Developing Story: COVID-19 Used in Malicious Campaigns

Latest update on April 2, 2020. Originally published on March 06, 2020. Former Title: Coronavirus Used in Spam, Malware File Names, and Malicious Domains

COVID-19 is being used in a variety of malicious campaigns including email spamBEC, malware, ransomware, and malicious domains.  As the number of those afflicted continue to surge by thousands, campaigns that use the disease as a lure likewise increase. Trend Micro researchers are periodically sourcing for samples on COVID-19 related malicious campaigns. This report also includes detections from other researchers.

The mention of current events for malicious attacks is nothing new for threat actors, who time and again use the timeliness of hot topics, occasions, and popular personalities in their social engineering strategies.

Update as of April 2

Trend Micro Research has continued to find more phishing websites using the terms “coronavirus” or “COVID- 19” to trap users. Malicious actors are pretending to be legitimate organizations in an effort to collect valuable personal information. Here are a few examples of the different guises malicious sites take on to phish for data:

Figure 1

Figure 1. Fake COVID-19 safety portal from the World Health Organization (WHO)

Figure 2

Figure 2. Fake Center for Disease and Prevention waitlist

Figure 3

Figure 3. Fake Canada/COVID-19 Emergency fund

The following have already been blocked and categorized as phishing sites.

  • adaminpomes[.]com/em/COVID-19/index-2[.]php
  • mersrekdocuments[.]ir/Covid/COVID-19/index[.]php
  • bookdocument[.]ir/Covid-19/COVID-19/index[.]php
  • laciewinking[.]com/Vivek/COVID-19/
  • teetronics[.]club/vv/COVID-19/
  • glofinance[.]com/continue-saved-app/COVID-19/index[.]php
  • starilionpla[.]website/do
  • ayyappantat[.]com/img/view/COVID-19/index[.]php
  • mortgageks[.]com/covid-19/
  • cdc[.]gov.coronavirus.secure.portal.dog-office.online/auth/auth/login2.html

Malicious actors are also using COVID-19 or coronavirus-related names in the titles of malicious files to try and trick users into opening them. One example is Eeskiri-COVID-19.chm (“eeskiri” is Estonian for rule), which is actually a keylogger disguised as a COVID-19 help site. If unpacked, it will gather a target’s credentials, set up the keylogger, and then send any gathered information to maildrive[.]icu.

Figure 4

Figure 4. A disguised file that unloads a keylogger onto a victim’s system

We also parsed data from Trend Micro's Smart Protection Network and found more information about the variety of threats using COVID-19 to manipulate targets. As seen in the image below, spam is the main offender. Almost 70% of all the threats leveraging the virus were spam messages. 

covid 19 spread

Map of threats using COVID-19



Types of Threats Using COVID-19

Spam

Many aspects of daily work, from meetings to presentations and collaborative tasks, have moved online because of quarantine restrictions affecting offices across the globe. As users adapt to new methods of working, they should be wary of cybercriminals using popular online tools, sharing software, and file attachments in their scams. Our Email Reputation Services team found coronavirus-related emails with malicious attachments sent to users as early as February 2020.

Early COVID-19 related malicious email

Now there are ongoing business email compromise (BEC) scams that use the disease as a hook. BEC schemes usually work by tricking targets into transferring money to a criminal posing as someone from within the same company. The email below uses the ongoing health crisis to push for urgent action.

Example of a BEC email using COVID-19

We also have detected emails claiming to be relief or health organizations asking for donations in bitcoin. The emails were sent by a group claiming to be “COVID19Fund,” which is supposedly associated with legitimate health organizations. They ask for aid and provide a cryptocurrency wallet where people can donate.

Text from scam email asking for aid for the World Health Organization

Trend Micro researchers also acquired email samples sent to and received from all over the globe, including countries such as the U.S., Japan, Russia, and China. Many of the emails, purportedly from official organizations, contain updates and recommendations connected to the disease. Like most email spam attacks, they also include malicious attachments.

One of the samples used the email subject “Corona Virus Latest Updates” and claimed to come from the Ministry of Health. It contained recommendations on how to prevent infection and came with an attachment that supposedly contains the latest updates on COVID-19 but actually carried malware.

COVID-19 related email spam purportedly from the Ministry of Health

Many of the spam emails were related to shipping transactions, either postponement due to the spread of the disease or one that provides a shipping update. One email informed about shipping postponement. The attachment, supposedly containing the details of the new shipping schedule, bears malware. The email is assumed to come from Japan, and included details written in Japanese (masked in the screenshot).

COVID-19 related email spam about a shipping postponement

There were also other samples detected in foreign languages such as Italian and Portuguese. The email in Italian was about important information about the virus, while the email in Portuguese discussed a supposed vaccine for COVID-19.

COVID-19 related email spam in Italian

COVID-19 related email spam in Portuguese

Trend Micro researchers encountered an email spam sample targeting China and Italy that mentioned a cure for COVID-19 in the email subject as a lure for downloading the malicious attachment. Further inspection revealed that  the payload sample from the attachment is HawkEye Reborn, a newer variant of the information-stealing HawkEye trojan. The file is a heavily obfuscated AutoIT script compiled into an executable. This script will then inject malicious code to RegSvcs.exe. Dumping the injected code will yield a .NET executable that is also packed using ConfuserEx. Part of the decrypted configuration of the HawkEye sample includes the email address and mail server where it will send its exfiltrated data.

HawkEye Reborn COVID-19 email spam

Other samples of email spam targeting Italy were also detected by Trend Micro researchers. This time, mentions of the disease were not found in the email subjects, but in the URL. The subject instead contained the word “Fattura” (Italian for “invoice”), the invoice number, and its supposed date. The emails had attachments that contain malware, which executes a PowerShell command that will download a file from a URL related to COVID-19. The URL is hxxps://recoverrryasitalycovid-19.xyz/over

Upon further investigation, it was found that the malware used Evil Clippy, a tool for creating malicious MS Office Documents, to hide its macro.

Italian email spam connected to a URL related to COVID-19

And as Italy remains one of the countries most affected by the COVID-19, threat actors also continued to attack users with another spam campaign that we detected on March 20, 2020. Trend Micro researchers detected over 6,000 events of the spam.

Both the email subject and body are written in Italian. The subject translates to “Coronavirus: Important info on precautions.” In the email body, the sender claims that the attachment is a document prepared by the World Health Organization (WHO), and strongly advises the readers to download the attached compromised Microsoft Word file. The malicious file contains a trojan.

Sample of spam targeting users in Italy 

The document contains the following message details luring users to enable macro content:

Attachment sample

Malicious websites

Researchers reported two websites (antivirus-covid19[.]site and corona-antivirus[.]com) promoting an app that can supposedly protect users from COVID-19. The website antivirus-covid19[.]site, reported via the Malwarebytes’ blog, is now inaccessible. However, the website corona-antivirus[.]com, reported via the MalwareHunterTeam’s twitter account, is still active up to now.

The websites claim that their app, named “Corona Antivirus,” is a result of the work of scientists from Harvard University. Installing the app will infect the system with BlackNET RAT malware, which will then add the infected devices to a botnet. Through the botnet, threat actors can launch DDoS attacks, upload files to the device, execute scripts, take screenshots, harvest keystrokes, steal bitcoin wallets, and collect browser cookies and passwords.

The US Department of Justice (DOJ) filed a temporary restraining order against the fraudulent website, coronavirusmedicalkit[.]com. The website is supposedly selling COVID-19 vaccine kits approved by WHO. However, there are no WHO-approved legitimate COVID-19 vaccines available in the market yet.

The bogus website requests US$4.95 for shipping. Users were requested to enter their credit card information to proceed with the transaction. The websites have since been taken down.

