The NanoBot threat appears to be a new iteration of the well-known NanoCore RAT (Remote Access Trojan). According to reports, the operators of the NanoBot malware are using the fear and uncertainty around the Coronavirus (also known as COVID-19) pandemic that has grasped the hearts and minds of users worldwide. It comes as no surprise that cyber crooks are not afraid of stooping low and using such dirty tricks to propagate malware as these are individuals who do not bat an eye when breaking the law.
However, it would appear that the operators of the NanoBot Trojan are not targeting regular users. Instead, the campaign that utilizes the NanoBot threat seems to be going after high-profile targets – large organizations, government institutions, etc. The targets would receive an email, which claims to contain important information regarding the Coronavirus outbreak. It is likely that the fake message would be masked as a legitimate email originating from a trustworthy and well-known government body. This makes it far more probable for the target to fall for the trickery of the attackers.
With the pandemic continuing, cybercriminals have taken to using news related to coronavirus to deliver malware, launch phishing attacks, and defraud people by using the panic over coronavirus against them. These kinds of threats are easier to spread when people are worried about how the virus is spreading and what is being done to combat it. Now is the time to strike for these threat actors.
The latest data shows that these coronavirus-related threats are exploding. There were almost five times as many (475%) such attacks during March compared to February. There's no telling what the final tally will be for April, given that we're barely a week into the month.
The spate of new attacks was likely aimed at countries that are seeing more coronavirus infections. The attacks work to manipulate the fears of people in these countries.
As officials continue to struggle to come up with proper procedures over quarantines and cures, threat actors are mobilizing quickly. Threat actors entice their victims by offering the latest information about new cases and protection procedures.
A total of 1,448 malicious attacks were reported in February compared to the 8,319 reported for March. Cyber attacks related to coronavirus appear to spread as quickly as the real-life disease itself.
The most common targets for the attacks are governments, hospitality, retail, education, research, and transportation sectors. It might seem odd to target some of these sectors, but they do make sense; these sectors all deal with large groups of people interacting with each other. People in these groups are going to want to know the latest information on how to protect themselves against infection.
This line of thinking appears in the methodology behind the attacks. The threat actors send emails disguised as emails from official sources such as the World Health Organization and NATO. The emails target people who are hoping to get information from official sources. The victims are more likely to believe the email is genuine if they think it comes from an official source like this.
The education ministries, health ministries and departments, and the emergency services are the most commonly targeted government organizations.
For the healthcare sector, the most common targets were hospitals, pharmacies, and medical equipment distributors. These targets were sent false information about procedures they should take, drugs that allegedly help prevent infections and treat COVID-19, and medical equipment for sale.
Fake email used to target Thai companies
The image above depicts a fake email targeting Thailand's healthcare services. The title of the email, when translated, reads "Fwd: Re: CoronaVirus Express Information." The file attached to the email, which no doubt contains a virus, is called "Ministry of Public Health Corona Virus Information Urgent 2020.gz". The email promises that the attachment includes exclusive information for medical staff. Take a look at the email, and you'll see it even uses the official logo of the Thailand Establishment of National Institute of Health to appear more legitimate.
In every tainted document released to the public, the filenames all have some kind of coronavirus theme. All the emails promise to contain information about the outbreak the reader won't find anywhere else.
For example, the most popular attack patterns involve claiming the attached file is a PDF file when it is an executable or .bat file. Using a double extension like this is a common way to trick users. If a user has "hide file extensions" enabled in their File Explorer settings, they won't know that the file is a different type than the email says. The files from the emails all contain malware that, once executed, deploys all manner of threats, including NanoBot.
The trojans used in the attacks steal information from computers. They look for usernames and passwords that the threat actors will use for financial gain. Hackers can also use these credentials to access accounts and services used by their victims.
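A mail filter can catch the double-extension trick described above by checking both the attachment name and its leading bytes. The following is an added example, not code from the campaign or from any vendor; the extension lists, function names, and the sample message with its attachments are assumptions constructed for illustration.

```python
import os
from email.message import EmailMessage

# Assumed extension lists for this example; adjust to local mail policy.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXEC_EXTS = {".exe", ".bat", ".cmd", ".scr", ".com", ".pif", ".vbs", ".js"}

def check_attachment(filename, payload):
    """Return the reasons an attachment looks like a disguised executable."""
    stem, last = os.path.splitext(filename.strip().lower())
    prev = os.path.splitext(stem.strip())[1]
    reasons = []
    if last in EXEC_EXTS and prev in DOC_EXTS:
        reasons.append(f"double extension {prev}{last}")
    elif last in EXEC_EXTS:
        reasons.append(f"executable extension {last}")
    # Content checks do not depend on the name the sender chose.
    if payload[:2] == b"MZ":
        reasons.append("Windows executable header (MZ)")
    if last == ".pdf" and not payload.lstrip().startswith(b"%PDF-"):
        reasons.append("named .pdf but content is not a PDF")
    return reasons

def scan_message(msg):
    """Map each suspicious attachment name to its list of reasons."""
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = check_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings

def build_sample():
    """Constructed message; attachment names and bytes are made up."""
    msg = EmailMessage()
    msg["Subject"] = "Fwd: Re: CoronaVirus Express Information"
    msg["From"], msg["To"] = "sender@example.org", "staff@example.org"
    msg.set_content("Constructed sample body.")
    samples = [("Guidance.pdf.exe", b"MZ\x90\x00" + b"\x00" * 16),
               ("Measures.pdf.bat", b"@echo off\r\n"),
               ("Bulletin.pdf", b"%PDF-1.4\n%%EOF\n")]
    for name, data in samples:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The name check catches the trick even when the user's file manager hides extensions, and the header check still fires if the sender renames the executable to a plain .pdf.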
Targeting Coronavirus-Infected Countries
Malicious attacks related to coronavirus have taken off as the virus itself has. Things have been moving fast since January. Back in January, only a handful of countries, such as China and the United States, were reporting malicious attacks related to the virus. These reports are now coming in from across the world, with every country in Europe hit with coronavirus-related attacks.
The rise in attacks seen in March included attacks on Italy, France, Turkey, Germany, Spain, Canada, Thailand, and the United States. The one thing these countries have in common is they have seen a considerable number of coronavirus cases and have been deeply affected by the outbreak. This increase in infections is likely what prompted the threat actors to focus their malware attacks on those regions.
As if it wasn't bad enough that these countries are facing the real-life threat of coronavirus, threat actors continue to exploit the panic, confusion, and misinformation around the virus to spread their scams and infections. Threat actors are playing off of people's fears and exploiting them for personal gain as surely as any other virus profiteer.
What You Need to Know
As countries continue to struggle to stop the spread of coronavirus, the average citizen is no doubt looking for all the help and information they can find. People are turning to the internet for their information. The problem with doing this is that there's often no guarantee the information comes from a reliable source.
There's a lot of malware out there, and cybercriminals aren't afraid to use any means at their disposal to trick you into downloading it. No one wants to have to deal with virtual viruses while they contend with a real-life one.
Much like with real-life viruses, though, some good computer hygiene can help to protect you and your computer. Protecting yourself also means protecting people around you, as your computer won't be used to infect others. Make sure that emails come from a reliable and trusted source, and don't open any attachments unless you are sure that it is safe to do so. It's recommended that you install antivirus software that scans attachments for you. You've got enough to worry about with keeping yourself and your family safe; you don't want to have to deal with digital threats too.