COVID-19 AZORult Phishing & Social Media Attacks
I. Targeted Industries
- Higher Education
- Financial Services
II. Executive Summary
The COVID-19 panic is being exploited to spread malware to many industries. Preventative measures must be implemented to mitigate attacks.
The primary types of malware being spread are Infostealers and Remote Access Trojans (RATs), which can compromise system security by providing threat actors confidential information including PII.
AZORult is an Infostealer that was first distributed in 2016. It has returned with phony COVID-19 maps that are circulated via phishing emails and social media. The map shows data aggregated from internet sites on its GUI and simultaneously collects data, searches for cryptocurrency wallets, and collects usernames and passwords. (1)
Organizations should be concerned with:
- Phishing attempts, carrying Infostealers, against people looking for more information about the virus.
- Fake COVID-19 maps. (1)(2)
- Company employees being sent safety procedures surrounding the virus, or a list of companies currently with COVID-19 infections, with Infostealers or RATs attached. (2)
III. Recommendations
- Provide employees notifications regarding phishing scam prevention and a list of trusted sites for information regarding COVID-19. Suggested site for distribution: https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams
- Employees should be instructed to visit only approved sites, such as the US-CERT site mentioned above.
- Organization information security teams should blacklist domains, emails, and IPs associated with COVID-19 scams. IOCs are included in the accompanying file.
- For remote employees, US-CERT is offering telework guidance. This information can be shared with employees. https://www.cisa.gov/coronavirus
- Continue to proactively patch and update environments with the latest software patches and security configurations, specifically VPNs, network infrastructure devices, and devices being used to remote into work environments. Antivirus software should be updated as well.
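Operationalizing the blocklisting recommendation above: an added example, not from the advisory, that matches an IOC list of domains, email addresses and IP ranges against proxy, mail and firewall log lines. The IOC values and log lines are constructed placeholders, since the advisory's real indicators live in its accompanying file.

```python
"""Match a COVID-19 scam IOC list against proxy/mail/firewall log lines."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed placeholder IOCs (NOT the advisory's real indicators).
IOC_DOMAINS = {"corona-virus-map.example", "covid19-tracker.example"}
IOC_EMAILS = {"alerts@who-update.example"}
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def domain_hits(host):
    """True if host equals, or is a subdomain of, a blocklisted domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def ip_hits(ip):
    """True if the address falls inside a blocklisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in IOC_NETWORKS)

def scan_line(line):
    """Return the set of (kind, value) IOC matches found in one log line."""
    hits = set()
    for url in URL_RE.findall(line):
        host = urlsplit(url).hostname or ""
        if domain_hits(host):
            hits.add(("domain", host))
    for mail in EMAIL_RE.findall(line):
        mail = mail.lower()
        if mail in IOC_EMAILS or domain_hits(mail.split("@", 1)[1]):
            hits.add(("email", mail))
    for ip in IP_RE.findall(line):
        if ip_hits(ip):
            hits.add(("ip", ip))
    return hits

def scan_log(lines):
    """Return [(line_no, hits)] for every line with at least one IOC match."""
    return [(i, h) for i, l in enumerate(lines, 1) for h in [scan_line(l)] if h]

# Constructed sample log lines (proxy, SMTP gateway, firewall, proxy).
SAMPLE_LOG = [
    "2020-03-12T09:14:02 proxy user=jdoe GET http://www.corona-virus-map.example/map.exe 200",
    "2020-03-12T09:15:10 smtp from=alerts@who-update.example subj='COVID-19 safety procedures'",
    "2020-03-12T09:16:44 fw allow dst=203.0.113.45:443 src=10.0.0.12",
    "2020-03-12T09:17:01 proxy user=asmith GET https://www.cisa.gov/coronavirus 200",
]
```

Running `scan_log(SAMPLE_LOG)` flags the first three lines (a subdomain of a blocklisted domain, a blocklisted sender, and an address inside a blocklisted range) and leaves the legitimate CISA request alone.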
IV. Background Information
COVID-19 cyber-attacks started in January 2020, exploiting the panic and disarray to distribute malware and steal information.
The lack of cybersecurity education among the general public and the increasing need to be informed make those researching COVID-19 quick and easy targets.
Threat actors, including espionage groups from China, North Korea, and Russia, are using COVID-19 phishing campaigns to spread malware. Industries with a high focus on international trading are being attacked with phishing emails regarding the status of trade.
Starting in February, employees received phishing emails, and fake COVID-19 maps were recorded early in the panic. Phishing attempts against the general public have increased since the beginning of March. (3)
V. Indicators of Compromise (IOCs)
Some email systems block files. You can visit the link below to download the identified IOCs.
(1) Reason CyberSecurity. (2020, March 17). “COVID-19, Info Stealer & the Map of Threats – Threat Analysis Report.” https://blog.reasonsecurity.com/2020/03/09/COVID-19-info-stealer-the-map-of-threats-threat-analysis-report/
(2) Trend Micro. “Developing Story: Coronavirus Used in Malicious Campaigns.” https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/coronavirus-used-in-spam-malware-file-names-and-malicious-domains
(3) Brewster, T. (2020, March 12). Forbes. https://www.forbes.com/sites/thomasbrewster/2020/03/12/coronavirus-scam-alert-watch-out-for-these-risky-covid-19-websites-and-emails/#18332b561099
Holmes, A. (2020, March 12). “Hackers are using these fake coronavirus maps to give people malware.” Business Insider. https://www.businessinsider.com/hackers-are-using-fake-coronavirus-maps-to-give-people-malware-2020-3
Cofense. (2020, March 17). “Threat Actors Capitalize on Global Concern About Coronavirus in New Phishing Campaigns.” https://cofense.com/threat-actors-capitalize-global-concern-coronavirus-new-phishing-campaigns/
This content is made available by the Florida Center for Cybersecurity for general educational purposes only and should not be used in lieu of obtaining competent legal advice from a licensed attorney and/or cybersecurity professional with the sufficient expertise necessary to address your organization’s specific needs. Use of this site does not create any special or fiduciary relationship between you and the Florida Center for Cybersecurity or the University of South Florida.