Trying Times: Coronavirus (COVID-19) Resources

Normally we try to let our personalities shine through our posts, but we are living in abnormal times. The coronavirus (COVID-19) is a pandemic and is affecting everyone and everything. As if worrying about whether or not you will live or die isn’t enough, criminals began capitalizing on the worry and confusion surrounding this threat very quickly.

You never want a serious crisis to go to waste

This quote from Rahm Emanuel holds true for those looking to make changes for the greater good just as it does for cybercriminals who hope to steal money and data. We have been tracking the use of the coronavirus lure since its beginning. We first saw signs that this might be used when the Emotet botnet repurposed a single Japanese-language email that contained references to COVID. While it was not necessarily intended to exploit the pandemic threat, it did bring it to our attention, as well as to the attention of a number of Japanese speakers working in cybersecurity.

The beginning of January was dominated by the return of Emotet and its close friends, Trickbot and Ryuk. While Emotet was making the headlines, crafty actors began to realize that they might be able to gain some market share by shifting from the normal invoice themes. One of our first examples of an intentional use of COVID as a lure was back on Jan 31st with a sender of cdc-gov[.]org. This example leveraged a popular service to host a credential phishing page.

Since that time, an explosion of templates has occurred. You can see a selection of those here: https://cofense.com/solutions/topic/coronavirus-infocenter/

We’d like to point out some open source resources for our readers to look at to help defend against this growing threat to their remote workers:

https://github.com/CofenseLabs/Coronavirus-Phishing-Yara-Rules

https://github.com/MishcondeReya/Covid-19-CTI

https://blacklist.cyberthreatcoalition.org/

https://github.com/parthdmaniar/coronavirus-covid-19-SARS-CoV-2-IoCs

https://github.com/advanced-threat-research/Yara-Rules/blob/master/ransomware/RANSOM_coronavirus.yar

https://github.com/merkleID/covid-domains

We wish you all the best and hope that you stay safe, both in the real world and on the wire.

 
