When robots get sick: Hackers spread coronavirus online

Author : Ksenia Tsyvirko

Source : 112 Ukraine

Cybersecurity companies report daily on new ransomware programs and remote access trojans that hackers are distributing in the wake of the coronavirus hype
23:13, 31 March 2020


Cybersecurity companies report daily on new ransomware programs and remote access trojans that hackers are distributing in the wake of the coronavirus hype. The threat can lie anywhere: in an email from the World Health Organization with recommendations for combating Covid-19, on a site with an online map of the spread of the virus, and even in an online store selling medical masks and antiseptics. Hackers exploit not only the carelessness of ordinary Internet users but also their fear of catching a dangerous virus.

Under quarantine and remote work, not only home PCs but also corporate networks are at risk; some hacker groups use the viral chaos for state intelligence and for attacks on medical facilities. At the same time, it can be an order of magnitude easier to defend against infection with the biological coronavirus than against its digital varieties: any antivirus is powerless against social engineering.

When the first reports of people infected with a new type of coronavirus appeared in mid-December last year, people around the world were discussing with interest its alleged source: the informal market in the Chinese city of Wuhan. In this wholesale market for animals and seafood you could find any exotic item: fried snakes and bats, peacocks and giant salamanders, rats and wolf cubs. The gastronomic preferences of the Chinese ceased to be an object of idle curiosity as soon as Wuhan was quarantined in January and the WHO declared the spread of Covid-19 a public health emergency of international concern.


The new infection soon crossed the borders of the Middle Kingdom, and hackers took advantage of this: the first victims were computers in Japan. In late January, emails began arriving from fake Japanese public health centers and social welfare services for people with disabilities. They spoke of suspected new cases of coronavirus infection and carried an attached Microsoft Word file supposedly describing preventive measures. The seemingly innocent document, however, contained macros (a set of embedded instructions that run on a given command) that started the download of the Emotet Trojan. Emotet can install and remove other malicious programs (for example, ransomware) at any time and, after gaining access to the victim's list of email addresses, spreads itself further by spam mailing, joining other infected PCs in a botnet: in the hands of attackers the network becomes a tool for mining cryptocurrencies or for targeted DDoS attacks.

At the same time, a user inexperienced in hacking tricks may not even be aware that their PC is infected, since some viruses work quietly and may not make themselves felt for a long time. “About 80% of computers around the world are infected with something. And hackers, as a rule, simply sell the stolen data and the botnet itself,” says Dmytro Petrashuk, cybersecurity director at IT Specialist company.

Most infections occur through spam mailings and phishing sites that the user mistakenly accepts as the originals: an email address can differ by just one character (for example, PayPal and PayPa1) or by its domain suffix (.org instead of .com).

Since the beginning of February, the number of domain names containing the words coronavirus and Covid-19 has been growing, and RiskIQ experts observed a particular surge after the pandemic was declared: on March 15, 13,500 such addresses were registered, and the next day there were already 35,000 of them.

According to various expert estimates, up to 10% of coronavirus domain names pose a potential threat to the PC. Many of them end up on the blacklists of search engines and browsers, but blacklisting can no longer keep up: on average, 2,000 new addresses of this kind appear daily.

The specialized Maltiverse service has identified over 130 compromised links, executable files and assorted documents that contain the words "coronavirus" and "COVID-19" in their names and serve as a source of infection. For the first quarter of 2020, Trend Micro reported 199,400 spam emails and 198,000 malware samples sent worldwide, and their number will continue to grow steadily.

Beyond the firewall

When countries began to close their borders to entry and exit, victims were already receiving spam asking them to click a phishing link to "confirm" details of their flights and booked hotel rooms: in this way attackers stole credentials from inattentive users.


But with the announcement of the pandemic, their “battle” tactics changed: virus spam now arrives under the fake guise of reputable senders such as the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), the Australian Medical Association (AMA) and the ministries of health of various countries.

Phishing emails offer updated statistics on the spread of coronavirus, medical research on the subject and recommendations for preventing the disease. Stressing the importance of the information, the messages urge the recipient to open the attachment at once: it may be a ready-made executable file (for example, Coronavirus Disease (Covid-19) CURE.exe) or a less suspicious-looking text document or archive (for example, CoronaVirusSafetyMeasures_pdf).
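The two lure patterns the article describes, lookalike sender addresses (PayPa1 for PayPal, .org for .com) and deceptively named attachments (a bare .exe, or a name that ends in "_pdf" with no real extension), can be screened with a few heuristics. The script below is an added example written for this page, not code from the article or any vendor; the trusted-domain list and the sample sender addresses are constructed for illustration.

```python
import re

# Constructed allow-list of senders that the described campaigns impersonate.
TRUSTED_DOMAINS = {"paypal.com", "who.int", "cdc.gov"}

# Digits and symbols commonly substituted for letters (PayPa1 for PayPal).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})

# Extensions that run code or carry macros when opened.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".docm", ".xlsm"}


def sender_verdict(address: str) -> str:
    """Classify the domain of a bare e-mail address (user@domain).

    Returns 'trusted', 'homoglyph' (PayPa1.com), 'tld_swap' (paypal.org) or 'unknown'.
    """
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    normalized = domain.translate(HOMOGLYPHS)   # undo digit-for-letter swaps
    if normalized in TRUSTED_DOMAINS:
        return "homoglyph"
    label = normalized.split(".")[0]            # second-level label, e.g. "paypal"
    if any(label == t.split(".")[0] for t in TRUSTED_DOMAINS):
        return "tld_swap"
    return "unknown"


def attachment_verdict(filename: str) -> str:
    """Flag executables/macro documents and names that only pretend to be documents."""
    name = filename.lower()
    match = re.search(r"\.[a-z0-9]+$", name)
    ext = match.group(0) if match else ""
    if ext in RISKY_EXT:
        return "executable"
    # "CoronaVirusSafetyMeasures_pdf": a document hint but no real extension
    if not ext and re.search(r"[_-](pdf|docx?|xlsx?)$", name):
        return "fake_extension"
    return "benign"


def scan_message(sender: str, attachments: list) -> list:
    """Return findings for one message; an empty list means nothing suspicious."""
    findings = []
    verdict = sender_verdict(sender)
    if verdict in ("homoglyph", "tld_swap"):
        findings.append(f"sender {sender}: {verdict}")
    for att in attachments:
        v = attachment_verdict(att)
        if v != "benign":
            findings.append(f"attachment {att}: {v}")
    return findings
```

These checks are heuristics: they do not replace verification of the sending server (SPF/DKIM), and the allow-list must be maintained for the brands relevant to your organization.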

Among others, the Netwalker ransomware, which encrypts system files and demands a ransom, has been spreading this way since early February. According to expert estimates, it hit 10% of all organizations in Italy and also attacked the logistics company Toll Group, the website of the Champaign-Urbana public health district in Illinois, Brno University Hospital in the Czech Republic and many Spanish hospitals. Studies by cybersecurity companies show that infection with the "computer" coronavirus is occurring everywhere in the world, and that it too has its own varieties.

Recently, the galaxy of malicious software gained a "proprietary" CoronaVirus, which MalwareHunterTeam experts discovered in mid-March on a phishing copy of the WiseCleaner site, which provides useful utilities and software. Once downloaded, the ransomware encrypts the data, renames the C: drive to CoronaVirus and locks the screen when the computer restarts, demanding a ransom of 0.008 bitcoin (about $50) for data recovery.

Attacks on the WHO computer system doubled during the epidemic, although they were unsuccessful. On March 15, cybercriminals attempting to discredit coronavirus control measures attacked the US Department of Health. And the Maze hacker group infected the network of the British research firm Hammersmith Medicines Research, which had set about developing a vaccine against Covid-19, with ransomware.


War of the Worlds

However, during the pandemic, hacker groups act not only in the name of self-proclaimed humanistic mottos but also in the interests of state intelligence services. Thus, cybersecurity experts at Malwarebytes reported on March 16 that the Pakistan-sponsored hacker group APT36, posing as the Indian Ministry of Health, sends spam carrying the Crimson RAT remote access Trojan, which is meant to steal credentials and system information from computers in Indian government agencies.

Other incidents appear in reports on global cyber threats: the North Korean hacker group Kimsuky ran a similar spam campaign against South Korean officials in late February, and the Chinese groups Vicious Panda and Mustang Panda targeted the government of Vietnam.

Ukraine also turned out to be a testing ground for hacker attacks, and, according to experts, very sophisticated ones. According to the cybersecurity company QiAnXin, the Russian hacker groups Hades and TA542 were the first to exploit misinformation about the threat of coronavirus entering Ukraine. Messages appeared online about allegedly infected foreigners, which is why in some cities our compatriots began to block access to hospitals, and riots broke out in Novi Sanzhary (Poltava region). Against this background of general confusion and panic, hackers staged a spam mailing on behalf of the Public Health Center of the Ministry of Health of Ukraine with "the latest reliable data on coronavirus."

Pretty covers

However, the tricks of hackers are not limited to spam e-mail: victims are lured by new offers and services.

Perhaps the most unusual of them is the fake Corona Antivirus, which does not cure the computer of any viruses but infects it with the BlackNET remote access Trojan. Malwarebytes experts found this “surprise” on January 23 at antivirus-covid19[.]site, a site with a pretentious design and the slogan Corona Antivirus - World’s best protection.

There are also known online Covid-19 spread maps with interactive statistics; interacting with them infects the PC with the AZORult information-stealing trojan.


For their hacker designs, attackers often use primitive methods of social engineering, manipulating simple human feelings.

Spam with the subject “Coronavirus: act today or all people will die” sends the stunned user to a phishing copy of a Microsoft site that requires logging in, that is, handing their account to the hackers via the fake login form.

At the same time, not only a PC but also a smartphone can fall victim to coronavirus: cybersecurity experts have repeatedly reported fake mobile applications that promise to notify you when infected people are nearby or offer to buy an exclusive mask (for example, Coronavirus Finder, COVID 19 TRACKER, Coronasafetymask).

However, the phone is better protected against the formidable digital virus than a computer: firstly, as a rule, these applications are not available in the official Google Play store but are offered through a link opened in the browser; secondly, something can be suspected during installation, as the application keeps requesting access to ever more resources of the phone in an attempt to obtain administrator rights on the device. Thus a banking ransomware Trojan in the guise of a useful application tries to obtain screen-lock rights, supposedly so that it can promptly warn the user that an infected person is approaching. In reality, the smartphone at some point turns into a locked, useless "brick" with a ransom demand on the screen. Cybersecurity experts also report malware designed to spam the entire contact list and to spy through the camera and microphone.


"To protect your computer from infection, you should first use a different account without administrator rights (or create a user account with limited rights) so that you do not accidentally install malicious programs. In addition, a free admin account allows you to recover important data and not lose complete control over what is happening on the computer. In general, cybersecurity companies do not sit still: there is a constant struggle, so to speak, with hackers. Some are creating cyber defense tools, others are looking for ways to get around them, and so on all the time," Dmytro Petrashchuk advises.
