<\/p>\n\n\n\n
Criminals always take advantage of major events in phishing campaigns. The COVID-19 outbreak has become the reason for fear and uncertainty in all spheres, so it has become an ideal disguise for attacks. Phishing has increased a lot due to the Coronavirus. And threat authors spread malware to steal personal information using various options.
<\/p>\n\n\n\n
Based on the ANY.RUN\u2019s submissions, we can report that there are different kinds of phishing decoys that malware uses. Thanks to the service\u2019s interactivity we could detect various malicious programs that were hiding behind these examples:
<\/p>\n\n\n\n
- Advertisements for Coronavirus services and products <\/strong><\/li><\/ul>\n\n\n\n
Facemasks, medical supplies, special offers – these advertisements make users fall for the clickbait. But these actions can lead to information extraction from the victim\u2019s computer system, its infection, and collecting credit card data.
<\/p>\n\n\n\n<\/figure>\n\n\n\n
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2020\/12\/2-2.png\")
<\/figure>\n\n\n\nIf you like you can check out the tasks with the smell test sample<\/a> and the temperature screening example<\/a>. <\/p>\n\n\n\n
The dark web also contributes to the corona sale: cybercriminals sell malware and exploitation tools using COVID-19 codes and discounts. Hackers are offered to buy phishing email kits, Facebook account hacking tools, or malware-as-a-service.
<\/p>\n\n\n\n- Coronavirus-Related Maps<\/strong><\/li><\/ul>\n\n\n\n
Threat actors create different attachments and websites that display a map representing Coronavirus spread.<\/strong> It offers users to click or download an application to stay informed of everything that happens. The map generates a malicious binary file and infects targets\u2019 computers.
<\/p>\n\n\n\nIn this case, criminals may use AZORult malware <\/a>to steal users\u2019 browsing history, cookies, IDs, passwords as well as install other malware.<\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
The map task<\/a> is available for your research, don’t forget to have a look! <\/p>\n\n\n\n
- Vaccine<\/strong> <\/li><\/ul>\n\n\n\n
Promises of a vaccine are actively used in phishing. Drug companies developing vaccines as well as common users become targets of malicious attacks.
<\/p>\n\n\n\n- Coronavirus News Stories<\/strong><\/li><\/ul>\n\n\n\n
The Coronavirus latest updates<\/strong> are a very popular topic in spam and malicious emails. They pretend to be the Ministry of Health newsletters or others. It can provide recommendations<\/strong> on how to avoid infection in an attachment but instead of advice, you get malware.<\/p>\n\n\n\n
<\/figure>\n\n\n\n
<\/figure>\n\n\n\n
Try out the statistics example<\/a> and the updates example <\/a>by yourself.
<\/p>\n\n\n\n- Coronavirus funds and payments, job listings<\/strong><\/li><\/ul>\n\n\n\n
Cybercriminals send emails faking reliable and official organizations like the Federal Trade Commission, with information about the virus and special funds, that can provide some financial help. <\/strong>Hundreds of people found themselves unemployed because of the pandemic. And it drives them to click on opening malicious emails with job possibilities or payment offers and forms. However, embedded links and attachments are most likely to lead to the infection by malware. <\/p>\n\n\n\n
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2020\/12\/6.png\")
<\/figure>\n\n\n\nWould you like to trace the fund sample <\/a>and find out what malware this decoy contains? Just go ahead and do it!
<\/p>\n\n\n\n- School updates<\/strong><\/li><\/ul>\n\n\n\n
Instead of faking information on the virus, threat actors leverage school updates and job listings related to the topic. For example, many schools require the health information of students as part of their safety protocols. In October, the University of British Columbia staff suffered from ransomware while completing a phony health survey.
<\/p>\n\n\n\nFile extensions types of COVID-19 decoys<\/strong>
<\/p>\n\n\n\nCrooks lure people into taking risky actions by various phishing decoys. And victims buy for them without a second thought about the consequences, because all baits look valid. Everything is applied: from malicious documents to web pages that save files with the \u201cCoronavirus\u201d name in the system.
