Cashing in on Covid-19

The pandemic provides the perfect cover for malefactors, according to Trend Micro. 


Bad actors are using the Covid-19 pandemic as cover to launch a slew of campaigns that include email spam, business email compromises, malware and ransomware, and malicious domains.

As the number of people infected with coronavirus continues to soar, campaigns using the disease as a lure are on the rise. Researchers from Trend Micro are periodically sourcing samples of malicious campaigns related to the virus, as well as detections from other researchers.

According to the cyber security vendor, the use of current events as cover for malicious attacks is nothing new.

Malicious domains have been purposefully using Covid-19 as a lure for users. The domains are normally part of phishing scams or schemes that deliver malware to users’ systems. As the virus dominates headlines, Trend Micro’s web reputation services team notes these domains growing in number and adapting their tactics to the latest news about the virus.

Attackers also know that many individuals around the world are in lockdown and looking for ways to entertain themselves online, and that they may unwittingly use fake streaming sites, or sites offering entertainment or promotions.

Another domain spotted by Trend Micro was a fake website that may target UK PayPal users’ credentials. The site’s URL format raises a red flag that it’s possibly malicious, it said, and that the domain probably doesn’t belong to PayPal. Users are advised to check suspect sites by comparing them to the official website or social media account for any news that they have new domains up and running.
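The advice above amounts to checking whether the part of the hostname the registrant actually controls belongs to the brand the page claims to be. The following Python is an added example, not Trend Micro's tooling, that applies that check to a URL: it extracts the registrable domain, compares it against a constructed allowlist of official brand domains (assumed here, not taken from PayPal), and also flags two other red flags common in lure URLs, a bare IP address as host and `user@` credentials placed before the host.

```python
from urllib.parse import urlparse

# Constructed allowlist for the example: a brand keyword and the registrable
# domains assumed to belong to that brand. A real deployment would take this
# from the organisation's published list of domains rather than hard-code it.
OFFICIAL_DOMAINS = {
    "paypal": {"paypal.com", "paypal.co.uk"},
}

# Minimal stand-in for the public suffix list; enough for this example.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.za"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True for a dotted-quad IPv4 host such as 192.0.2.10."""
    labels = host.split(".")
    return len(labels) == 4 and all(label.isdigit() for label in labels)


def assess_url(url: str) -> dict:
    """Flag a URL whose brand keyword sits outside the brand's own domain."""
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []

    if is_ip_literal(host):
        reasons.append("host is a bare IP address, not a brand's domain")
        reg = host
    else:
        reg = registrable_domain(host)

    # "https://paypal.com@evil.example/" shows the brand but connects to evil.example.
    if parsed.username is not None:
        reasons.append("URL carries user@ credentials before the host")

    # Look for the brand keyword in the host and path; it is only legitimate
    # when the registrable domain is one of the brand's official domains.
    text = host + parsed.path.lower()
    for brand, official in OFFICIAL_DOMAINS.items():
        if brand in text and reg not in official:
            reasons.append(
                f"'{brand}' appears in the URL but the registrable domain is {reg!r}"
            )

    return {
        "url": url,
        "host": host,
        "registrable_domain": reg,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample URLs; the lure-style ones use reserved example domains.
    for sample in [
        "https://www.paypal.com/uk/signin",
        "https://www.paypal.co.uk/",
        "http://paypal.co.uk.covid19-verify.example/login",
        "http://192.0.2.10/paypal/login",
        "https://paypal.com@evil.example/",
    ]:
        result = assess_url(sample)
        print(result["suspicious"], sample, result["reasons"])
```

The check is deliberately conservative: a multi-label subdomain such as `paypal.co.uk.covid19-verify.example` is reported because its registrable domain is `covid19-verify.example`, while the genuine `www.paypal.co.uk` passes because `co.uk` is treated as a suffix. A production version would replace the two hard-coded sets with the public suffix list and the organisation's own domain inventory.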

Researchers report two websites promoting an app – one of which is still active – that can supposedly protect users from the virus. The sites claim that their app, called ‘Corona Antivirus’, is a result of the work of scientists from Harvard University. Installing it will infect the system with BlackNET RAT malware, which will then add the infected devices to a botnet. Through this botnet, attackers can launch DDoS attacks, upload files to the device, execute scripts, take screenshots, harvest keystrokes, steal Bitcoin wallets, and collect browser cookies and passwords.

Beware of spam

However, fake sites are far from the only offender, with Trend Micro saying spam is the main culprit. It says nearly 70% of all the threats leveraging Covid-19 are spam messages.

The security giant has examined email samples from all over the globe, including the US, Japan, Russia, and China. Many of the emails claim to come from official organisations and contain updates and recommendations related to the virus; many also include malicious links and attachments.

One such email has the subject line ‘Corona Virus Latest Updates’, and claims to have been sent from the ‘Ministry of Health’. It contains recommendations on how to prevent infection and has a malware-laden attachment purportedly containing the latest updates on the virus.

Other spam emails were related to shipping transactions, either postponed due to the spread of the disease or ones that claim to offer a shipping update. There were also other samples in Italian and Portuguese, the former claiming to contain important information about the virus, while the latter discusses a supposed vaccine.


Researchers found another email spam sample targeting China and Italy that mentioned a cure for the virus in the email subject line as a lure for downloading the malicious attachment. Further scrutiny found the payload sample from the attachment is HawkEye Reborn, a newer variant of the HawkEye trojan that steals data.

Taking aim at business

Other samples of email spam targeting Italy have been found, but in these cases, mentions of the disease were not found in the email subject line, but in the URL. The subject line contains the word 'fattura', meaning invoice in Italian, with the invoice number and date. These emails have attachments that execute a PowerShell command that will download malware that uses Evil Clippy, a tool for creating malicious MS Office Documents, to hide its macro.
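The spam samples described in this section share a recognisable shape: a subject line built on a Covid-19 or invoice lure, a display name borrowed from an authority such as a ‘Ministry of Health’ that does not match the sending domain, and an attachment of an executable or macro-bearing type. The following Python is an added triage rule, not a Trend Micro signature, that scores a raw email on those three signals using the standard `email` library. The sender allowlist, keyword lists and the sample messages are all constructed for the example.

```python
import os
import re
from email import message_from_string

# Constructed detection rule: three independent signals, each worth one point.
LURE_SUBJECT = re.compile(
    r"\b(corona|covid|vaccin\w*|cure|fattura|invoice)\b", re.IGNORECASE
)
AUTHORITY_NAMES = re.compile(
    r"\b(ministry|health|who|organi[sz]ation)\b", re.IGNORECASE
)
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".ps1", ".docm", ".xlsm", ".zip", ".iso"}
# Assumed allowlist of domains the named authorities really send from.
TRUSTED_SENDER_DOMAINS = {"health.example"}


def attachment_names(msg) -> list:
    """Collect filenames of every MIME part that carries one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def score_email(raw: str) -> dict:
    """Score one RFC 822 message; two or more signals recommend quarantine."""
    from email.utils import parseaddr

    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []

    if LURE_SUBJECT.search(subject):
        reasons.append("subject uses a Covid-19 or invoice lure")
    # An authority in the display name is only credible from its own domain.
    if AUTHORITY_NAMES.search(display) and domain not in TRUSTED_SENDER_DOMAINS:
        reasons.append(f"display name claims an authority but sender domain is {domain!r}")
    for name in attachment_names(msg):
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            reasons.append(f"attachment {name!r} has a risky extension")

    return {"score": len(reasons), "reasons": reasons, "quarantine": len(reasons) >= 2}


# Constructed sample modelled on the 'Ministry of Health' lure described above.
SAMPLE_PHISH = """\
From: Ministry of Health <updates@covid-alerts.example>
To: victim@corp.example
Subject: Corona Virus Latest Updates
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please read the attached recommendations.
--b1
Content-Type: application/octet-stream; name="Latest_Updates.exe"
Content-Disposition: attachment; filename="Latest_Updates.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed benign sample: internal sender, harmless attachment.
SAMPLE_BENIGN = """\
From: IT Helpdesk <helpdesk@corp.example>
To: victim@corp.example
Subject: Monthly newsletter
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

This month's update is attached.
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b2--
"""

# Constructed sample from the allowlisted authority domain, no attachment.
SAMPLE_OFFICIAL = """\
From: Ministry of Health <alerts@health.example>
To: victim@corp.example
Subject: Covid-19 guidance for employers

Guidance is published on our website.
"""

if __name__ == "__main__":
    for label, raw in [("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN),
                       ("official", SAMPLE_OFFICIAL)]:
        print(label, score_email(raw))
```

The phishing sample trips all three signals and is quarantined; the genuine authority message from the allowlisted domain scores one point for its subject alone and is passed through, which is the behaviour a defender wants during an outbreak when legitimate health advice is also in circulation.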

With business email compromises (BEC), one such attack mentioning Covid-19 was reported by Agari Cyber Intelligence Division (ACID). The attack, a continuation of an earlier BEC campaign, comes from Ancient Tortoise, a cyber crime group behind multiple campaigns of this nature in the past. The bad actors first target accounts receivable staff, tricking them into forwarding reports. Then, while posing as legitimate companies, they use customer information in these reports to send emails informing customers of a change in banks and payment methods due to Covid-19.

A Covid-19 ‘map’, created by Johns Hopkins University, is an interactive dashboard showing infections and deaths, and was used to spread information-stealing malware, as revealed by US reporter Brian Krebs. Several malefactors on Russian underground forums took advantage of the map and sold a digital Covid-19 ‘infection kit’ that deploys Java-based malware. Victims are encouraged to open the map and share it.

Ransomware, of course, is never far behind a new catastrophe. A group known as MalwareHunterTeam reported a new variant called CoronaVirus, which is spread through a fake Wise Cleaner site, a website that supposedly promotes system optimisation. Targets unwittingly download the file WSGSetup.exe from the fake site. This then acts as a downloader for two types of malware, the CoronaVirus ransomware and a password-stealing trojan named Kpot. This campaign follows the trend of recent ransomware attacks that go beyond encrypting data and steal information as well.

According to Trend Micro, there are also reports of malicious Android apps offering safety masks. The malicious app instead delivers an SMS Trojan that collects the target’s contact list and sends SMS messages to spread itself. So far, the app seems to be in the early stages of development and is simply trying to compromise as many users as possible.

Another new attack has been found propagating a fake Covid-19 information app that purports to come from the World Health Organisation. The Bleeping Computer website says the campaign involves hijacking the Domain Name System (DNS) settings of D-Link or Linksys routers so that web browsers display alerts for the app. Users said their browsers opened automatically without prompting, only to display a message requesting them to click on a button to download a ‘Covid-19 Inform App’. Clicking on the link, however, downloads and installs the Oski info stealer onto the device. This malware variant can steal browser cookies, browser history, browser payment information, saved login credentials, cryptocurrency wallets, and more.

Sophos reports on a scheme that demands $4 000 in Bitcoin, claiming that failure to pay will infect the victim’s family with Covid-19. The victims receive emails informing them that the attackers know all their passwords, their whereabouts, and other personal details. The email authors threaten to release the information if the user doesn’t make the payment within 24 hours. There is no evidence that the malefactors actually have access to the data, or that they can follow through with their threats.
