Tuesday, July 16, 2024
EHA

CoronaVirus Cyber Attack Panic – Threat Actors Targets Victims Worldwide

Spammers are using the Coronavirus outbreak to spread malware via emails claiming to be “Offer information on how to defend against the real-world virus”, which attributed the campaign to Emotet.

Cybercriminals are taking advantage of global fears surrounding the deadly Coronavirus by sending out malware-laden emails supposedly offering guidance.

The strain of Coronavirus currently making its way around countries in Asia, Europe, and North America was first identified in Wuhan, China and is called the 2019 Novel Coronavirus (2019-nCoV).

Multiple email campaigns have been detected by security firms monitoring for the latest threats, all of which use coronavirus as a hook to try and get victims to open infected messages.

The emails are disguised as official notifications from public health centers and come with attachments that promise to provide more details on preventative measures against corona-virus infections.

Threat Type – Spam, Malware, Botnet

Overview

The subject of the emails, as well as the document filenames, are similar, but not identical. They have composed o different representations of the current date and the Japanese word for “notification”, in order to suggest urgency.

Kaspersky technologies have found malicious files disguised as documents related to the newly discovered coronavirus – a virus disease that has been at the top of media headlines due to its dangerous nature.

The discovered malicious files were masked under the guise of pdf, mp4 and Docx files about the coronavirus. The names of files imply that they contain video instructions on how to protect yourself from the virus, updates on the threat and even virus detection procedures, which is not actually the case.

In fact, these files contained a range of threats from Trojans to worms which are capable of destroying, blocking, modifying or copying data, as well as interfering with the operation of computers or computer networks.

“The coronavirus, which is being widely discussed as a major news story, has already been used as bait by cybercriminals,” said Anton Ivanov, Kaspersky malware analyst.

Scenario 1: Proactive Defense Mechanism on Email campaigns

Cybercriminals create phishing emails with this Coronavirus as the email subject or put in the email body to lure victims to click on links or download unwanted files.

Organizations must deploy strong policies and security teams must look for keywords on this on their email gateway. Since it’s easy to lure victims into a trap.

So organizations must be cautious about encountering emails with “Coronavirus” or “2019-nCoV” in body or subject or links. Train or circulate notice internally to your employees and understand the critical of it.

Proactive Measures – Email Gateway

. Block emails with the Subject contains “Coronavirus” or “2019-nCoV” from any external sources/unknown parties.
. Some organizations might internally send emails on these, which shouldn’t get blocked.
. Look for emails so far received with the subject name as “Coronavirus” or “2019-nCoV” and do have an investigation on the data or links in external emails.
. Look for emails so far received with “Coronavirus” or “2019-nCoV”embedded in the message body and do have an investigation on the data or links in external emails.

Scenario 2: Threat Hunting Hypothesis for newly registered domains

Already some threat actors started using these parameters to accomplish their objective. A recent threat actor “Vicious Panda: The COVID Campaign” – Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target.

The number of newly registered domains related to coronavirus has increased since the outbreak has become more widespread, with threat actors creating infrastructure to support malicious campaigns referring to COVID-19. It was observed as 5000+.

CoronaVirus Cyber Attack
Sample Domains

The initial spike in domain registrations coincided with a large spike in reported COVID-19 cases in mid-February — a possible indicator that attackers may have begun to realize the utility of COVID-19 as a cyberattack vector. Most domains are parked.

CoronaVirus Cyber Attack
CoronaVirus Cyber Attack

Proactive Measures

Create a rule to monitor these domains traffic in/out from your network. These newly registered domains are quite tricky and you do not know the intention unless targeted. As a proactive approach, look for these keywords in Proxy/DNS/Firewall logs. Concentrate on domain names, not on TLD and URLs.

Example:
www.corona-covid.com/coronavirus-update.html

The above parameters to understand:
      “Corona-covid” is the domain name
      “.com” is the TopLevelDoamin [TLD]
      “/coronavirus-update.html” is the path [URL].
      Altogether it’s a website.

Insights on creating defense:

1.) Create a use case for monitoring if anyone or any file is trying to call domain names with keywords as “corona” or “covid-2019”. But be careful this scenario not for URL or website, else it throws lots of false positives.
2.) Mainly on the domain destination scenarios. Only the domain names.
3.) Once we get alert, we can understand their DNS records/AAA records we can conclude as suspicious. It won’t create much noise but helps to detect some near-real-time Callback communication if any organization is already under Dwell-time.

Reference/IOCs:

Conclusion

          We expect to see more malicious email traffic based on the coronavirus in the future, as the infection spreads. This will probably include other languages too, depending on the impact the coronavirus outbreak has on the native speakers. In these first samples, Japanese victims were probably targeted due to their proximity to China. Unfortunately, it is quite common for threat actors to exploit basic human emotions such as fear – especially if a global event has already caused terror and panic.

Don’t rely on IOCs, hunt your network based on IOB [Indicators of Behaviors]. When the Offenders learn, we defenders evolve!!

Website

Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles