Table of Contents:
- Threat 1: Fake Coronavirus-related Websites
- Threat 2: Coronavirus Ransomware hijacks computer files for Bitcoin
- Threat 3: Fake Covid-19 Maps infect devices to steal crypto and info
- Threat 4: KPot Infostealer extracts passwords and private keys
- Threat 5: Phishing emails: “Trickbot” fools Italian organizations
- Threat 6: Trojan Virus RAT infection via Chinese email
- Coronavirus Scams: Tips on how to avoid them
The rapidly escalating coronavirus pandemic caused a global meltdown this week on both traditional and cryptocurrency markets, wiping nearly $100B off the crypto market cap at one stage. As the world holds its breath and billions of people follow the latest developments online, unscrupulous hackers and cyber-criminals are once again using sophisticated malware, phishing and scam techniques to steal people’s money and crypto holdings.
Criminals are using the coronavirus chaos to set up phony Bitcoin donation channels, posing as representatives of the World Health Organization (WHO) and the U.S.’ Center for Disease Control and Prevention (CDC). They also use thousands of fake websites, maps, applications, program downloads, and email phishing campaigns in order to steal passwords, money, and cryptocurrencies, or hold user files to ransom.
Some of these threats are suspected to be the work of government spy groups in Russia, North Korea and China.
This has forced other countries, U.S. states and regulators like the SEC to issue investment scam warnings of their own. The European Central Bank (ECB) sent a letter to significant institutions on March 3rd to warn them to prepare contingency plans against these threats.
Luckily up until now, fraudsters have had little to no success receiving rewards in the form of cryptocurrency as a result. There are fears though that some of these malware-based attacks may be a smokescreen to obfuscate other malicious intentions.
Threat 1: Fake Coronavirus websites skyrocket
The security company Checkpoint issued a recent threat report on 5 March that warns against indiscriminately clicking on any coronavirus-related content. They found that cybercriminals are registering and building malicious websites and internet campaigns as fast as possible.
This is in order to cash in on the widespread panic and misinformation that is resulting in billions of current searches for updated information on coronavirus infection symptoms, rates, fatalities, incubation and quarantine measures.
According to the CheckPoint report:
“Since January 2020, there have been over 4,000 coronavirus-related domains registered globally. Out of these websites, 3 percent were found to be malicious and an additional 5 percent are suspicious…
The malicious rate of coronavirus-related domains is 50% higher than the overall rate of all domains registered over the same time period and even higher than recent seasonal themes such as Valentine’s day.”Checkpoint report on Covid-19 websites
On Twitter, the Malware Hunter Team has an excellent feed on current scam websites that are tricking users in the name of Covid-19.
Microsoft’s Security Intelligence account also provides fresh updates on coronavirus-related security threats:
Forbes also recently published this list of malicious websites and applications to avoid.
Threat 2: “CoronaVirus” Ransomware hijacks files for Bitcoin
The Malware Hunter Team (as well as Kaspersky researchers) have also uncovered a new ransomware threat that’s trying to cash in on the coronavirus mayhem.
The team found that a malicious website disseminated a new ransomware, “CoronaVirus” under the pretense of providing downloads of the system-optimizing application WiseCleaner.
When users download the fake applications, it activates a file, WSHSetup.exe that downloads the CoronaVirus Ransomware as well as the Kpot Infostealer trojan virus.
The CoronaVirus Ransomware, much like the ones found last year that targeted Fortnite users with “cheats”, encrypts the user’s computer and demands a payment in Bitcoin in order to restore access to the computer’s files and folders.
Threat 3: Fake Covid-19 Maps infect PCs to steal private data
As the Covid-19 outbreak escalated within days, more and more organizations have come up with digital map applications to keep track of new cases and their locations.
A researcher at Reason Labs found that hackers have been targeting this vital information source, by quickly building fake sites that prompt you to download a program to view the map dashboard. The program doesn’t need to be installed but appears to show a legitimate real-time map of the coronavirus spread.
In fact, it is a mere facade for hackers to create and install a malicious binary file onto your system, which is then used to steal passwords, user names, credit card details and other browser-based details.
The infected program uses the AZORult hacking program which not only extracts your data (such as passwords and cryptocurrency info) but also infects it with other malware. It can even create a secret administrator account on your computer to remotely steal information.
