Cyberattacks exploiting COVID-19

30.04.2020

The disease COVID-19 is being used as a hook for malicious social engineering campaigns, including spam, malware, ransomware and malicious domains. As the number of cases continues to grow by thousands, the campaigns that use the disease as a lure are also on the up. Panda researchers constantly search for samples in malicious coronavirus-related campaigns.

Coronavirus related spam

Panda researchers have detected emails sent and received all over the world, including countries such as the United States, Japan, Russia, and China. Many of these emails, supposedly from official organizations, claim to contain updates and recommendations related to the disease. Like most spam campaigns, they also include malicious attachments or website links.

One example is a spam campaign with“Corona Virus Latest Updates”as the subject, purported to be sent from the Ministry of Health. It contains recommendations about how to prevent infection and comes with an attachment that supposedly contains the latest updates about COVID-19. However, it actually contains a piece of malware.

Other emails used in these campaigns, are related to product deliveries, which have supposedly been delayed or modified because of the spread of the disease.

The following email in Italian refers to important information about the virus:

The following email in Portuguese promises news about a supposed vaccine for COVID-19.

There have been cases of Spam emails mentioning a cure for coronavirus in the subject, using this to try to get people to download the malicious attachment. This malicious attachment is sometimes HawkEye Reborn, a variant of the HawkEye Trojan, which steals information.

Indicators of compromise for the malicious attachment

The Indicators of compromise in this case are:

Another spam campaign has been seen targeting users in Italy, a country hit hard by the pandemic. This campaign includes “Coronavirus: important information on precautions” both in the subject and the body of the email. In the body of the email, the sender claims that the attachment is a document from the World Health Organization (WHO) and strongly recommends that readers download the compromised Microsoft Word attachment. The malicious file contains a Trojan.

When the document is opened, the following message is shown, prompting users to enable macros:

Indicators of compromise (IOCs)

Malware & CoronaVirus Ransomware

Thanks to our 100% attestation service, Panda laboratories has managed to identify and block the following malicious executables related to these campaigns:

Other researchers have seen cybercriminals taking advantage of online coronavirus monitoring maps, replacing them with fake websites that facilitate the download and installation of malware. Below are the hashes for these malicious applications:

A new variant of CoronaVirus ransomware was using a fake system optimization site to spread. Victims unknowingly download the WSGSetup.exe file from the fake site. This file acts as a downloader for two kinds of malware: The CoronaVirus ransomware and the password stealing Trojan Kpot.

This campaign is part of a recent trend seen in ransomware: it combines data encryption with information theft.

What’s more, another piece of ransomware, this time affecting mobile users, called CovidLock has also been spotted. This ransomware comes from a malicious Android app that supposedly helps track COVID-19 cases. The ransomware blocks its victims’ cellphones, giving them 48 hours to pay $100 in bitcoins to regain access to their phones. Threats include deleting all the data on the phone and leaking details from their social media accounts.

Domains related to Coronavirus

There has also been a notable increase in the number of domain names using the word ‘corona’. Below, we list some of the malicious domains:

How these attacks work

The fact is that all these attacks use entry vectors that could be considered “traditional”. At Panda, we have these vectors more than covered with our Panda Endpoint Solutions. In these cases, the mechanisms used to detect and block the threats are the following:

  • This service classifies every binary, only allowing it to execute if it is verified by our cloud-based artificial intelligence system, the managed 100% attestation service
  • Endpoint detection technologies, especially the detection of Indicators of Attack (IoA) by behavior and context.

From what we are seeing in our laboratories, the most common attack cycle is email/spam using social engineering technologies. These emails contain a dropper that downloads a binary here:

C:\Users\user\AppData\Local\Temp\qeSw.exe with the hash 258ED03A6E4D9012F8102C635A5E3DCD. In Panda’s solutions, the detection for the dropper is a Trj/GdSda.A.

This binary encrypts the machine (process: vssadmin.exe) and deletes the shadow copies by invoking the process conhost.exe.

Official sources of IoCs

The Spanish National Cryptographic Center (https://www.ccn.cni.es/index.php/es/) has an exhaustive list of indicators of compromise (IoCs) at the level of hashes, IPs, and domains.

The information can be accessed here: https://loreto.ccn-cert.cni.es/index.php/s/oDcNr5Jqqpd5cjn

How to defend yourself against these and other cyberthreats

Thanks to the 100% attestation service, which classifies all binaries before they can run, and blocks any malicious binaries, Panda’s advanced endpoint solutions are undoubtedly of great value in stopping these campaigns, as well as many others.

This service enables a highly efficient and unmanned mechanism for detecting and blocking malware and ransomware, even before it can run, regardless of whether they are new variants or new download domains, as is the case with the malware variants related to COVID-19.

Behavioral and contextual indicators of attack (IoAs) detect and block unusual behaviors on protected devices. These behaviors could include downloading an executable from a Word or accessing an unknown or malicious URL. Any attempt to compromise the device is immediately blocked, and the execution and connection of these malicious activities are stopped.