Cybercriminals tend to exploit topics that are in the news, hoping to entrap people interested in or worried about a certain timely subject. With the coronavirus top of mind, this has become an area ripe for exploitation. Attackers are deploying phishing emails, ransomware, and malicious software with a coronavirus hook to take advantage of people concerned about the virus. But there are ways to protect yourself from this type of malware, as described by Cybereason.
In a blog post published on Wednesday entitled “Just Because You’re Home Doesn’t Mean You’re Safe,” Cybereason discussed the different types of coronavirus-themed malware and how and where they’re being used. Though exploiting the theme of coronavirus is a new tactic, criminals have been distributing well-known types of malware, including Emotet, RemcomRAT, ParallaxRAT, HawkEye, TrickBot, and Agent Tesla.
One of the most popular types of attacks found by Cybereason’s Nocturnus team has been a spear phishing campaign that employs coronavirus-themed phishing emails with malicious attachments. When the virus first started to expand in China, most of these malicious emails and files originated from China and targeted Chinese citizens.
As the virus began to spread outside of China, the number of malicious files jumped, with files originating from other countries and affecting people in Japan, South Korea, and Europe. Now, as China is starting to recover from the virus and countries such as Italy are being hit hard, the malware campaigns are targeting Italian citizens.
As people want to learn where and how the virus is spreading, cybercriminals are trying to direct them to coronavirus maps that actually distribute malware. In one example, such a map hides a piece of malware known as the Azorult infostealer that’s downloaded to the person’s computer. This malware steals sensitive information, which is captured by the attacker.
As more people are working from and staying at home, cybercriminals are also deploying fake VPN apps that try to trick users into downloading and installing malware. In one case, the Cybereason Nocturnus team discovered a fake website that claims to offer legitimate VPN installers. But if you attempt to download one of these apps, you’re redirected to a different site that tries to infect you with malware.
Cybercriminals have even been targeting hospitals and research labs, an alarming trend as many of these facilities are dealing with coronavirus patients or working on coronavirus treatments. In one example, a ransomware campaign hit the University Hospital Brno in the Czech Republic. The hospital maintains one of the largest COVID-19 research labs in the country. But the ransomware attack forced its IT network to shut down, which affected other departments.
To better protect yourself and your organization against coronavirus-themed malware, Cybereason offers the following recommendations:
- Be careful. To significantly reduce the likelihood of falling victim to a phishing attack, it is best to be careful while browsing online and checking email. Check the authenticity of the sender for any email you download information from, and check if the content makes sense to you. If there is any doubt, do not click on it and report it to your security team immediately.
- Watch out for shortened links. If you have any doubt about the validity of a link, open a new browser window and type the URL into the address bar. Be sure to examine the URL and make sure it is authentic.
- Be wary of emails asking for confidential information. Emails that ask for information like credentials, credit card information, and other sensitive data are usually not legitimate. Legitimate organizations, including and especially banks, will never request sensitive information via email and will always redirect you to a secure website or other channels.
- Only download files from trusted websites. Be sure to double check that a website you are using is legitimate and trusted. To download specific VPNs, search for the company’s official website and install directly from there. Avoid downloading cracked versions, since they are usually bundled with other software or malware and can cause damage to the machine.
“At this point, there is still uncertainty around the coronavirus: when it will end, how fast it is currently spreading,” Cybereason said in its report. “This is causing a great deal of concern around the world, and especially in Europe, Iran, and the USA, which are the hardest hit at the moment. We suspect that phishing campaigns that leverage this pandemic will continue to be high, especially in areas where the population is most affected by the virus.”