Threat Research

Facing down the myriad threats tied to COVID-19

EDITOR'S NOTE: This is an ongoing, live report and will be updated continuously with new information as it becomes available. The report was originally published on March 24.

 

Unscrupulous marketers and cyber-criminals have seized upon concerns over the emergence of the COVID-19 global pandemic as bait for spam, phishing attacks and malware. In recent weeks, the use of “coronavirus” and “COVID-19” in domain names, potentially unwanted email messages, and phishing and malware delivery schemes has skyrocketed. As of April 14, Sophos has identified over 1,700 malicious domains using “corona” or “covid” in their names, of which 1,200 are currently active.[Update, May 21: Our malicious COVID-19 related domain count is now up to 1,885. The rate of new COVID-19 related domains and subdomain creation has slowed, but is still at about 700 per week based on SSL certificate transparency log data—not counting domains without certificates.]

We’re continuing to work to identify, detect and block these threats. We’re also engaging with the security community to help defend more broadly against the surge in COVID-19 related threats. Joshua Saxe, Sophos’ chief scientist, has launched a Slack channel for open collaboration on taking on pandemic-themed threats. [Update, April 20: The Slack channel now has over 3,400 members from security firms, as well as private and government organizations.]

We’re also publishing indicators of compromise we discover for related threats in a public GitHub. In this report, we’ll examine some of the trends we’re seeing in pandemic-themed spam and scams. The data we present here is just a portion of what we’ve seen so far, and we continue to assess intelligence data as it becomes available.

The surge of spam

The spam we found to be carrying an installer for Trickbot malware earlier this month was just one example of how spammers and criminals are using hunger for information about the pandemic to lure in their targets.

While COVID-19 emerged as a crisis in China in December, references to the virus in spam and phishing emails only really began to emerge in January—and like the virus itself, they grew exponentially. By early March, COVID-19 and Coronavirus already represented a significant percentage of the spam traffic we measured.

Spam campaigns detected by Sophos included:

  • A sextortion scheme threatening to infect the target’s family with COVID-19 if they didn’t pay.
  • A scam purporting to be a fundraising plea from the World Health Organization, asking for donations in Bitcoin to fund COVID-19 research.
  • Messages purportedly from WHO, but carrying documents with dropper malware.
  • Marketing for “emergency supplies,” including filter masks.
  • A sales pitch for a $37 video download, purporting to offer insider information from a “military source” on how to survive Coronavirus
  • [Update, March 27) We’re continuing to see new COVID-19 related extortion scams. Here’s another we’ve detected and blocked:COVID-19 extortion spam

Building spamming and phishing infrastructure

COVID-19 has left a huge mark on the Internet’s namespace over the past two months. Certificate transparency log data from the major certificate authorities has shown a significant rise in the number of SSL certificates registered for sites using “corona” or “covid” in their names.

To get a sense of how big that change has been, we looked at  log data over the past six months for new certificates issued for hostnames with “corona” or “covid-19” in them. To establish a baseline from before the outbreak became global news, we looked at the same period a year ago (September 2018 to March 2019) for comparison.

Before January, most certificates that contained “corona” referred to a locality, service or legitimate brand name. These accounted for an average of 288 certificates activated per month.  References to “covid” did not exist in any certificate registrations we could find record of prior to 2020, and the only domain that really stands out belongs to Arizona-based A/V accessory manufacturer COVID, which owns the .com domain.

A typical site registering a certificate with “corona” in its URL in 2018.

The pandemic changed the equation. Starting in January of 2020, there was an exponential rise in new certificates carrying these terms, nearly doubling from the norm to 558 for that month, and then nearly doubling again in February to 868. In the first two-thirds of March, over  6,086 new  certificates bearing host names with “covid” and “corona” were issued—nearly a 20-time increase over the year before.

 

Over 65% of these new domains were programmatically registered for free through Let’s Encrypt, and another 5% used Cloudflare as a Certificate Authority (Cloudflare provides free SSL for sites that use its content delivery network).

By no means are all of these malicious, but many are suspicious—particularly since they include an abundance of sites that were bulk-configured using site templates, domains configured through low-cost registrars or subdomains configured on potentially compromised domains.

One host serving as home for a number of “covid-19” related web addresses—associated with a service that offers free websites and low cost domain name registration—had 11,322 domain names associated with it. Those domains appear to have been programmatically created and registered for certificates, as they follow the same naming pattern {covid-19[additional search keyword].com).

The raw number of domain names we’ve observed being registered that are related to the COVID-19 pandemic is even larger. On March 20, the peak day (so far), people registered 3011 new domains that contained the text “covid” or “corona,” in the four largest top-level domains (TLDs) we monitor (.com, .us. .org, and .info). Since February 8, we’ve observed 42,578 (as of midnight, March 24) newly-registered covid or corona domain names.

While some of these domains may have been registered for benign or even beneficial purposes, many are simply parked, while others are displaying basic, mostly empty website content as placeholders for some promised future content. Part of the collaboration on the Slack channels and with our partners at the Cyber Threat Alliance involves sorting out the useful and legitimate sites that may have been registered by legitimate health authorities from the dark humor, spammy, or actively malicious ones. It’s hard to know the intent of a domain registrant when there’s no content in—just for one weird example, there’s coronavirusshaquilleoneal[.]com.

