Cybercriminals Exploit Coronavirus Spread with Malware, Phishing Schemes

With constant coverage and updates about the spread of the coronavirus, it is no wonder we are seeing cybercriminals attempt to capitalize on this upsetting situation. Attempts to exploit public fear and interest should not come as a surprise. Almost every recent major event has been exploited by cybercriminals, from political and military events to Cyber Monday, from tragedies to celebrities.

In recent weeks, IntSights researchers have witnessed multiple cybercrime offerings and attacks themed around the novel coronavirus called COVID-19. One such example is a Russian underground vendor offering malware that looks like the Johns Hopkins coronavirus map – which pulls real-time data from the legitimate site – and installs the AZORult info stealer. AZORult is malware that first surfaced in 2016 and has since been updated and upgraded to include more advanced functions such as RDP and to serve as a downloader for other malware such as ransomware. Multiple researchers have reported that prevalent malware such as Emotet and Ramnit download AZORult.

One Japanese researcher reported Emotet’s use of the coronavirus scare as an infection method back in January.

Some phishing campaigns are created to infect computers with malware, others to obtain username and password information, and some go directly for transactions – for example, claiming to be an invoice for face masks or masquerading as the WHO (World Health Organization) and the CDC (Centers for Disease Control).

While the FTC released a warning about potential coronavirus scams, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) released an advisory with infrastructure- and workforce-related security guidelines and tips, which are critical for organizations to implement. While many of these guidelines also apply during regular times, it is important to keep in mind that with significant shifts to a remote workforce model, employees become more susceptible to attacks. Workers who decide to use their private computers at home to conduct work-related activities, users who are not accustomed to always using a VPN, and employees who have privileged access to internal resources are all prime targets.

It is at times like these that people, processes and technology are all tested – and not just for enterprises and cybercrime victims. Threat actors are also feeling the detrimental impact of the novel coronavirus outbreak and economic fallout.

On March 9, 2020, the World Health Organization reported over 110,000 cases of COVID-19 globally, which has led to 3,800 deaths. Oil prices plunged as Saudi Arabia launched a price war with Russia. That same day, global stock markets crashed in reaction to investor fears. All three major indexes recorded one of the largest loss percentages in history. When the closing bell rang, the Dow Jones registered a 7.79 percent drop, a record loss. The Nasdaq Composite and S&P 500 also reported heavy losses – 7.29 percent and 7.6 percent, respectively.

That same day, cryptocurrency markets lost over $26 billion, with Bitcoin, the world’s biggest cryptocurrency, losing 10 percent in one day. Other digital coins, including Ethereum, XRP, and BitcoinCash, logged double-digit losses.

What does this loss mean for threat actors who rely primarily on digital currencies for their livelihood and business? Based on underground chatter in criminal forums, IntSights researchers predict two outcomes: a temporary slowdown in the trade of criminal goods and services – including stolen credit cards and credentials – and an increase in the purchase of cryptocurrencies while costs are low.

Increased investment in digital coins is likely to happen in more stable regions of the world, where criminals have invested in local currencies and physical goods. Poorer regions of the world will experience significantly greater instability and slowdown in cybercrime because threat actors have less invested in regional currencies. Latin America is a prime example of a region that will likely experience a temporary slowdown.

The recent IntSights report The Dark Side of Latin America describes how countries like Argentina and Venezuela, which rely heavily on the relative stability of cryptocurrencies due to their regional economic turmoil, are suffering temporary losses. This trend will subside as the markets recover, but will remain volatile until novel coronavirus infections and deaths are slowed and an antiviral drug is released to the public.

For more on the unique cybersecurity challenges posed by the coronavirus pandemic, download our report, The Cyber Threat Impact of COVID-19 to Global Business.