There has been a notable increase in domain names using the word “corona” has also been observed by Bit Discovery. Trend Micro researchers confirmed the following domains as malicious:

  • acccorona[.]com
  • alphacoronavirusvaccine[.]com
  • anticoronaproducts[.]com
  • beatingcorona[.]com
  • beatingcoronavirus[.]com
  • bestcorona[.]com
  • betacoronavirusvaccine[.]com
  • buycoronavirusfacemasks[.]com
  • byebyecoronavirus[.]com
  • cdc-coronavirus[.]com
  • combatcorona[.]com
  • contra-coronavirus[.]com
  • corona-armored[.]com
  • corona-crisis[.]com
  • corona-emergency[.]com
  • corona-explained[.]com
  • corona-iran[.]com
  • corona-ratgeber[.]com
  • coronadatabase[.]com
  • coronadeathpool[.]com
  • coronadetect[.]com
  • coronadetection[.]com

A fake government website has been spotted luring users with the promise of aid or relief. The image below shows the domain uk-covid-19-relieve[.]com imitating legitimate "gov.uk" sites. It will ask for personal information and collect users’ bank account credentials if they enter a correct postcode.

Fake UK government relief sites

Fake UK government relief sites Virus-related domains hosting malicious files are also still active. The site hxxps://corona-map-data[.]com/bin/regsrtjser346.exe loads the DanaBot banking trojan, which is capable of stealing credentials and hijacking infected systems.

Another recent example is hxxp://coronaviruscovid19-information[.]com/en. The site encourages you to download a mobile application called “Ways To Get Rid of Coronavirus,” promising a cure.

Website promoting fake app

Malicious actors are also aware that many users across the globe are quarantined and spending more time looking for entertainment online. They use fake streaming sites, or sites offering entertainment promotions to appeal to users. We spotted the domain hxxps://promo-covid19-neftlix[.]ml, which is actually a phishing site that steals Netflix account credentials. As always, users should always be mindful of websites they regularly use, and to keep credentials to online accounts as private as possible.

Another domain we noted was hxxps://paypaluk-coronavirussupport.com, a fake website that possibly targets UK PayPal users’ credentials. The site’s URL format is a red flag that it’s potentially malicious, with a hint that the domain does not legitimately belong to PayPal. Users should also check such sites by looking at the company’s official sites or social media for any evidence that they have new domains up and running.

Based on the URL’s construction, the target company’s name is appended with a non-legitimate PayPal domain to make it appear more convincing. This is the same technique that was used for hxxps://promo-covid19-neftlix[.]ml.

Malware

An interactive COVID-19 map was used to spread information-stealing malware, as revealed by Brian Krebs. The map, which was created by Johns Hopkins University, is an interactive dashboard showing infections and deaths. Several members of Russian underground forums took advantage of this and sold a digital COVID-19 infection kit that deploys Java-based malware. Victims are lured to open the map and even share it.

BEC

A Business Email Compromise (BEC) attack mentioning COVID-19 was reported by Agari Cyber Intelligence Division (ACID). The attack, a continuation of an earlier BEC campaign, came from Ancient Tortoise, a cybercrime group behind multiple BEC cases in the past.

The threat actors first target accounts receivables into forwarding aging reports (accounts receivable reports). Then, while posing as legitimate companies, they use customer information in these reports to send emails to inform customers of a change in banks and payment methods due to COVID-19.

Ransomware

A new ransomware variant called CoronaVirus was spread through a fake Wise Cleaner site, a website that supposedly promoted system optimization, as reported by MalwareHunterTeam. Victims unknowingly download the file WSGSetup.exe from the fake site. The said file acts as a downloader for two types of malware: The CoronaVirus ransomware and password-stealing trojan named Kpot. This campaign follows the trend of recent ransomware attacks that go beyond encrypting data and steal information as well.

Another attack that is presumed to be caused by ransomware has hit a University Hospital Brno in the Czech Republic, a COVID-19 testing center. The hospital’s computer systems had been shut down due to the attack, delaying the release of COVID-19 test results.

Threat actors also launched a new phishing campaign that spreads the Netwalker ransomware, according to MalwareHunterTeam from reports on Bleeping Computer. The campaign uses an attachment named “CORONAVIRUS.COVID-19.vbs” that contains an embedded Netwalker ransomware executable.

Upon execution of the script, the EXE file will be saved to %Temp%\qeSw.exe. Launching this file will lead to the encryption of other files on the computer. Victims will then find a ransom note with instructions on how to pay the ransom via a Tor payment site.

