How Cybercriminals Use Panic to Defraud and Infect Organizations

By on

Click to learn more about author David Balaban

The dreadful coronavirus is taking the world by storm, and humanity is on the threshold of serious changes over the pandemic officially declared on March 11, 2020. Also referred to as COVID-19 or the 2019 Novel Coronavirus (2019-nCoV), this strain is now running rampant across different parts of the globe. At the time of this publication, the total number of reported coronavirus deaths was over 200,000, so it comes as no surprise that the disease instills fear in people regardless of their residence.

It’s common knowledge that malicious actors follow the headlines and never miss hype trains. This time, they piggyback on the “infodemic” to orchestrate massive online scams and spread malware, demonstrating once again that the margin between the real world and the cyber world is a slim one. This article will give you information on cybercrime implications of the COVID-19 outbreak and methods to safeguard the digital life of your organization against the escalating e-threat.

Coronavirus-Themed Phishing on the Rise

Malefactors are increasingly cashing in on the panic to execute social engineering scams whose goal is to wheedle out sensitive information or money. To set these hoaxes in motion, crooks send numerous emails impersonating reputable healthcare organizations and requesting sensitive credentials or a donation to fund research and treatment of those infected. The most massive phishing campaigns revolving around the COVID-19 theme are as follows.

The “Safety Measures” Email Fraud

While trying to stay tuned for the latest updates about this unnerving disease subject, people run the risk of being ambushed in an ongoing scam wave. Cybercrooks have been busy sending bogus emails disguised as an official advisory from the World Health Organization (WHO) since early February 2020.

The lure is an embedded button saying “Safety Measures,” which supposedly leads to a file listing the entirety of up-to-date coronavirus precautions. Instead of triggering the purported download, though, the button forwards the recipient to a fabricated email verification form asking for their username and password.

A clever trick that plays into the fraudsters’ hands is that the “Verify Your Email” pop-up seems to be displayed on top of the legitimate WHO website. However, the genuine page is actually rendered within a frame constituting the malicious landing site. Once the unsuspecting user enters and submits their credentials, this information instantly goes to the felons, and the browser is redirected to, the real web page of the World Health Organization.

Fortunately, several giveaways may help a vigilant user identify the scam. First of all, the criminals don’t take proofreading seriously, and therefore, the email body is full of spelling errors and awkward typos. Secondly, the WHO page replica is an HTTP site rather than HTTPS, which is a red flag many people will notice. Despite the imperfections, this hoax is still up and running.

Alert from the CDC? Not Really

In another move, threat actors are sending phony emails impersonating the U.S. Centers for Disease Control and Prevention (CDC). These messages claim to notify the recipients about new contamination reports in their area as part of a recently established incident management system.

This way, the scammers try to hoodwink users into clicking a bait link that purportedly leads to an “updated list of new cases” around their city. The resulting page is a phishing site that harvests the targets’ sensitive credentials. Unlike the above-mentioned fake WHO advisory scam, the email looks competently tailored and may be based on real CDC press release templates. Additionally, its subject has a stronger element of pressure and urgency, making it more likely that people follow the fake hyperlink and give away their personal info.

Fear as a Source of Malware Distribution

Cybercriminals’ efforts to exploit the coronavirus theme aren’t restricted to phishing. The delivery of malware payloads is one more vector of their shenanigans. In the wake of the current crisis, users may lose vigilance, and it’s easier for crooks to dupe them into opening booby-trapped email attachments or downloading malicious files from sketchy resources. Here is a summary of notorious campaigns using the panic as leverage for spreading harmful code.

Remcos RAT Gets a Propagation Boost

The remote access tool (RAT), dubbed Remcos, originally surfaced in August 2019. It had mostly remained on the sidelines of the cybercrime ecosystem until its operators added the coronavirus theme to their distribution repertoire.

In late February 2020, analysts at Cybaze-Yoroi ZLab security firm came across a Remcos RAT payload camouflaged as an executable file named CoronaVirusSafetyMeasures_pdf.exe. This object was submitted to their malware sandbox service, and it’s unclear how exactly it reaches victims at this point. The researchers believe the threat most likely arrives over email.

The role of the above-mentioned file is to drop the Remcos executable onto a computer along with a VBScript item that launches the RAT. To gain a firm foothold in the host system, the infection adds the “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce” registry key to make sure it is triggered at boot time.

When running, Remcos RAT keeps tabs on the victim’s keystrokes and saves this information to the “logs.dat” file created in “%AppData%\Local\Temp\onedriv” path. All the data amassed in the course of this reconnaissance is sent to the criminals’ command-and-control server.

