Tuesday, December 3, 2024

CoronaVirus Cyber Attack Panic – Threat Actors Targets Victims Worldwide


Spammers are using the Coronavirus outbreak to spread malware via emails that claim to offer information on how to defend against the real-world virus; researchers have attributed the campaign to Emotet.

Cybercriminals are taking advantage of global fears surrounding the deadly Coronavirus by sending out malware-laden emails supposedly offering guidance.

The strain of Coronavirus currently making its way around countries in Asia, Europe, and North America was first identified in Wuhan, China and is called the 2019 Novel Coronavirus (2019-nCoV).


Multiple email campaigns have been detected by security firms monitoring for the latest threats, all of which use coronavirus as a hook to try and get victims to open infected messages.

The emails are disguised as official notifications from public health centers and come with attachments that promise to provide more details on preventative measures against corona-virus infections.

Threat Type – Spam, Malware, Botnet

Overview

The subjects of the emails, as well as the document filenames, are similar but not identical. They are composed of different representations of the current date and the Japanese word for “notification”, in order to suggest urgency.

Kaspersky technologies have found malicious files disguised as documents related to the newly discovered coronavirus – a virus disease that has been at the top of media headlines due to its dangerous nature.

The discovered malicious files were masked under the guise of pdf, mp4 and Docx files about the coronavirus. The names of files imply that they contain video instructions on how to protect yourself from the virus, updates on the threat and even virus detection procedures, which is not actually the case.

In fact, these files contained a range of threats from Trojans to worms which are capable of destroying, blocking, modifying or copying data, as well as interfering with the operation of computers or computer networks.

“The coronavirus, which is being widely discussed as a major news story, has already been used as bait by cybercriminals,” said Anton Ivanov, Kaspersky malware analyst.

Scenario 1: Proactive Defense Mechanism on Email campaigns

Cybercriminals create phishing emails with this Coronavirus as the email subject or put in the email body to lure victims to click on links or download unwanted files.

Organizations must deploy strong policies, and security teams must look for these keywords on their email gateway, since it is easy to lure victims into a trap with them.

Organizations must therefore be cautious about emails with “Coronavirus” or “2019-nCoV” in the subject, body or links. Train your employees, or circulate a notice internally, so that they understand how critical this is.

Proactive Measures – Email Gateway

. Block emails whose subject contains “Coronavirus” or “2019-nCoV” when they come from external sources or unknown parties.
. Some organizations will legitimately send internal emails on this topic; those should not be blocked.
. Look for emails already received with “Coronavirus” or “2019-nCoV” in the subject and investigate the attachments and links in any that came from external senders.
. Look for emails already received with “Coronavirus” or “2019-nCoV” embedded in the message body and investigate the attachments and links in any that came from external senders.
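One way to express the four gateway rules above as a single triage routine. This is an added example, not code from the original article or from any gateway product: the internal domain `example.com`, the sender addresses and the message texts are constructed for the demonstration. The routine blocks external mail with a lure term in the subject, flags external mail with a lure term in the body or in a link for investigation, and leaves internal mail alone.

```python
import re
from email.utils import parseaddr

# Lure terms the article tells gateways to watch for (case-insensitive).
LURE_TERMS = re.compile(r"coronavirus|2019-ncov", re.IGNORECASE)

# Assumption: the organization's own mail domains. Internal advisories
# about the virus are legitimate and must not be blocked.
INTERNAL_DOMAINS = {"example.com"}

# Crude link extractor for the message body (good enough for plain text).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From: header, lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def triage_email(from_header: str, subject: str, body: str,
                 internal_domains=INTERNAL_DOMAINS):
    """Return (action, reason, links) where action is
    'allow', 'block' or 'investigate'."""
    external = sender_domain(from_header) not in internal_domains
    links = URL_RE.findall(body)

    if not external:
        # Rule 2: internal senders may discuss the topic freely.
        return ("allow", "internal sender", links)
    if LURE_TERMS.search(subject):
        # Rule 1: external sender + lure term in subject -> block outright.
        return ("block", "external sender with lure term in subject", links)
    if LURE_TERMS.search(body) or any(LURE_TERMS.search(u) for u in links):
        # Rules 3/4: lure term in body or link -> queue for analyst review.
        return ("investigate", "external sender with lure term in body or link", links)
    return ("allow", "no lure terms", links)


# Constructed sample messages (not real campaign samples).
SAMPLE_MESSAGES = [
    ("alerts@health-notice.example.net",
     "Coronavirus: updated guidance for employees",
     "Please read the attached guidance: http://health-notice.example.net/guide.docx"),
    ("IT Security <it-sec@example.com>",
     "Coronavirus phishing advisory",
     "Do not open unexpected attachments about the outbreak."),
    ("vendor@supplier.example.org",
     "Invoice 4471",
     "See the 2019-nCoV safety notice at http://health-notice.example.net/update.docx"),
    ("vendor@supplier.example.org",
     "Meeting on Thursday",
     "Agenda attached."),
]


def triage_all(messages):
    """Apply triage_email to a list of (from, subject, body) tuples."""
    return [triage_email(f, s, b) for f, s, b in messages]


if __name__ == "__main__":
    for (sender, subject, _), (action, reason, links) in zip(
            SAMPLE_MESSAGES, triage_all(SAMPLE_MESSAGES)):
        print(f"{action:12} {sender:40} {subject!r}  ({reason}; links={links})")
```

The internal-sender check is only as good as the gateway's sender authentication: a forged From: header that names your own domain would pass as internal unless SPF, DKIM and DMARC results are enforced before this logic runs, so in production the `external` decision should be driven by the authentication verdict, not by the header text alone.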

Scenario 2: Threat Hunting Hypothesis for newly registered domains

Some threat actors have already started using this theme to accomplish their objectives. In a recent campaign, “Vicious Panda: The COVID Campaign”, Check Point Research discovered a new operation against the Mongolian public sector that takes advantage of the current Coronavirus scare in order to deliver a previously unknown malware implant to the target.

The number of newly registered domains related to coronavirus has increased as the outbreak has become more widespread, with threat actors creating infrastructure to support malicious campaigns referring to COVID-19. More than 5,000 such domains were observed.

[Figure: sample coronavirus-themed domains]

The initial spike in domain registrations coincided with a large spike in reported COVID-19 cases in mid-February — a possible indicator that attackers may have begun to realize the utility of COVID-19 as a cyberattack vector. Most domains are parked.


Proactive Measures

Create a rule to monitor traffic to and from these domains, inbound and outbound. Newly registered domains are tricky: you do not know their intent until you are targeted. As a proactive approach, look for these keywords in Proxy/DNS/Firewall logs, and concentrate on the domain name, not on the TLD or the URL path.

Example:
www.corona-covid.com/coronavirus-update.html

The parts of the above address are:
      “corona-covid” is the domain name
      “.com” is the Top-Level Domain [TLD]
      “/coronavirus-update.html” is the path [URL]
      Altogether, it is a website address.

Insights on creating defense:

1.) Create a use case that alerts when any user or any file tries to reach a domain name containing the keywords “corona” or “covid-2019”. Be careful to apply this to the domain name only, not to the full URL or website path, or it will generate a lot of false positives.
2.) Focus on the destination domain: only the domain names.
3.) Once an alert fires, review the domain's DNS A/AAAA records and registration details to decide whether it is suspicious. This rule creates little noise, yet it can detect near-real-time callback communication if the organization is already compromised and the attacker is in their dwell-time period.
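The hunt described in the three points above, as an added example rather than code from the original article: it reads constructed proxy/DNS-style log lines, reduces each destination to its registrable domain label (dropping subdomains, the TLD and the URL path) and matches the keywords against that label only, so `news.example.com/coronavirus-update.html` does not alert while `www.corona-covid.com` does. The log format, the keyword list and the short list of multi-label public suffixes are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Keywords to match against the registrable domain label only.
# Assumption: illustrative list, tune it to your environment.
KEYWORDS = re.compile(r"corona|covid", re.IGNORECASE)

# Assumption: a tiny stand-in for the Public Suffix List so that
# "covid19-tracker.co.uk" reduces to "covid19-tracker", not "co".
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "co.in"}


def host_from_field(field: str) -> str:
    """Accept a bare hostname (DNS/firewall log) or a URL (proxy log),
    with or without a scheme, and return just the hostname."""
    if "://" in field:
        return urlsplit(field).hostname or ""
    # Scheme-less proxy entry: cut the path, then any port.
    return field.split("/", 1)[0].split(":", 1)[0]


def registered_label(host: str) -> str:
    """Second-level label of a hostname: no subdomains, no TLD."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0]
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2]


def hunt(lines):
    """Return (timestamp, source, host, label) for every line whose
    registrable domain label contains a keyword."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; assumed format is "ts src dest [...]"
        ts, src, dest = parts[0], parts[1], parts[2]
        host = host_from_field(dest)
        label = registered_label(host)
        if KEYWORDS.search(label):
            hits.append((ts, src, host, label))
    return hits


# Constructed sample log lines (not real traffic), format: ts src dest [method]
SAMPLE_LOGS = [
    "2020-03-12T09:01:02Z 10.0.0.5 www.corona-covid.com/coronavirus-update.html GET",
    "2020-03-12T09:01:05Z 10.0.0.7 news.example.com/coronavirus-update.html GET",
    "2020-03-12T09:02:11Z 10.0.0.9 covid19-tracker.co.uk",
    "2020-03-12T09:02:30Z 10.0.0.9 cdn.example.net/assets/app.js GET",
    "2020-03-12T09:03:00Z 10.0.0.11 https://update.example.org:443/corona/latest GET",
]

if __name__ == "__main__":
    for ts, src, host, label in hunt(SAMPLE_LOGS):
        print(f"{ts} {src} -> {host}  (label={label})")
```

Only two of the five lines alert: the ones whose registrable label carries the keyword. The three lines that mention the virus only in the path, or not at all, are ignored, which is exactly the false-positive reduction the article asks for. Each hit is a lead, not a verdict; the analyst still needs the domain's age, registrar and DNS records before calling it malicious.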

Reference/IOCs:

Conclusion

We expect to see more malicious email traffic based on the coronavirus in the future, as the infection spreads. This will probably include other languages too, depending on the impact the coronavirus outbreak has on the native speakers. In these first samples, Japanese victims were probably targeted due to their proximity to China. Unfortunately, it is quite common for threat actors to exploit basic human emotions such as fear, especially if a global event has already caused terror and panic.

Don’t rely on IOCs, hunt your network based on IOB [Indicators of Behaviors]. When the Offenders learn, we defenders evolve!!