Shai Alfasi, the Reason Labs researcher who discovered the threat, also reported that:
“It is used to steal browsing history, cookies, ID/passwords, cryptocurrency and more. It can also download additional malware onto infected machines. AZORult is commonly sold on Russian underground forums for the purpose of collecting sensitive data from an infected computer. “
We advise readers to be careful when installing Coronavirus maps. Do research on the developer and seek online reviews first.
Threat 4: Kpot Infostealer extracts passwords and private keys
While the ransomware hasn’t been effective in receiving much in Bitcoin payments, BleepingComputer posits that it’s being used as a ruse to allow the real threat, the Kpot Infostealer installs itself and extracts users private information like passwords and cryptocurrency private keys.
It is advised that any user whose device has been compromised by either the Coronavirus ransomware or Kpot malware need to immediately access a secure other computer and change their private information such as user names and passwords.
Threat 5: Coronavirus Email Phishing
“Trickbot” malware fools 10% of Italian organizations
Check Point also revealed that in Italy, currently ground zero for the pandemic and under national lockdown, a sinister malware-carrying mass email attack allegedly had a success rate of infiltrating nearly 10% of Italian organizations.
The email claimed to be a warning from the WHO’s Italian director and prompted readers to open a fake, malware-infected Word.doc attachment(translated):
Subject: Coronavirus: Important information about precautions
Due to the number of cases of coronavirus infection that have been documented in your area, the World Health Organization has prepared a document that includes all the necessary precautions against coronavirus infection.
We strongly recommend that you read the document attached to this message.
With best regards,
Dr. Penelope Marchetti (World Health Organization – Italy)
Once clicked, readers would be directed to a fake Word loading screen that would ask for permission to enable editing and content. Once this was granted, the malware would install the Ostap Trojan-downloader, which is a form of Trickbot malware.
Trickbot malware is a powerful banking trojan virus that is frequently updated and very flexible in how it is distributed and attacks its victims’ devices, such as turning off Windows Defender for starters.
In another sophisticated email phishing campaign, an email supposedly from Mongolia’s Ministry of Foreign Affairs that warned about the rapid coronavirus infection rates in China
Threat 6: Trojan Virus RAT infection via email
According to ThreatPost, a recently uncovered an advanced persistent threat (APT) group, whose “Vicious Panda” email spear-phishing campaign exploited Mongolian public officials desperate to find coronavirus-related information.
The emails pretended to be from the Mongolian Ministry of Foreign Affairs and claimed to contain information about the prevalence of new coronavirus infections.
Researchers discovered that the hackers used two Rich Text Format (RTF) attachments to trick recipients into installing a remote-access-trojan (RAT) which can take screenshots, download files, create directory lists and more.
Coronavirus Scams: Use these tips to avoid them
The Financial Conduct Authority (FCA), the UK’s appointed virtual asset regulator, published a security guidance on 11 March that warned its citizens against coronavirus-related scams and financial threats.
In their statement, the FCA said:
“Watch out for scams related to coronavirus (COVID-19) …These scams take many forms and could be about insurance policies, pensions transfers or high-return investment opportunities, including investments in crypto assets.”
Here are 5 tips to avoid becoming a coronavirus scam victim, according to the FCA:
- Don’t give out any personal details, such as your address, bank account and existing financial details
- Reject out-of-the-blue proposals that come unannounced
- Beware of social media and sponsored or paid-for adverts
- Don’t get rushed or pressured into a decision
- If existing providers call you unannounced, call them back to make sure they’re legitimate
Criminals and bad actors are always looking to exploit noteworthy events or trends in order to relieve users from their money or cryptocurrencies, or even more nefariously, to install malicious malware that gives them surreptitious control and monitoring of individual and corporate users’ computers. They thrive in chaos where users often throw common sense out the window when panic, fear or greed strikes.
While readers already have enough on their plates dealing with the Covid-19 pandemic, the security of your private data and funds shouldn’t be another headache.
Avoid sensationalist websites and applications and follow the FCA’s tips above. Ensure your device is up to date with the latest anti-virus software and retain a certain amount of cynicism when dealing with unsolicited emails or online offers.
Stay safe out there in both your physical and digital worlds folks.