The Opportunistic Spike in Emotet Malware Circulation

The notorious info-stealing Trojan called Emotet is at the core of a coronavirus-themed spam campaign that broke out in late January 2020. It zeroes in on Japanese users via deceptive emails warning the recipients about infection cases in different regions of the country, including the Osaka, Gifu, and Tottori prefectures.

According to experts at IBM X-Force Threat Intelligence, who unearthed this hoax, the fake messages are masqueraded as alerts issued by local healthcare centers. The text written in Japanese says new patients were reported in the would-be victim’s area. To learn the details, the user is instructed to open the Word document attached to this email.

However, this file won’t display any content until the target clicks on a prompt to enable macros. This is a well-known malware deployment trick involving a VBA macro that covertly fires up a PowerShell command to download a harmful program (Emotet in this scenario).

Lokibot Trojan Authors Jump on the Bandwagon

Another infamous info-stealer known as Lokibot follows in the footsteps of Emotet, capitalizing on the 2019-nCoV scare to make the rounds on a large scale. To deposit the malicious payload onto as many computers as possible, the threat actors are sending rogue emails disguised as an emergency regulation ordinance issued by the Ministry of Health of the People’s Republic of China.

Interestingly, the email includes the phrase “for the safety of your industry,” which is a clue suggesting that the campaign may primarily target businesses. The recipient is instructed to unpack the RAR archive attached to the message and then open the enclosed batch file named “Emergency Regulation.” This completes the infection chain, and Lokibot starts collecting the victim’s passwords along with other sensitive data. When done, it submits the stolen information to a C2 server.

FormBook Malware Operators Follow Suit

The FormBook info-stealer is the latest addition to the series of digital threats whose distributors don’t mind taking advantage of COVID-19 fears. Security analysts have recently stumbled upon bogus emails claiming to provide the “latest updates on coronavirus disease outbreak” on behalf of the World Health Organization.

These messages include a ZIP attachment containing a malicious binary named MyHealth.exe. This object turns out to be a relatively new malware downloader known as GuLoader. When triggered, it downloads a copy of FormBook from Google Drive cloud storage. To make sure that the second-stage payload slips below the radar of antivirus software, GuLoader injects the malicious process into wininit.exe, the legitimate Windows application launcher. The resulting malware is capable of logging the victim’s keystrokes, stealing clipboard information, and monitoring data related to web surfing sessions.

Pharma Spam Skyrockets

Fake online drug stores are rapidly gaining momentum amidst the global healthcare crisis. To lure people into visiting dubious pharmacy sites, criminals are employing several old school techniques that work well due to the hype around the terrifying respiratory illness.

According to the findings of researchers at cybersecurity company Imperva, the dominant vector boils down to comment spamming. This technique engages automated bots or scripts that inject malicious links into regular user comments on various websites. These URLs lead to counterfeit online pharmacies.

Not only can this method encourage some site visitors to click on the shady links, but it is also an element of a clever SEO strategy. A slew of trending coronavirus-related keywords sprinkled across these web pages might make them rank higher in search results, which potentially means more leads to the bogus sites selling worthless drugs.

In some scenarios, the links in malicious comments point to some neutral web pages providing general medical information or a real-time map that reflects the propagation of the disease. These ostensibly benign sites end up redirecting visitors to dubious pharma businesses.

How to Avoid Scams

Unfortunately, cybercriminals treat the widely publicized coronavirus threat as an opportunity to steal users’ sensitive information and promote malware. Therefore, if you receive an email claiming to be from the World Health Organization (WHO) or a local healthcare institution, think twice before clicking on a link in it or opening the attached file. If the message tries to pressure you into accessing some web page or downloading a file urgently, this can be a telltale sign of a scam.

Here is a round-up of the recommendations on this matter from the U.S. Federal Trade Commission (FTC):

  • Don’t click on links from unknown sources.
  • Treat emails claiming to be from the Centers for Disease Control and Prevention (CDC) with caution. To get the latest information about the coronavirus, visit the official CDC or WHO website instead.
  • Don’t fall for ads offering vaccinations.
  • Refrain from making donations in cash, via a wire transfer, or by gift card, especially if someone sends you an email asking for it.
  • Exercise caution with questionable investment opportunities marketed on social media and through other online channels. This tip is particularly relevant if a product or service is purported to prevent or cure COVID-19.

As an extra layer of defense against malware distribution campaigns relying on the coronavirus panic, be sure to use reliable security software that can detect suspicious payloads and block them before they cause harm.

Leave a Reply