The rapid spread of the novel coronavirus around the world has emerged as an opportunity for one group of people to exploit: cyber criminals. Shai Alfasi, a cybersecurity researcher working for New York-based Reason Security, discovered and analyzed malware masked as a “coronavirus map” that is delivered via email and used to steal sensitive data from victims’ web browsers.
Around 95 percent of coronavirus-themed malware delivery is by email, according to Alfasi, who responded to a number of questions for NOVO Gazette.
“The malware steals all information that is saved in the browser, which includes bank credentials, credit cards and everything that is saved there. It also accesses your Bitcoin wallet if you have one and extracts information from the operating system,” Alfasi explained.
Aside from “coronavirus maps,” there are emails going around that impersonate an insurance company telling users they are offering coronavirus coverage, Alfasi told NOVO Gazette. “However, what actually happens with this email is that attackers try to steal personal information such as ID, first name, last name and more,” he said.
“Another good example that we’ve seen lately is emails that impersonate the WHO (World Health Organization) and suggest that users download files that look like they are related to WHO, but are actually malware that operate in the background.”
The stolen information in such attacks mostly ends up being sold online (on the deep web) or used for gaining access to bank accounts or social media.
Mobile phones, especially Android devices, are the primary target of this new campaign, and new malicious apps appear every day that exploit the fear of the coronavirus pandemic in order to infect more phones, Alfasi said. He added that websites are also a problem, but you will most likely be safe unless you download any files on your device.
“We keep seeing new malicious websites every day, but getting hacked by just visiting a website is extremely rare since the attackers need to find a zero day vulnerability in the browser in order to allow remote code execution. These kinds of exploits are military grade and you won’t see them in public.”
Could Russia Or Another Government Be Behind The Attacks?
The malware Alfasi found belongs to a family known as “AZORult” that used to be sold on Russian underground forums. We asked him whether it had the sophistication level of a government-sponsored attack and what country the campaign could be coming from.
“AZORult originated from Russia, but its sophistication level is not military or government grade. That said, we don’t know exactly who is behind it, but we can say that it hit the USA the hardest,” he replied.
In order to keep your devices safe, Alfasi advises internet users to avoid downloading any files, since most of the information is available online and there is no need for it.
“It’s also very important to have an antivirus product. A good antivirus will prevent 95 percent of the different types of malware. Most of the malware we see is known malware that has been slightly changed in order to evade antivirus software and spread, but the skeleton code and operation is the same,” he said.
“And the last recommendation is to regularly update your operating system. A lot of malware relies on operating system vulnerabilities to operate, so once you make sure you run security updates, you remove the vulnerabilities and minimize risk.”
Alfasi additionally urges everyone to follow his company’s Twitter account @ReasonCSecurity to stay updated on the latest threats and risks, saying they provide simple, easy-to-understand alerts on new threats.
All rights reserved. Using quotes from this story requires crediting them to NOVO Gazette and adding a link to this page.