Morphisec Cybersecurity Blog

Malware Authors Playing on COVID-19 Fears to Achieve Their Goals

Written by Matthew Delman | April 1, 2020 at 1:15 PM

Malware authors worldwide have targeted the fear around COVID-19 as a way to further their goals. This isn’t really a new method of enticing people to download and run their malware; threat actors have always used disasters as a way to deliver their payloads. From that perspective, the COVID-19 pandemic is only the latest in a long line of disasters that threat actors--both financially motivated and state-sponsored--leverage to achieve their goals.

The attacks using COVID-19 as a hook run the proverbial gamut. There are phishing and spearphishing email campaigns, banking trojans, ransomware, and credential theft. These campaigns include state-sponsored hackers in Asia scraping legitimate content from government sources and sending out phishing emails to targets in East Asia, as well as malicious websites and ransomware attacks. In some cases, the malware campaigns even deliver accurate information about the virus’s spread!

COVID-19 Malware Comes in Many Forms

COVID-19 phishing and spearphishing campaigns kicked off in January with a campaign of spam emails designed to spread the Emotet trojan. GovInfoSecurity wrote that IBM X-Force researchers identified Emotet as the malware being delivered in that initial campaign, with malicious Microsoft Word documents targeting Japan. At the time, it looked like malware authors were focusing mainly on targets close to China--a logical move because the coronavirus hadn’t really spread beyond Asia at the time. Those emails appeared to come from a disability service provider local to Japan and discussed the spread of COVID-19 to the country.

The phishing campaigns have continued since then, with emails purporting to come from government sources like the World Health Organization and Centers for Disease Control and Prevention. Researchers from Sophos, Proofpoint, Kaspersky, and KnowBe4 have also spotted phishing campaigns leveraging COVID-19 messaging to convince concerned targets to open malicious attachments that deliver malware.

In early March, a Trickbot campaign with targets in Italy started to proliferate. As with many coronavirus-related malware campaigns, this one took the form of a phishing email that looked like it came from a doctor at the World Health Organization. It directed recipients to read an attached Word document that supposedly included important precautions that should be taken to prevent the spread of COVID-19.

Although the WHO and the CDC are the most common organizations spoofed in the phishing emails, there are also campaigns that look like they come from an internal resource. In the case of one campaign, the threat actors send a phishing email addressed like it comes from an organization’s human resources department.

Phishing emails aren’t the only malware delivery vehicle. In February, researchers started seeing malicious websites purporting to share information about the spread of COVID-19. According to ZDNet reporting, these fake websites increased exponentially from early February to now; as of early March, thousands of malicious websites were being created every day. These websites peddle everything from coronavirus cures to, oddly, accurate information about the spread of the disease, and between March 14 and 18 alone more than 3,600 scam websites were created.

Just last week, ZDNet reported that hackers had broken into D-Link and Linksys routers to change their DNS settings so that unsuspecting users’ DNS queries were answered by malicious servers. This particular group of threat actors used brute force attacks to guess the admin password and, once in, pointed the router’s DNS configuration at servers they control. The fact that threat actors are hacking routers to steer people toward coronavirus-themed malware should be indicative of the scale of the threat facing corporations in an age when more people than ever are working remotely.

Threat actors have targeted everyone during the pandemic, including the United States Department of Health and Human Services, Brno University Hospital in the Czech Republic, and 10 distinct healthcare organizations in the United States struggling to respond to the flood of coronavirus cases. According to one report, fully 80 percent of the threat landscape is currently using COVID-19 as a hook to do everything from steal financial information to infect computers with ransomware.

Prevent COVID-19 Malware with IT Hygiene

Basic IT hygiene activities, such as checking user privileges and enforcing password guidelines, are critical in normal times. With so many employees working remotely as a result of the COVID-19 pandemic, taking steps to ensure IT hygiene on corporate technology infrastructure and home computers is even more critical. This is in addition to deploying antivirus and a solution such as moving target defense to block advanced attacks.

As Ars Technica recently reported, the internet is practically drowning in COVID-19 malware. Zeus Sphinx’s operators have resurrected their malware to take advantage of the chaos, Ryuk’s owners have targeted 10 different healthcare organizations already stretched to the brink, and roughly two million tweets have peddled dozens of conspiracy theories about the disease.

This is the environment in which IT and security teams must leverage IT hygiene to ensure that their remote employees are as secure as possible. Remote employees are particularly vulnerable to cyberattacks, especially because they must work outside the protections put in place within the enterprise. As a result, IT teams need to ensure that they provide critical security awareness training, deploy multi-factor authentication on all web services, and potentially even leverage a VPN to ensure remote workers securely access corporate systems.

The remote method of working isn’t going to go away any time soon, especially not while the COVID-19 pandemic continues. As such, IT teams must ensure they secure their remote employees with a combination of good IT practices, a good antivirus solution like Windows Defender AV, and moving target defense technology. Only then can they protect all the attack surfaces both inside and outside the corporate network.