Urgent from EUROPOL - HOW CRIMINALS PROFIT FROM THE COVID-19 PANDEMIC

New Europol report on latest developments of COVID-19 on the criminal landscape in the EU

During this unprecedented crisis, governments across Europe are intensifying their efforts to combat the global spread of the coronavirus by enacting various measures to support public health systems, safeguard the economy and to ensure public order and safety.

A number of these measures have a significant impact on the serious and organised crime landscape. Criminals have been quick to seize opportunities to exploit the crisis by adapting their modi operandi or engaging in new criminal activities. Factors that prompt changes in crime and terrorism include:

  • High demand for certain goods, protective gear and pharmaceutical products;

  • Decreased mobility and flow of people across and into the EU;

  • Citizens remain at home and are increasingly teleworking, relying on digital solutions;

  • Limitations to public life will make some criminal activities less visible and displace them to home or online settings;

  • Increased anxiety and fear that may create vulnerability to exploitation;

  • Decreased supply of certain illicit goods in the EU.

Building upon information provided by EU Member States and in-house expertise, Europol has published today a situational report analysing the current developments which fall into four main crime areas:

CYBERCRIME

The number of cyberattacks against organisations and individuals is significant and is expected to increase. Criminals have used the COVID-19 crisis to carry out social engineering attacks themed around the pandemic to distribute various malware packages. 

Cybercriminals are also likely to seek to exploit an increasing number of attack vectors as a greater number of employers institute telework and allow connections to their organisations’ systems.

Example: The Czech Republic reported a cyberattack on Brno University Hospital which forced the hospital to shut down its entire IT network, postpone urgent surgical interventions and re-route new acute patients to a nearby hospital.

FRAUD

Fraudsters have been very quick to adapt well-known fraud schemes to capitalise on the anxieties and fears of victims throughout the crisis. These include adapted versions of telephone fraud schemes, supply scams and decontamination scams. A large number of new or adapted fraud schemes can be expected to emerge over the coming weeks as fraudsters attempt to capitalise further on the anxieties of people across Europe.

Example: An investigation supported by Europol focuses on the transfer of €6.6 million by a company to a company in Singapore in order to purchase alcohol gels and FFP3/2 masks. The goods were never received.

COUNTERFEIT AND SUBSTANDARD GOODS

The sale of counterfeit healthcare and sanitary products as well as personal protective equipment and counterfeit pharmaceutical products has increased manifold since the outbreak of the crisis. There is a risk that counterfeiters will use shortages in the supply of some goods to increasingly provide counterfeit alternatives both on- and offline.

Example: Between 3-10 March 2020, over 34 000 counterfeit surgical masks were seized by law enforcement authorities worldwide as part of Operation PANGEA supported by Europol. 

ORGANISED PROPERTY CRIME

Various types of theft schemes have been adapted by criminals to exploit the current situation. This includes the well-known scams involving the impersonation of representatives of public authorities. Commercial premises and medical facilities are expected to be increasingly targeted for organised burglaries.

Despite the introduction of further quarantine measures throughout Europe, the crime threat remains dynamic and new or adapted types of criminal activities will continue to emerge during the crisis and in its aftermath.

Example: Multiple EU Member States have reported on a similar modus operandi for theft. The perpetrators gain access to private homes by impersonating medical staff providing information material or hygiene products or conducting a "Corona test". 

Europol’s Executive Director Catherine De Bolle said: “While many people are committed to fighting this crisis and helping victims, there are also criminals who have been quick to seize the opportunities to exploit the crisis. This is unacceptable: such criminal activities during a public health crisis are particularly threatening and can carry real risks to human lives. That is why it is relevant more than ever to reinforce the fight against crime. Europol and its law enforcement partners are working closely together to ensure the health and safety of all citizens”.

The European Commissioner for Home Affairs Ylva Johansson said: “I welcome this new Europol report on latest developments of COVID-19 on the criminal landscape in the EU. The EU and Member States are stepping up efforts to keep people safe: National authorities and EU Agencies like Europol and ENISA are providing valuable input into how we can tackle this challenge together. I am determined to ensure that the Commission does all in its power to support law enforcement in the face of this new threat.”

Owen Anderson
NCSC weekly threat report 13th March 2020

Coronavirus used as bait by phishers

Several cyber security researchers have uncovered a surge in the number of phishing emails using the coronavirus as a lure.

Cyber criminals have been exploiting the pandemic to steal money or sensitive information through phishing campaigns in several countries.