Mobile Threats

A mobile ransomware named CovidLock comes from a malicious Android app that supposedly helps track cases of COVID-19. The ransomware locks the phones of victims, who are given 48 hours to pay US$100 in bitcoin to regain access to their phone. Threats include the deletion of data stored in the phone and the leak of social media account details. A look at their cryptocurrency wallet shows that some victims have already paid the ransom on March 20. The final balance at the time of writing is 0.00018096 BTC.

There are also reports of malicious Android apps offering safety masks to targets worried about COVID-19. Unfortunately the malicious app actually delivers an SMSTrojan that collects the victim's contact list and sends SMS messages to spread itself. So far, the app seems to be in the early stages of development and is simply trying to compromise as many users as possible.

Browser Apps

A new cyberattack has been found propagating a fake COVID-19 information app that is allegedly from the World Health Organization (WHO). Bleeping Computer reports that the campaign involves hacking routers’ Domain Name System (DNS) settings in D-Link or Linksys routers to prompt web browsers to display alerts from the said apps.

Users reported that their web browsers automatically open without prompting, only to display a message requesting them to click on a button to download a “COVID-19 Inform App.” Clicking on the button will download and install the Oski info stealer on the device. This malware variant can steal browser cookies, browser history, browser payment information, saved login credentials, cryptocurrency wallets, and more.

Sextortion Scam

A sextortion scheme reported by Sophos demands US$4,000 in bitcoin, or else, they threaten to infect the victim’s family with COVID-19. The victims receive emails informing them that the threat actors know all their passwords, their whereabouts, and other details relating to their personal activities. The email senders threaten to release the data if the victim doesn’t make the payment in 24 hours. There is no indication that the threat actors actually have access to the data, or if they can actually follow through with their threats.

Trend Micro's Email Services Reputation detected an extortion scam similar to the type security firm Sophos found on March 19. It seems that cybercriminals have now begun threatening targets with exposure to COVID-19 if their demands are not met.

The image below shows the scammer using scare tactics in an attempt to manipulate the user. The hackers claim that they have somehow infiltrated the user's system and can send email from the user's own account. In reality, the spam email is drafted so that the "From," or sender, is the same as the recipient of the email, so if the target replies they get the same email again. This adds to the fear that the hacker has somehow broken into their system and has personal information about their whereabouts. The hacker then demands US$500 or he will expose the target to the virus.

COVID-19 being used for extortion

COVID-19 in the Underground

Underground forums and cybercriminal marketplaces operate in the same way legitimate selling spaces operate: Suppliers pay attention to world news and markets, and make money by catering to market demand.

A popular underground forum created limited coronavirus awards where people can purchase a toilet paper or “coronavirus” icon to add to the user’s profile

We usually see themed malware after natural disasters or major world events, and it’s no different for the current coronavirus (COVID-19) pandemic. We’re seeing multiple listings for phishing, exploits, and malware linked to the virus in underground forums. One user (pictured below) is asking for US$200 for a private build of a coronavirus-themed phishing exploit and an additional US$700 for a Code Sign certificate.

Coronavirus-themed phishing exploit sold on a Russian underground forum

The pandemic has changed consumer habits rapidly. People in multiple countries are struggling to find essential supplies, and toilet paper and face masks are in high demand. Trend Micro's Forward-looking Threat Research (FTR) team found that numerous underground forums are now selling items such as N95 masks, toilet paper, ventilators, thermometers, and patient monitors. We have seen posts offering N95 masks for US$5 each and toilet paper rolls for US$10. As stocks plunge, underground forum users have also been discussing if now is a good time to invest in bitcoins. The value of bitcoins have dropped from US$8914 (February 27) to US$6620 (March 27) in a month.

Underground seller offering 3M N95 masks

Forum post offering N95 masks

Forum post offering toilet paper rolls

Thread on whether this is a good time to invest in cryptocurrency

Some sellers are using “coronavirus” as a keyword in the title or body of their advertisements to increase sales. They are offering virus-themed sales or even looking for partners for joint ventures. We even found some users discussing how to use the virus to their advantage for social engineering scams. For example, to get around verification requests for large transactions, the user would mention that the money being transferred was for a family member affected by the virus or that a lockdown prevented them from completing the transaction in person.

