Cyber Threat Actors Capitalize on Coronavirus

More social engineering campaigns have been publicized this week in which various cyber threat actors capitalize on the global concern over the novel coronavirus, COVID-19. Email and social media-based phishing scams referencing the virus attempt to convince recipients to open links or attachments to direct users to malicious websites or deliver malware, reveal sensitive information, or donate to fraudulent causes. Check Point researchers found that coronavirus-themed domains are 50 percent more likely to be malicious than other domains; over 4,000 coronavirus-related domains have been registered since January 2020. A malicious website purporting to be the live map for COVID-19 global cases run by Johns Hopkins University is circulating. This website infects site visitors with the information-stealing AZORult trojan. Researchers believe the website is being spread via infected email attachments, malvertisements, and social engineering. Over the last two weeks, malicious coronavirus-themed emails attempting to be delivered to State of New Jersey employees aimed to install malware or potentially unwanted programs (PUPs), or direct users to websites to steal user credentials. One phishing campaign included an .iso attachment that, when executed, delivers the GuLoader downloader, which downloads the LokiBot trojan. 

The NJCCIC recommends users remain vigilant and exercise caution with coronavirus-themed emails, posts, and links, ensuring to only use trusted sources – such as official government websites – for information on COVID-19. More information is provided in the CISA publication, “Defending Against COVID-19 Cyber Scams” and CISA Insights document “Risk Management for Novel Coronavirus (COVID-19).”