Thursday, March 28, 2024

CoronaVirus Cyber Attack Panic – Threat Actors Targets Victims Worldwide

Spammers are using the Coronavirus outbreak to spread malware via emails claiming to be “Offer information on how to defend against the real-world virus”, which attributed the campaign to Emotet.

Cybercriminals are taking advantage of global fears surrounding the deadly Coronavirus by sending out malware-laden emails supposedly offering guidance.

The strain of Coronavirus currently making its way around countries in Asia, Europe, and North America was first identified in Wuhan, China and is called the 2019 Novel Coronavirus (2019-nCoV).

Multiple email campaigns have been detected by security firms monitoring for the latest threats, all of which use coronavirus as a hook to try and get victims to open infected messages.

The emails are disguised as official notifications from public health centers and come with attachments that promise to provide more details on preventative measures against corona-virus infections.

Threat Type – Spam, Malware, Botnet

Overview

The subject of the emails, as well as the document filenames, are similar, but not identical. They have composed o different representations of the current date and the Japanese word for “notification”, in order to suggest urgency.

Kaspersky technologies have found malicious files disguised as documents related to the newly discovered coronavirus – a virus disease that has been at the top of media headlines due to its dangerous nature.

The discovered malicious files were masked under the guise of pdf, mp4 and Docx files about the coronavirus. The names of files imply that they contain video instructions on how to protect yourself from the virus, updates on the threat and even virus detection procedures, which is not actually the case.

In fact, these files contained a range of threats from Trojans to worms which are capable of destroying, blocking, modifying or copying data, as well as interfering with the operation of computers or computer networks.

“The coronavirus, which is being widely discussed as a major news story, has already been used as bait by cybercriminals,” said Anton Ivanov, Kaspersky malware analyst.

Scenario 1: Proactive Defense Mechanism on Email campaigns

Cybercriminals create phishing emails with this Coronavirus as the email subject or put in the email body to lure victims to click on links or download unwanted files.

Organizations must deploy strong policies and security teams must look for keywords on this on their email gateway. Since it’s easy to lure victims into a trap.

So organizations must be cautious about encountering emails with “Coronavirus” or “2019-nCoV” in body or subject or links. Train or circulate notice internally to your employees and understand the critical of it.

Proactive Measures – Email Gateway

. Block emails with the Subject contains “Coronavirus” or “2019-nCoV” from any external sources/unknown parties.
. Some organizations might internally send emails on these, which shouldn’t get blocked.
. Look for emails so far received with the subject name as “Coronavirus” or “2019-nCoV” and do have an investigation on the data or links in external emails.
. Look for emails so far received with “Coronavirus” or “2019-nCoV”embedded in the message body and do have an investigation on the data or links in external emails.

Scenario 2: Threat Hunting Hypothesis for newly registered domains

Already some threat actors started using these parameters to accomplish their objective. A recent threat actor “Vicious Panda: The COVID Campaign” – Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target.

The number of newly registered domains related to coronavirus has increased since the outbreak has become more widespread, with threat actors creating infrastructure to support malicious campaigns referring to COVID-19. It was observed as 5000+.

CoronaVirus Cyber Attack
Sample Domains

The initial spike in domain registrations coincided with a large spike in reported COVID-19 cases in mid-February — a possible indicator that attackers may have begun to realize the utility of COVID-19 as a cyberattack vector. Most domains are parked.

CoronaVirus Cyber Attack
CoronaVirus Cyber Attack

Proactive Measures

Create a rule to monitor these domains traffic in/out from your network. These newly registered domains are quite tricky and you do not know the intention unless targeted. As a proactive approach, look for these keywords in Proxy/DNS/Firewall logs. Concentrate on domain names, not on TLD and URLs.

Example:
www.corona-covid.com/coronavirus-update.html

The above parameters to understand:
      “Corona-covid” is the domain name
      “.com” is the TopLevelDoamin [TLD]
      “/coronavirus-update.html” is the path [URL].
      Altogether it’s a website.

Insights on creating defense:

1.) Create a use case for monitoring if anyone or any file is trying to call domain names with keywords as “corona” or “covid-2019”. But be careful this scenario not for URL or website, else it throws lots of false positives.
2.) Mainly on the domain destination scenarios. Only the domain names.
3.) Once we get alert, we can understand their DNS records/AAA records we can conclude as suspicious. It won’t create much noise but helps to detect some near-real-time Callback communication if any organization is already under Dwell-time.

Reference/IOCs:

Conclusion

          We expect to see more malicious email traffic based on the coronavirus in the future, as the infection spreads. This will probably include other languages too, depending on the impact the coronavirus outbreak has on the native speakers. In these first samples, Japanese victims were probably targeted due to their proximity to China. Unfortunately, it is quite common for threat actors to exploit basic human emotions such as fear – especially if a global event has already caused terror and panic.

Don’t rely on IOCs, hunt your network based on IOB [Indicators of Behaviors]. When the Offenders learn, we defenders evolve!!

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles