As the Covid-19 pandemic goes into full swing, we see increasing numbers of hackers and nation-state actors trying to exploit the global fears for their own gains, spreading malicious software through a slew of outlets supposedly offering information about the coronavirus.
Cybercrooks have seized the social engineering opportunity that the novel Covid-19 has presented, as more and more people around the world are trying to find information about the disease. Security researchers have come across government documents, health fact sheets, and tracking maps in numerous languages that were laced with different types of malicious software.
The hotbed of the Covid-19 infection in Europe, Italy, has been targeted by spearphishing campaigns in which Microsoft Word documents that supposedly contained information about the prevention of the spread of the disease were found to contain a new variant of the Trickbot banking trojan.
According to security researchers at FireEye, well-known Russian hacking groups have set their aim on Ukraine, while a South Korean nongovernmental organization was targeted by North Korean threat actors. Chinese hackers are also reported to have targeted several countries in East Asia with malware-laced documents containing official statistics about the Coronavirus infection.
Apart from targeted hacking campaigns, threat actors have also set up numerous websites, offering maps that monitor the spread of the disease worldwide. Unlike legitimate websites that provide the same information, the fake ones usually prompt users to download an application for staying updated on the global spread of Covid-19. As experts warn, this application doesn't even need to be installed to infect a user's computer with malware.
In a blog post, Shai Alfasi, a security researcher at Reason Labs, explained that the threat actors leveraging the fake coronavirus maps are using the AZORult malware to infect users' computers, stating:
"The new malware activates a strain of malicious software known as AZORult. AZORult is an information stealer and was first discovered in 2016. It is used to steal browsing history, cookies, ID/passwords, cryptocurrency and more. It can also download additional malware onto infected machines. AZORult is commonly sold on Russian underground forums for the purpose of collecting sensitive data from an infected computer."
The fact that many government officials around the world have also been infected with the Covid-19 virus has given threat actors an opportunity to take aim at two prime target groups - people looking for answers in a time of crisis and officials that may have access to sensitive information.
Among the more sophisticated campaigns, security researchers have come across a group of Chinese hackers that they dubbed Vicious Panda. Researchers at Israel-based technology company Check Point have called the Vicious Panda hacking group an "advanced persistent threat," a categorization reserved for well-organized and technically adept attackers that often work for a nation-state.
According to a report issued by security researchers at Check Point, Vicious Panda has used a fake document that purportedly contained coronavirus infection information from the Mongolian Health Ministry to lure users into sharing sensitive personal data.
Lotem Finkelstein, head of intelligence at Check Point, has stated in a news release that "Covid-19 is presenting not only a physical threat but a cyber threat as well," adding, "All public sector entities and [telecommunications companies] everywhere should be extra wary of documents and websites themed around Coronavirus."
Reports have also indicated that out of the four thousand domains related to the coronavirus that have recently been registered, around 3% contain malicious software.