<\/p>\n\n\n\nFirst of all, it\u2019s worth mentioning the file names<\/strong> that trigger users the most: <\/p>\n\n\n\n
- Name list for funds or payments<\/li>
- Donation proposal<\/li>
- COVID-19 update\/situation report\/news summary<\/li>
- General information on Coronavirus disease<\/li>
- Coronavirus Checklist\/guidelines for employees and organizations<\/li>
- COVID-19 Measures <\/li>
- Test form\/application<\/li><\/ul>\n\n\n\n
Here are the most common file extensions with examples. And don\u2019t forget that you can investigate all the tasks mentioned by yourself.
<\/p>\n\n\n\n\u2013 PDF
<\/strong><\/p>\n\n\n\nThe PDF task<\/a>‘s file is supposed to contain hospital information on the virus, but the link leads to stealing a password.
<\/p>\n\n\n\n<\/figure>\n\n\n\n
<\/p>\n\n\n\n
\u2013 documents
<\/strong><\/p>\n\n\n\nFor example, the document sample<\/a> offers coronavirus-related tax relief measures and a Netwire as a bonus.<\/p>\n\n\n\n
<\/figure>\n\n\n\n
\u2013 sites
<\/strong><\/p>\n\n\n\nEvery day 1,767 high-risk Coronavirus-themed domain names are created. There are more than 5 billion pages related to the topic on the Internet. Have a look at one of them in the site task<\/a>.
<\/p>\n\n\n\n<\/figure>\n\n\n\n
\u2013 EXE
<\/strong><\/p>\n\n\n\nThe following file from the EXE sample<\/a> is a live tracker, that attacks the network and has several malicious connections.<\/p>\n\n\n\n
<\/figure>\n\n\n\n
<\/p>\n\n\n\n
\u2013 archives
<\/strong><\/p>\n\n\n\nMalicious connections and a detected Network trojan come as a surprise in this archive example<\/a>. We bet, this opposite of what you\u2019re hoping to unpack. <\/p>\n\n\n\n
<\/figure>\n\n\n\n
These tempting decoys are spread and used widely. But what\u2019s waiting for the victim if they can\u2019t resist a clickbait? Let\u2019s talk about the top malware that hackers prefer during the Coronavirus outbreak.
<\/p>\n\n\n\nMalware used during the pandemic<\/strong>
<\/p>\n\n\n\nMalware writers exploit all kinds of malware and tactics masking behind the virus and benefiting from it. There is no unified structure that criminals follow and all sectors are at risk.
<\/p>\n\n\n\n![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2020\/12\/Frame-609-1.png\")
<\/figure>\n\n\n\nIn the figure above you can see the statistics of threats by uploads with the Covid-19 theme for the December 2019 to December 2020 period. There are 13192<\/strong> virus-themed samples from the public submissions<\/a> that we analyzed. Of course, not every sample with the COVID-19 tag is malicious. But 6052<\/strong> tasks appeared to contain malware or do any other harmful activities.
<\/p>\n\n\n\nAnd there are some notable results of our analytics: <\/strong>
<\/p>\n\n\n\nAgent Tesla, Emotet, Lokibot, Nanocore, and Netwalker are the top 5 malware <\/strong>capitalizing on the virus. Here are the reasons why they\u2019ve become so successful.<\/p>\n\n\n\n
1. Agent Tesla<\/a><\/p>\n\n\n\nThe spyware is very affordable for attackers, about $15-70. Authors of the malware are ready to help criminals who have even no technical background with support, customizable options, and expanded functionality. Moreover, it has good evasion techniques.<\/p>\n\n\n\n
2. Emotet<\/a><\/p>\n\n\n\n
A sophisticated malware that developed from a standard Trojan to the polymorphic distributor of other malicious programs. Emotet is extremely hard to clean up. In addition, it can evade sandboxes, change its code, receive updates, and adapt to different attacks.
<\/p>\n\n\n\n3. Lokibot<\/a><\/p>\n\n\n\n
Criminals who use Lokibot in their attacks are able to install additional malicious software. Besides, it contains a keylogging feature.
<\/p>\n\n\n\n4. Nanocore<\/a> <\/p>\n\n\n\n
This accessible RAT is very easy to use and has a big range of configurations for attackers\u2019 needs.
<\/p>\n\n\n\n5. Netwalker<\/a><\/p>\n\n\n\n
The notable Netware feature is that it’s written in PowerShell so it executes directly in memory and without storing the actual ransomware binary into the disk. This makes the ransomware a real challenge to detect.
<\/p>\n\n\n\nThe usage of the malware above is constantly increasing. And it\u2019s no surprise, as they have such an environment to thrive in. Let\u2019s have a closer look at the most popular malware types, their features, and tactics to be aware of how they usually act.
<\/p>\n\n\n\nPopular malware types<\/strong>
<\/p>\n\n\n\n![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2020\/12\/Frame-611-1-1.png\")
<\/figure>\n\n\n\nHere are the most popular malware types that are on the rise during the pandemic according to the ANY.RUN\u2019s uploads:
<\/p>\n\n\n\n1. Trojan<\/strong><\/p>\n\n\n\n
Trojan malware is designed to take over your machine.<\/strong> It is capable of damaging, disrupting, stealing, or other harmful actions with data or networks.
<\/p>\n\n\n\n2. Loader<\/strong><\/p>\n\n\n\n
These viruses\u2019 main goal is to install other malware on the infected system. Basically, this type drops an infected payload. However, they can steal data or be engaged in spying.
<\/p>\n\n\n\n3. RAT<\/strong><\/p>\n\n\n\n
With Remote Access Trojan a victim doesn\u2019t even know that their computer is monitored and controlled. The remote access gives attackers the possibility to control infected machines completely and anonymously.
<\/p>\n\n\n\n4. Stealer<\/strong><\/p>\n\n\n\n
As you know, an information stealer gets into an infected device and collects your personal information to send it to criminals.
<\/p>\n\n\n\n5. Ransomware<\/strong><\/p>\n\n\n\n
Some of the \u201cteams\u201d behind ransomware such as Netwalker besides encrypting data and demanding a ransom to restore it, use the double-extortion ransomware. It threatens t<\/strong>o publish or sell the enciphered data if there is no payment.
<\/p>\n\n\n\nAccording to the latest research, the number of ransomware attacks is estimated at 199.7 million cases<\/strong> in the 3d quarter of 2020 globally. Considering that the US only suffered from 145.2 million ransomware hits, which is a 139% year-over-year increase compared to the previous year.
<\/p>\n\n\n\nRemote<\/strong> work<\/strong>
<\/p>\n\n\n\nCOVID-19 forced organizations to get adapted to remote work very quickly. There is no corporate perimeter now, where companies used to organize everything centrally. Working remotely requires profound security improvements. You should also get ready that remote work isn\u2019t going anywhere in 2021.
<\/p>\n\n\n\nAnd every employee needs to contribute to avoid any data exposure<\/strong> and securely navigate their work tools. Being aware of possible threats and getting to know even basic precautions can help to prevent damage. So, staff education should be one of the main concerns, especially taking into account social engineering schemes in attacks. You should also know how to work remotely in the cybersecurity sphere<\/a> and the way to structure your work from home.
<\/p>\n\n\n\nHow can ANY.RUN help?<\/strong>
<\/p>\n\n\n\nThe more and more types of malware use the decoys connected to COVID-19. And in ANY.RUN<\/a>, we try to help users get through scams, bring malware to light, and not fall for its tricks.
<\/p>\n\n\n\nHere are several perks you can use to avoid pandemic related threats:
<\/p>\n\n\n\n
- School updates<\/strong><\/li><\/ul>\n\n\n\n
- Coronavirus funds and payments, job listings<\/strong><\/li><\/ul>\n\n\n\n
- Coronavirus News Stories<\/strong><\/li><\/ul>\n\n\n\n
- Vaccine<\/strong> <\/li><\/ul>\n\n\n\n
- Coronavirus-Related Maps<\/strong><\/li><\/ul>\n\n\n\n