Cybercriminals see the Coronavirus pandemic as a way to expand their horizons.
In the past week, Malwarebytes discovered multiple email scams that prey on the fear, uncertainty, and confusion regarding COVID-19, the illness caused by the novel coronavirus. With no vaccine yet developed, and with much of the world undergoing intense social distancing measures and near-total lockdown procedures, threat actors are flooding cyberspace with emailed promises of health tips, protective diets, and, most dangerously, cures. Attached to threat actors’ emails are a variety of fraudulent e-books, informational packets, and missed invoices that hide a series of keyloggers, ransomware, and data stealers.
On March 14, Twitter user @dustyfresh published a web tracker that found 3,600 coronavirus- and COVID-19-related hostnames that sprung up in just 24 hours.
On March 17, security researcher and python developer @sshell_ built a tool, hosted by the team at ThugCrowd, that provides real-time scans for potentially malicious, coronavirus-related domains.
Further, RiskIQ reportedly tracked more than 13,000 suspicious, coronavirus-related domains last weekend, and more than 35,000 domains the next day, too.
Malwarebytes has spotted many scam emails in the wild.
The cybresecurity firm found phising emails sent by threat actors impersonating the World Health Organization (WHO). One campaign, which pushed a fake e-book to victims, delivered malicious code for a downloader called GuLoader.
“GuLoader is used to load the real payload, an information-stealing Trojan called FormBook, stored in encoded format on Google Drive. Formbook is one of the most popular info-stealers, thanks to its simplicity and its wide range of capabilities, including swiping content from the Windows clipboard, keylogging, and stealing browser data. Stolen data is sent back to a command and control server maintained by the threat actors.”
This GuLoader scam is just one of many in which threat actors posed as WHO professionals as a way to trick victims into downloading malicious attachments.
On March 18, Malwarebytes uncovered an email campaign that pushed victims into unwittingly downloading an invasive keylogger called Agent Tesla. The keylogger, which experienced a reported 100 percent increase in activity across three months in 2018, can steal a variety of sensitive data.
The Agent Tesla campaign that Malwarebytes tracked on Wednesday involved an email with the subject line: Covid19″ Latest Tips to stay Immune to Virus !!
The email came to individuals’ inboxes allegedly from the WHO, with a sender email address of “firstname.lastname@example.org.”
Malwarebytes also found another that mirrored its tactics and payload.
The second Agent Tesla scam arrives in individuals’ inbox with the email subject line “World Health Organization/Let’s fight Corona Virus together”
Finally, Malwarebytes found a possible WHO impersonator pushing the NetWire Remote Access Trojan (RAT). RATS can allow hackers to gain unauthorized access to a machine from a remote location.
Most of the coronavirus scams spotted online are examples of malspam—malicious spam email campaigns that cross the line from phony, snake-oil salesmanship into downright nefarious malware delivery.
While coronavirus might have brought out the worst in cybercriminals, it’s also bringing out the best across the Internet. This week, a supposed “Covid19 Tracker App” infected countless users’ phones with ransomware, demanding victims pay $100 to unlock their devices or risk a complete deletion of their contacts, videos, and pictures. After news about the ransomware was posted on Reddit, a user decompiled the malicious app and posted the universal passcode to defeat the ransomware. The passcode was then shared on Twitter for everyone to use.