Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide

Recorded Future investigated how threat actors are using the global disruptions caused by COVID-19 to further their cyber threat activities. This research is targeted toward those who hope to understand the technical cybersecurity threats that have emerged from the spread of COVID-19.

Executive Summary

The emergence of coronavirus disease 2019 (COVID-19), the novel coronavirus that originated in late December 2019, has brought with it chaos in many different economic sectors — finance, manufacturing, and healthcare, to name a few. However, it has also originated a new cybersecurity threat, igniting a bevy of COVID-19-themed phishing lures and newly registered COVID-19-related domains. The technical threat surrounding COVID-19 primarily appears to be around phishing, with actors promising that attachments contain information about COVID-19.

Recorded Future observed an extensive list of actors and malware employing these techniques, including Trickbot, Lokibot, and Agent Tesla, targeting a broad set of victims, including those in the United States, Italy, Ukraine, and Iran in particular. Threat actors have also endeavored to gain the trust of victims using branding associated with the U.S. Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO), as well as country-specific health agencies such as the Public Health Center of the Ministry of Health of Ukraine and China’s Ministry of Health, and companies such as FedEx.

Key Findings

Graph showing the registrations of COVID-19-related domains per day in 2020. Recorded Future analysts created a query to find domain registrations of URLs containing “corona,” “covid19,” or “covid2019.” Download the appendix for a list of these domains.
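The keyword query described in the caption above, as an added example (not Recorded Future's query or code): it scans a newly-registered-domain feed for the same three terms, tallies hits per day as the chart does, and defangs matches for reporting. The feed format and the records in SAMPLE_FEED are assumptions constructed for the example.

```python
"""Added example: tally COVID-19-themed domain registrations per day from an NRD feed."""
from collections import Counter

# The three terms from the report's query; matched as case-insensitive substrings.
KEYWORDS = ("corona", "covid19", "covid2019")

# Constructed sample feed in "YYYY-MM-DD,domain" form (not real registrations).
SAMPLE_FEED = """\
2020-02-11,example-shop.com
2020-02-12,corona-update-map.com
2020-02-12,covid19-tracker.net
2020-02-12,CORONAVIRUS-news.org
2020-02-13,covid2019-relief.info
2020-02-13,coronation-street-fans.co.uk
2020-02-13,benign-site.org
"""

def parse_feed(text):
    """Yield (date, domain) pairs; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",", 1)
        if len(parts) == 2 and parts[0] and parts[1]:
            yield parts[0], parts[1].lower()

def matches(domain, keywords=KEYWORDS):
    """Substring match, as in the report's query. Note that unrelated words
    such as 'coronation' also match, so hits still need analyst review."""
    return any(k in domain for k in keywords)

def registrations_per_day(text, keywords=KEYWORDS):
    """Return {date: count} of matching registrations, sorted by date."""
    counts = Counter()
    for date, domain in parse_feed(text):
        if matches(domain, keywords):
            counts[date] += 1
    return dict(sorted(counts.items()))

def defang(domain):
    """Render a domain as a non-clickable indicator, e.g. ac19[.]ir."""
    return domain.replace(".", "[.]")

def matching_indicators(text, keywords=KEYWORDS):
    """Defanged list of matching domains, in feed order, for an appendix."""
    return [defang(d) for _, d in parse_feed(text) if matches(d, keywords)]

if __name__ == "__main__":
    print(registrations_per_day(SAMPLE_FEED))
    print(matching_indicators(SAMPLE_FEED))
```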

Background

According to the World Health Organization, the current coronavirus, known as Coronavirus Disease 2019 (COVID-19), was first reported from Wuhan, China on December 31, 2019. COVID-19 is a viral, respiratory disease that has spread throughout the world, causing fear and panic as the outbreak progresses.

To date, over 100,000 people have been infected across the world, and over 4,000 have died. Cybercriminals and threat actors have begun to take advantage of the notoriety of the virus and the uncertainty and fear associated with it, deploying phishing campaigns that use COVID-19 as a lure to get victims to download malware or give away personal information.

Analysis

To understand the use of COVID-19 by cybercriminals and threat actors, Recorded Future correlated the number of domains created associated with “coronavirus” in 2020 with the number of references to cyberattacks or exploits involving “coronavirus” or “COVID-19.”

Cyberattacks Using COVID-19

Over the last two months, Recorded Future has observed an increase in the number of instances involving COVID-19 used as an attack vector in any cyber incident, as shown in the timeline below:

Number of references to coronavirus or COVID-19 used in association with a cyber exploit or cyberattack over the past two months.

Beginning in late January 2020, the volume of data increases, with larger spikes as the number of COVID-19 infections rose through February. While Recorded Future has observed COVID-19 being used in different types of cyber incidents, it has primarily been used as a phishing lure. Using a Recorded Future query, we identified incidents of the malicious use of COVID-19 over the last month. Where possible, we provide IOCs for these campaigns in the appendix. The following incidents were identified:

Coronavirus has also been weaponized as a way to spread spyware by the Iranian government. Iran’s Health Ministry sent a message to victims advising them to download a specific application to monitor for potential symptoms of COVID-19. This application was, in reality, spyware. The malicious Android application, called ac19.apk, is capable of gathering victim location services and monitoring a user’s physical activity (such as walking or sitting) — ostensibly to determine where the user is going and when. The application is distributed on a website created by the Iranian government, https://ac19[.]ir/.

Domain Registrations

Beginning on January 12, the number of domain registrations started to increase, with an additional large spike on February 12, as shown in the first image, which aligns with the increase in the number of references seen in the previous image. This spike coincides with the largest single-day spike in the number of COVID-19 cases, as seen in the chart below:

Graph showing number of COVID-19 cases per day over time.

Recorded Future analysts cannot confidently attribute the mid-February domain registrations to the rise in cases during that period. However, we assess that this correlation possibly indicates that cybercriminals and other threat actors increasingly view the outbreak as a relevant targeting mechanism.

Outlook

Recorded Future observed cybercriminals and other threat actors employing references to COVID-19 primarily in phishing attacks designed to obtain victims’ personal information or to drop additional malware. Because these attacks prey on the fears of victims and often use a sense of urgency to get the victim to click, organizations should take the following precautions: