Unscrupulous marketers and cyber-criminals have seized upon concerns over the emergence of the COVID-19 global pandemic as bait for spam, phishing attacks and malware. In recent weeks, the use of “coronavirus” and “COVID-19” in domain names, potentially unwanted email messages, and phishing and malware delivery schemes has skyrocketed. As of April 14, Sophos has identified over 1,700 malicious domains using “corona” or “covid” in their names, of which 1,200 are currently active.[Update, May 21: Our malicious COVID-19 related domain count is now up to 1,885. The rate of new COVID-19 related domains and subdomain creation has slowed, but is still at about 700 per week based on SSL certificate transparency log data—not counting domains without certificates.]
We’re continuing to work to identify, detect and block these threats. We’re also engaging with the security community to help defend more broadly against the surge in COVID-19 related threats. Joshua Saxe, Sophos’ chief scientist, has launched a Slack channel for open collaboration on taking on pandemic-themed threats. [Update, April 20: The Slack channel now has over 3,400 members from security firms, as well as private and government organizations.]
We’re also publishing indicators of compromise we discover for related threats in a public GitHub. In this report, we’ll examine some of the trends we’re seeing in pandemic-themed spam and scams. The data we present here is just a portion of what we’ve seen so far, and we continue to assess intelligence data as it becomes available.
The surge of spam
The spam we found to be carrying an installer for Trickbot malware earlier this month was just one example of how spammers and criminals are using hunger for information about the pandemic to lure in their targets.
While COVID-19 emerged as a crisis in China in December, references to the virus in spam and phishing emails only really began to emerge in January—and like the virus itself, they grew exponentially. By early March, COVID-19 and Coronavirus already represented a significant percentage of the spam traffic we measured.
Spam campaigns detected by Sophos included:
- A sextortion scheme threatening to infect the target’s family with COVID-19 if they didn’t pay.
- A scam purporting to be a fundraising plea from the World Health Organization, asking for donations in Bitcoin to fund COVID-19 research.
- Messages purportedly from WHO, but carrying documents with dropper malware.
- Marketing for “emergency supplies,” including filter masks.
- A sales pitch for a $37 video download, purporting to offer insider information from a “military source” on how to survive Coronavirus
- [Update, March 27) We’re continuing to see new COVID-19 related extortion scams. Here’s another we’ve detected and blocked:
Building spamming and phishing infrastructure
COVID-19 has left a huge mark on the Internet’s namespace over the past two months. Certificate transparency log data from the major certificate authorities has shown a significant rise in the number of SSL certificates registered for sites using “corona” or “covid” in their names.
To get a sense of how big that change has been, we looked at log data over the past six months for new certificates issued for hostnames with “corona” or “covid-19” in them. To establish a baseline from before the outbreak became global news, we looked at the same period a year ago (September 2018 to March 2019) for comparison.
Before January, most certificates that contained “corona” referred to a locality, service or legitimate brand name. These accounted for an average of 288 certificates activated per month. References to “covid” did not exist in any certificate registrations we could find record of prior to 2020, and the only domain that really stands out belongs to Arizona-based A/V accessory manufacturer COVID, which owns the .com domain.
The pandemic changed the equation. Starting in January of 2020, there was an exponential rise in new certificates carrying these terms, nearly doubling from the norm to 558 for that month, and then nearly doubling again in February to 868. In the first two-thirds of March, over 6,086 new certificates bearing host names with “covid” and “corona” were issued—nearly a 20-time increase over the year before.
Over 65% of these new domains were programmatically registered for free through Let’s Encrypt, and another 5% used Cloudflare as a Certificate Authority (Cloudflare provides free SSL for sites that use its content delivery network).
By no means are all of these malicious, but many are suspicious—particularly since they include an abundance of sites that were bulk-configured using site templates, domains configured through low-cost registrars or subdomains configured on potentially compromised domains.
One host serving as home for a number of “covid-19” related web addresses—associated with a service that offers free websites and low cost domain name registration—had 11,322 domain names associated with it. Those domains appear to have been programmatically created and registered for certificates, as they follow the same naming pattern {covid-19[additional search keyword].com).
The raw number of domain names we’ve observed being registered that are related to the COVID-19 pandemic is even larger. On March 20, the peak day (so far), people registered 3011 new domains that contained the text “covid” or “corona,” in the four largest top-level domains (TLDs) we monitor (.com, .us. .org, and .info). Since February 8, we’ve observed 42,578 (as of midnight, March 24) newly-registered covid or corona domain names.
While some of these domains may have been registered for benign or even beneficial purposes, many are simply parked, while others are displaying basic, mostly empty website content as placeholders for some promised future content. Part of the collaboration on the Slack channels and with our partners at the Cyber Threat Alliance involves sorting out the useful and legitimate sites that may have been registered by legitimate health authorities from the dark humor, spammy, or actively malicious ones. It’s hard to know the intent of a domain registrant when there’s no content in—just for one weird example, there’s coronavirusshaquilleoneal[.]com.
Sophos has identified over 60 domains as actively malicious, though some of those domains have gone dark since we first detected them. The following specific sites have been linked to malware downloads, and are potential network indicators of compromise, but they are likely just the tip of the iceberg as far as malicious domains go:
corona-masr21.com netflixcovid19s.com chasecovid19v.com chasecovid19t.com chasecovid19s.com corona-masr2.com chase7-covid.com masry-corona51.com corona-virusapps.com coronavirus-realtime.com covid-19-gov.claims corona-virus-map.net corona-map-data.com coronavirus-apps.com childcarecorona.com impots-covid19.com corona-apps.com coronaviruscovid19-information.com coronations.usa.cc
[Update, March 27] One domain we’ve investigated, covid19hacks[.]com, is acting as a redirector gateway to a series of deceptive and potentially malicious download sites, including fake software update pages:
These pages are the end of a trail of forwarding HTTPS pages, on domains including:
covid19hacks.com yourbig-prizenow2.life mobile-app-market-here1.life best.prizedea2040.info
[Update, 4/08]
One of the most prevalent scams related to COVID-19 are sites offering supplies or medicine to prevent or fight infections. Several are picking up on the promotion by some of Hydroxycloroquine and Azithromycin as drugs to help fight COVID-19 infections.
.Some of these sites forward to overseas pharmaceutical sites or to web stores offering filter masks; others have skeletal WordPress installations that appear to be placeholders for future phishing or spam sites. One offers a $9 book on how to create a “do-it-yourself vaccine” for coronavirus.
curecorona.co zithromaxcovid19.com jesse.hydroxychloroquinecovid-19cure.com www.hydroxychloroquine-coronavirus.com coronacurethon.org diyvaccinecurecoronavirus.com covidrx.ca covidizerx.pl corona-vaccine-info.com corona-virus-vaccine.com
Others we’ve found are simply registered and parked, in the hope of selling them as part of the coronavirus “gold rush.”
The following sites were registered and park through reg.ru, a Russian domain registry, and may be potential pharmacy scam sites in the future:
covid-pharma.net covid-pharma.net covid-pharma.net covid-pharma.org covid-pharma.ru
Malware abusing anxiety over COVID
We’ve identified multiple malware families and potentially unwanted applications thus far communicating with COVID-19 related domains in some way. There are also ransomware that reference coronavirus in the ransom notes.
[Update, May 20] Recently, we detected a malware campaign leveraging COVID-19 fears associated with a group we’ve labeled RATicate. This attack uses an attachment disguised as information on the pandemic, but instead is a malware installer.
Three different versions of the DownloadGuide adware PUA were detected connecting to domains containing “COVID” or “Corona”. These may have been advertisements pushed to the adware randomly.
Additionally, a group of malicious files used the web host coronavirusstatus[.]space to host payloads or as a C2 server. They include:
- An AutoIT dropper script, which we identify as Troj/AutoIt-CYW.
- Corona.exe and isoburn.exe, both of which which we identify as Troj/PWS-CJJ and Troj/Steal-JZ.
- Corona-virus-Map.com.exe (which we identify as Troj/MSIL-NZP).
- The file aut6C13.tmp (which we identify as Troj/PWS-CJJ malware).
In addition to communicating with the host, this malware group also connects to the Telegram encrypted communications API server.
SHA256 | Name/Filename |
b326dd2cf05788cc2c0922e1553b98e6631c67b1cf7ec55228fa6f6db10e2249 | DownloaderGuide |
b326dd2cf05788cc2c0922e1553b98e6631c67b1cf7ec55228fa6f6db10e2249 | |
796b4f9e36b280fb1fae0c55ef184e4fb44906966f258e421ff0721705fafb0f | |
2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307 | T Troj/AutoIt-CYW, Troj/MSIL-NZP / Corona-virus- Map.com.exe |
13c0165703482dd521e1c1185838a6a12ed5e980e7951a130444cf2feed1102e | Troj/PWS-CJJ, Troj/Steal-JZ / corona.exe |
fda64c0ac9be3d10c28035d12ac0f63d85bb0733e78fe634a51474c83d0a0df8 | Troj/PWS-CJJ / isoburn.exe |
0b3e7faa3ad28853bb2b2ef188b310a67663a96544076cd71c32ac088f9af74d | Troj/Steal-KA / aut6C13.tmp |
These and additional IOCs will be added to our GitHub repository.
And it was inevitable that someone would eventually create a ransomware and call it Coronavirus.
Acknowledgments
SophosLabs wishes to acknowledge the efforts of Richard Cohen, Brett Cove, Krisztián Diriczi, Fraser Howard, Tamás Kocsír, and Chet Wisniewski to track down various threats, and the efforts of the Cyber Threat Alliance and the community of threat researchers on the COVID-19 Cyber Threat Coalition Slack channel for sharing a wide range of attack data with the wider community of security researchers and SOC analysts.
Leave a Reply