Malware Referencing Coronavirus

What Is It?

Since the first reports of coronavirus began emerging in early January 2020, it was guaranteed that cyber attackers would attempt to leverage the subject as part of the social engineering aspects of their attacks.

This is especially true now that coronavirus has altered the lives of billions of people in unprecedented ways.

Social engineering is the act of exploiting human psychology in order to gain a desired outcome. It is not exclusively limited to cyberattacks, though they are often mistakenly linked. In the case of attacks referencing coronavirus, attackers attempt to exploit potential victims’ understandable fears, concerns and heightened desire for news. Attackers are also aware that given the stresses and upheavals that the impact of coronavirus is having, potential victims may exercise less caution when reading their email and thus be more susceptible to basic social engineering techniques.

In fact, in many of the campaigns referencing coronavirus, only the social engineering component has evolved. The underlying malware used in these attacks consisted of new variants of existing malware families that were already detected by BluVector’s patented Machine Learning Engine (MLE).

Emotet, Nanocore and Parallax in Spam

The Cisco Talos team found malicious spam email campaigns attempting to spread variants of the Emotet trojan, Nanocore RAT (Remote Access Trojan) and Parallax RAT. They also discovered a piece of destructive wiper malware whose filename, translated into English, was “coronavirus.exe”. Their research included a list of 90 publicly available sample files related to these campaigns. All of the samples were detected by BluVector’s MLE, with regression testing showing a detection average of 31 months prior to their release.

Another, unrelated Emotet campaign using a coronavirus lure was associated with four publicly available files, which our BluVector MLE regression testing showed would also have been detected 31 months prior to their release.

Folding@Thome Campaign Offers Info-stealing Trojan

Proofpoint researchers discovered a new information and credential stealing trojan named “Redline Stealer,” which was being offered for sale on Russian underground forums. In early March, an email campaign pretended to be sent by the genuine distributed computing project Folding@home, though it was misspelt as Folding@Thome. In the email body, users were asked to contribute their unused computer processing power to help fight coronavirus. Clicking the link resulted in the installation of Redline Stealer, which is capable of collecting sensitive data from browsers and other applications, as well as downloading and running files. Of the two publicly available samples, BluVector’s MLE detected both at an average of 29 months prior to their release.

APT36 Targeting India-based Government Entities

Researchers at Malwarebytes found a spear phishing email campaign they have attributed to the APT36 group, which is believed to be Pakistan-based and focused on attacking India-based government entities. The attached malicious documents claim to be a health advisory from the Indian government, but contain macros resulting in the installation of a variant of Crimson RAT. This malware creates a backdoor on infected systems and is used to extract credentials and exfiltrate data files. When regression testing was performed on the four publicly available samples related to this campaign, all were detected by BluVector’s MLE at an average of nine months prior to their release.

Remcos RAT Pretends to be Safety PDF

A submission to their free Yomi Hunter sandbox service led researchers from Cybaze/Yoroi Zlab to a file with the clearly suspicious name of CoronaVirusSafetyMeasures_pdf.exe. They found this sample to be an obfuscated dropper for the Remcos RAT, whose main functions include logging keystrokes and capturing audio and video. Regression testing found the sample was detected by BluVector’s MLE at 74 months prior to its release.
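
The filename traits mentioned in this report (an executable named after the outbreak, and a document type embedded in an executable's name) can be checked during attachment triage. The Python below is an added example, not code from BluVector or the cited researchers; the extension list, the keyword list and every sample name other than the two quoted in this report are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumed lists, chosen for illustration; tune them to your own mail flow.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_TOKENS = ("pdf", "docx", "doc", "xlsx", "xls", "txt", "jpg", "png")
LURE_KEYWORDS = ("corona", "covid")

# A document-type token directly before the real extension: "_pdf", ".doc ", "-xls".
_MASQUERADE = re.compile(r"[._\-\s](%s)\s*$" % "|".join(DOCUMENT_TOKENS))


def triage_attachment(name: str) -> list[str]:
    """Return the reasons an attachment filename deserves a closer look."""
    base = PureWindowsPath(name.strip()).name.lower()
    stem, dot, ext = base.rpartition(".")
    if not dot or "." + ext not in EXECUTABLE_EXTS:
        return []  # no extension, or not a directly runnable type
    reasons = ["executable-extension"]
    match = _MASQUERADE.search(stem)
    if match:
        reasons.append("masquerades-as-" + match.group(1))
    if any(keyword in stem for keyword in LURE_KEYWORDS):
        reasons.append("lure-keyword")
    return reasons


# The first two names are quoted in this report; the rest are constructed.
SAMPLE_NAMES = [
    "CoronaVirusSafetyMeasures_pdf.exe",
    "coronavirus.exe",
    "health advisory.doc .scr",
    "setup.exe",
    "Q1 invoice.pdf",
]

if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        print(f"{sample!r}: {triage_attachment(sample) or 'no filename findings'}")
```

A filename finding is a reason to route the attachment to sandboxing or content inspection, not a verdict on its own.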

Coronavirus Map Site Delivers AZORult

Researchers at Reason Security found a sample where attackers had weaponized an application that displays a map of global coronavirus infections. This application, while displaying the map, installs a variant of the AZORult information stealer in the background. AZORult is capable of extracting stored credentials, credit card numbers and other information, including cryptocurrency wallets. Regression testing found the six samples listed were detected by BluVector’s MLE at an average of 23 months prior to their release.
