from any external sources/unknown parties.
. Some organizations might internally send emails on these, which shouldn’t get blocked.
. Look for emails so far received with the subject name as “Coronavirus” or “2019-nCoV” and do have an investigation on the data or links in external emails.
. Look for emails so far received with “Coronavirus” or “2019-nCoV”embedded in the message body and do have an investigation on the data or links in external emails.
Scenario 2: Threat Hunting Hypothesis for newly registered domains
Already some threat actors started using these parameters to accomplish their objective. A recent threat actor “Vicious Panda: The COVID Campaign” – Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target.
The number of newly registered domains related to coronavirus has increased since the outbreak has become more widespread, with threat actors creating infrastructure to support malicious campaigns referring to COVID-19. It was observed as 5000+.
The initial spike in domain registrations coincided with a large spike in reported COVID-19 cases in mid-February — a possible indicator that attackers may have begun to realize the utility of COVID-19 as a cyberattack vector. Most domains are parked.
Proactive Measures
Create a rule to monitor these domains traffic in/out from your network. These newly registered domains are quite tricky and you do not know the intention unless targeted. As a proactive approach, look for these keywords in Proxy/DNS/Firewall logs. Concentrate on domain names, not on TLD and URLs.
Example:
www.corona-covid.com/coronavirus-update.html
The above parameters to understand:
“Corona-covid” is the domain name
“.com” is the TopLevelDoamin [TLD]
“/coronavirus-update.html” is the path [URL].
Altogether it’s a website.
Insights on creating defense:
1.) Create a use case for monitoring if anyone or any file is trying to call domain names with keywords as “corona” or “covid-2019”. But be careful this scenario not for URL or website, else it throws lots of false positives.
2.) Mainly on the domain destination scenarios. Only the domain names.
3.) Once we get alert, we can understand their DNS records/AAA records we can conclude as suspicious. It won’t create much noise but helps to detect some near-real-time Callback communication if any organization is already under Dwell-time.
Reference/IOCs:
- https://tld-list.com/tlds-from-az
- https://pastebin.com/Ye7VbiAT
- https://pastebin.com/YFai7KHA
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/coronavirus-used-in-spam-malware-file-names-and-malicious-domains
- https://www.performanta.com/resources/coronavirus-fears-exploited-by-newly-registered-domains/
- https://cybersecuritynews.com/fake-coronavirus-maps/
- https://gbhackers.com/malware-via-weaponized-coronavirus-lure-documents/
Conclusion
We expect to see more malicious email traffic based on the coronavirus in the future, as the infection spreads. This will probably include other languages too, depending on the impact the coronavirus outbreak has on the native speakers. In these first samples, Japanese victims were probably targeted due to their proximity to China. Unfortunately, it is quite common for threat actors to exploit basic human emotions such as fear – especially if a global event has already caused terror and panic.
Don’t rely on IOCs, hunt your network based on IOB [Indicators of Behaviors]. When the Offenders learn, we defenders evolve!!