Darkweb marketplace offering a “coronavirus sale” on marijuana

Seller looking for a joint venture related to Coronavirus

In many countries, people have been asked to stay home, businesses have closed, and unemployment has increased. Like everyone else, underground sellers have seen their revenues drop since fewer people are spending money. Sellers on forums are complaining that exit scams have increased too. Underground businesses depending on money mules and dropshipping have also been affected as the “mules” are unavailable or afraid of catching the virus. A search on multiple forums returned many threads of people discussing how to prevent getting COVID-19, how to make hand sanitizer, how forum users are coping with city lockdowns, as well as general concerns about the virus.

Scope of COVID-19 Threats

Data from our Smart Protection Network indicates that there are more than 300,000 threats across email, URL, and file. The data below represents information collected from January 1, 2020 to March 27, 2020. 

Malicious URLs, accounting for more than 22,000 threats, span the range of phishing-related URLs, scams, and those that dump malware (adware, ransomware to name a few). In the chart below we list top ten countries where users have inadvertently accessed malicious URLs with “covid” or “ncov” or “coronavirus” in its strings. These URLs are currently blocked by Trend Micro.

Top countries hosting COVID-19 related malicious URLs

Types of malicious URLs

A large portion of these threats are related to spam email, as indicated by our threat samples above. In the chart we see the top countries being hit with malicious email spam connected to COVID-19. The number of spam corresponds to spam emails with the word "coronavirus" in the subject.

Top countries targeted by spam emails connected to COVID-19

The files detected are malicious files that use "COVID" or "COVID19" in its filename. As of this writing, these files belong to various malware families. Most are Trojans, and only a handful are ransomware-related files. This data reflects findings from March 1-27 2020. This will be updated as soon as January and February data becomes available.

Top countries with malicious file detections

*Note: The detection numbers are based on the coverage of our Smart Protection Network, which has limited global distribution. It was previously stated that the data represents countries hosting these malicious URLs. The correct statement is that this data represents countries where users have accessed malicious URLs.

Defense Against these Threats

Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free™? Business Security detect and block the malware and the malicious domains it connects to.

As an added layer of defense, Trend Micro™ Email Security thwarts spam and other email attacks. The protection it provides is constantly updated, ensuring that the system is safeguarded from both old and new attacks involving spam, BEC, and ransomware. Trend Micro™ InterScan™ Messaging Security provides comprehensive protection that stops inbound threats and secures outbound data. It blocks spam and other email threats.

A multilayered protection is also recommended for protecting all fronts and preventing users from accessing malicious domains that could deliver malware.

Indicators of Compromise for Malware Files

Trend Micro researchers were also able to detect malware with “corona virus” in their filename, listed below:

File Name
SHA 256 Trend Micro Pattern Detection Trend Micro Predictive Machine Learning Detection
CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm ab533d6ca0c2be8860a0f7fbfc7820ffd
595edc63e540ff4c5991808da6a257d
Trojan.X97M.CVE201711882.THCOCBO N/A
CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm 17161e0ab3907f637c2202a384de67fca
49171c79b1b24db7c78a4680637e3d5
Trojan.X97M.CVE201711882.THCOCBO Downloader.VBA.TRX.XXVBAF01FF006
CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm 315e297ac510f3f2a60176f9c12fcf9
2681bbad758135767ba805cdea830b9ee
Trojan.X97M.CVE201711882.THCOCBO Downloader.VBA.TRX.XXVBAF01FF006
CoronaVirusSafetyMeasures_pdf.exe c9c0180eba2a712f1aba1303b90cbf12c11
17451ce13b68715931abc437b10cd
TrojanSpy.Win32.FAREIT.UHBAZCLIZ Troj.Win32.TRX.XXPE50FFF034
CoronaVirusSafetyMeasures_xls.exe 29367502e16bf1e2b788705014d0142
d8bcb7fcc6a47d56fb82d7e333454e923
TrojanSpy.Win32.FAREIT.SMTHC.hp N/A
LIST OF CORONA VIRUS VICTIM.exe 3f40d4a0d0fe1eea58fa1c71308431b5c2c
e6e381cacc7291e501f4eed57bfd2
Trojan.MSIL.AGENTTESLA.THCOCBO N/A
POEA HEALTH ADVISORY re-2020 Novel Corona Virus.pdf.exe 3e6166a6961bc7c23d316ea9bca87d82
87a4044865c3e73064054e805ef5ca1a
Backdoor.Win32.REMCOS.USMANEAGFG Troj.Win32.TRX.XXPE50FFF034
POEA Advisories re-2020 Novel Corona Virus.2.pdf.exe b78a3d21325d3db7470fbf1a6d254e23d34
9531fca4d7f458b33ca93c91e61cd
Backdoor.Win32.REMCOS.USMANEAGFE Troj.Win32.TRX.XXPE50FFF034