Sophos has identified over 60 domains as actively malicious, though some of those domains have gone dark since we first detected them. The following specific sites have been linked to malware downloads, and are potential network indicators of compromise, but they are likely just the tip of the iceberg as far as malicious domains go:

corona-masr21.com
netflixcovid19s.com
chasecovid19v.com
chasecovid19t.com
chasecovid19s.com
corona-masr2.com
chase7-covid.com
masry-corona51.com
corona-virusapps.com
coronavirus-realtime.com
covid-19-gov.claims
corona-virus-map.net
corona-map-data.com
coronavirus-apps.com
childcarecorona.com
impots-covid19.com
corona-apps.com
coronaviruscovid19-information.com
coronations.usa.cc

[Update, March 27] One domain we’ve investigated, covid19hacks[.]com, is acting as a redirector gateway to a series of deceptive and potentially malicious download sites, including fake software update pages:

fake adobe flash update pageThese pages are the end of a trail of forwarding HTTPS pages, on domains including:

covid19hacks.com
yourbig-prizenow2.life
mobile-app-market-here1.life
best.prizedea2040.info

[Update, 4/08]

One of the most prevalent scams related to COVID-19 are sites offering supplies or medicine to prevent or fight infections.  Several are picking up on the promotion by some of Hydroxycloroquine and Azithromycin as drugs to help fight COVID-19 infections.

.Some of these sites forward to overseas pharmaceutical sites or to web stores offering filter masks; others have skeletal WordPress installations that appear to be placeholders for future phishing or spam sites. One offers a $9 book on how to create a “do-it-yourself vaccine” for coronavirus.

curecorona.co
zithromaxcovid19.com
jesse.hydroxychloroquinecovid-19cure.com
www.hydroxychloroquine-coronavirus.com
coronacurethon.org 
diyvaccinecurecoronavirus.com
covidrx.ca
covidizerx.pl
corona-vaccine-info.com
corona-virus-vaccine.com

Others we’ve found are simply registered and parked, in the hope of selling them as part of the coronavirus “gold rush.”

The following sites were registered and park through reg.ru, a Russian domain registry, and may be potential pharmacy scam sites in the future:

covid-pharma.net
covid-pharma.net 
covid-pharma.net 
covid-pharma.org
covid-pharma.ru

Malware abusing anxiety over COVID

We’ve identified multiple malware families and potentially unwanted applications thus far communicating with COVID-19 related domains in some way. There are also ransomware that reference coronavirus in the ransom notes.

[Update, May 20] Recently, we detected a malware campaign leveraging COVID-19 fears associated with a group we’ve labeled RATicate. This attack uses an attachment disguised as information on the pandemic, but instead is a malware installer.

Three different versions of the DownloadGuide adware PUA  were detected connecting to domains containing “COVID” or “Corona”. These may have been advertisements pushed to the adware randomly.

Additionally, a group of malicious files used the web host coronavirusstatus[.]space to host payloads or as a C2 server. They include:

  • An AutoIT dropper script, which we identify as Troj/AutoIt-CYW.
  • Corona.exe  and isoburn.exe, both of which which we identify as Troj/PWS-CJJ and Troj/Steal-JZ.
  • Corona-virus-Map.com.exe (which we identify as Troj/MSIL-NZP).
  • The file aut6C13.tmp (which we identify as Troj/PWS-CJJ malware).

In addition to communicating with the host, this malware group also connects to the Telegram encrypted communications API server.

SHA256 Name/Filename
b326dd2cf05788cc2c0922e1553b98e6631c67b1cf7ec55228fa6f6db10e2249 DownloaderGuide
b326dd2cf05788cc2c0922e1553b98e6631c67b1cf7ec55228fa6f6db10e2249
796b4f9e36b280fb1fae0c55ef184e4fb44906966f258e421ff0721705fafb0f
2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307 T Troj/AutoIt-CYW, Troj/MSIL-NZP /  Corona-virus- Map.com.exe
13c0165703482dd521e1c1185838a6a12ed5e980e7951a130444cf2feed1102e Troj/PWS-CJJ, Troj/Steal-JZ  / corona.exe
fda64c0ac9be3d10c28035d12ac0f63d85bb0733e78fe634a51474c83d0a0df8 Troj/PWS-CJJ / isoburn.exe
0b3e7faa3ad28853bb2b2ef188b310a67663a96544076cd71c32ac088f9af74d Troj/Steal-KA / aut6C13.tmp

 

These and additional IOCs will be added to our GitHub repository.

And it was inevitable that someone would eventually create a ransomware and call it Coronavirus.

Acknowledgments

SophosLabs wishes to acknowledge the efforts of Richard Cohen, Brett Cove, Krisztián Diriczi, Fraser Howard, Tamás Kocsír, and Chet Wisniewski to track down various threats, and the efforts of the Cyber Threat Alliance and the community of threat researchers on the COVID-19 Cyber Threat Coalition Slack channel for sharing a wide range of attack data with the wider community of security researchers and SOC analysts.