Other researchers are seeing cybercriminals take advantage of coronovirus maps and dashboards. Researchers from Reason Labs have found fake websites that lead the download and installation of malware. The downloaded malware are detected by Trend Micro as the following:

SHA 256 Trend Micro Pattern Detection Trend Micro Predictive Machine Learning Detection
2b35aa9c70ef66197abfb9bc409952897f
9f70818633ab43da85b3825b256307
TrojanSpy.Win32.AZORULT.UJL Troj.Win32.TRX.XXPE50FFF034
0b3e7faa3ad28853bb2b2ef188b310a676
63a96544076cd71c32ac088f9af74d
TrojanSpy.Win32.CLIPBANKER.BK Troj.Win32.TRX.XXPE50FFF034
13c0165703482dd521e1c1185838a6a12e
d5e980e7951a130444cf2feed1102e
Trojan.Win32.CRYPTINJECT.SMB Troj.Win32.TRX.XXPE50FFF034
fda64c0ac9be3d10c28035d12ac0f63d85
bb0733e78fe634a51474c83d0a0df8
TrojanSpy.Win32.CLIPBANKER.SMMR Troj.Win32.TRX.XXPE50FFF034
126569286f8a4caeeaba372c0bdba93a9b0
639beaad9c250b8223f8ecc1e8040
Trojan.Win32.CRYPTINJECT.SMB Troj.Win32.TRX.XXPE50FFF034

Indicators of Compromise for HawkEye Reborn spam 

SHA-256 Trend Micro Pattern Detection
0b9e5849d3ad904d0a8532a886bd3630c4eec3a6faf0cc68658f5ee4a5e803be Trojan.W97M.POWLOAD.THBBHBO


Indicators of Compromise for spam targeting Italy

SHA-256 Trend Micro Pattern Detection
6cc5e1e72411c4f4b2033ddafe61fdb567cb0e17ba7a3247acd60cbd4bc57bfb Trojan.X97M.POWLOAD.THCAOBO
7c12951672fb903f520136d191f3537bc74f832c5fc573909df4c7fa85c15105 Trojan.PS1.POWLOAD.JKP

Indicators of Compromise of spam targeting Italy (March 20)

SHA-256 Trend Micro Pattern Detection
dd6cf8e8a31f67101f974151333be2f0d674e170edd624ef9b850e3ee8698fa2 Trojan.W97M.JASCREX.BSUB

Indicators of Compromise for Netwalker ransomware campaign

Attachment Filename SHA-256 Trend Micro Pattern Detection
CORONAVIRUS.COVID-19.vbs 9f9027b5db5c408ee43ef2a7c7dd1aecbdb244ef6b16d9aafb599e8c40368967 Ransom.VBS.MAILTO.AA

Indicators of Compromise for DanaBot banking trojan

Attachment Filename SHA-256 Trend Micro Pattern Detection
regsrtjser346.exe 44c7ef261a066790a4ce332afc634fb5f89f3273c0c908ec02ab666088b27757 TrojanSpy.Win32.DANABOT.LR

Indicators of Compromise for keylogger files

Attachment Filename SHA-256 Trend Micro Pattern Detection
Eeskiri-COVID-19.chm 6117a9636e2983fb087c9c9eec2a3d2fbadb344a931e804b2c459a42db6d2a68 Trojan.HTML.KEYLOGGER.THDOABO
~tmp6.cab e02aedeea6c8dc50a5ff95d37210690daeeef172b2245e12fcf0913a492fd0ac Trojan.Win32.KEYLOGGER.THDOABO



HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.