By creating fake websites and emails masquerading as legitimate, attackers have been able to infect victims with malware.

Unfortunately, cyber criminals are opportunistic and can often look to exploit current events and public concerns. See the NCSC’s suspicious email advice to learn more about spotting and dealing with phishing emails.

Global network of bots brought down

Cyber security teams from across 35 countries, including Microsoft, have dismantled one of the world’s largest networks of bots.

The network, called Necurs, is believed to have infected more than nine million computers worldwide.

A botnet is a network of infected, internet-connected devices used to commit coordinated cyber attacks without their owners' knowledge.

Cyber criminals can use botnets to remotely take over internet-connected devices and install malicious software. This malware can then be used to send spam, collect information on users, and delete information without the owner’s knowledge.

In a blog, Tom Burt, vice-president for customer security and trust at Microsoft, said the takedown was the result of eight years of planning.

Malware is malicious software, which can cause harm to computers. The NCSC has published guidance for private and public sector organisations on how to mitigate malware, as well as what to do if you become infected.

Owen Anderson
Beware of 'Coronavirus Maps' – It's malware that infects PCs to steal passwords

Cybercriminals will stop at nothing to exploit every chance to prey on internet users.

Even the disastrous spread of SARS-CoV-2 (the virus), which causes COVID-19 (the disease), is becoming an opportunity for them to spread malware or launch cyber attacks.

Reason Cybersecurity recently released a threat analysis report detailing a new attack that takes advantage of internet users' increased craving for information about the novel coronavirus that is wreaking havoc worldwide.

The malware attack specifically targets people looking online for maps of the spread of COVID-19, and tricks them into downloading and running a malicious application that, on its front end, shows a map loaded from a legitimate online source but in the background compromises the computer.

New Threat With An Old Malware Component

The latest threat, designed to steal information from unwitting victims, was first spotted by MalwareHunterTeam last week and has now been analyzed by Shai Alfasi, a cybersecurity researcher at Reason Labs.

It involves a malware identified as AZORult, an information-stealing malicious software discovered in 2016. AZORult malware collects information stored in web browsers, particularly cookies, browsing histories, user IDs, passwords, and even cryptocurrency keys.

With these data drawn from browsers, it is possible for cybercriminals to steal credit card numbers, login credentials, and various other sensitive information.

AZORult is reportedly discussed in Russian underground forums as a tool for gathering sensitive data from computers. It comes with a variant that is capable of generating a hidden administrator account in infected computers to enable connections via the remote desktop protocol (RDP).

Sample Analysis

Alfasi provides technical details upon studying the malware, which is embedded in the file, usually named as Corona-virus-Map.com.exe. It's a small Win32 EXE file with a payload size of only around 3.26 MB.

Double-clicking the file opens a window that shows various information about the spread of COVID-19. The centerpiece is a "map of infections" similar to the one hosted by Johns Hopkins University, a legitimate online source to visualize and track reported coronavirus cases in the real-time.

Numbers of confirmed cases in different countries are presented on the left side while stats on deaths and recoveries are on the right. The window appears to be interactive, with tabs for various other related information and links to sources.

It presents a convincing GUI that few would suspect to be harmful. The information presented is not an amalgamation of random data; it is actual COVID-19 information pulled from the Johns Hopkins website.

To be clear, the original coronavirus map hosted online by Johns Hopkins University on ArcGIS is not infected or backdoored in any way and is safe to visit.

The malicious software uses several layers of packing together with a multi-sub-process technique to make it harder for researchers to detect and analyze. Additionally, it registers a scheduled task so that it keeps running after the initial execution.

Signs of Infection

Executing the Corona-virus-Map.com.exe results in the creation of duplicates of the Corona-virus-Map.com.exe file and multiple Corona.exe, Bin.exe, Build.exe, and Windows.Globalization.Fontgroups.exe files.

Additionally, the malware modifies a handful of registry keys under ZoneMap and LanguageList. Several mutexes are also created.

Execution of the malware activates the following processes: Bin.exe, Windows.Globalization.Fontgroups.exe, and Corona-virus-Map.com.exe. These attempt to connect to several URLs.

These processes and URLs are only a sample of what the attack entails. There are many other files generated and processes initiated. They create various network communication activities as malware tries to gather different kinds of information.

How the Attack Steals Information

Alfasi presented a detailed account of how he dissected the malware in a blog post on the Reason Security blog. One highlight is his analysis of the Bin.exe process with OllyDbg. The process wrote out some dynamic link libraries (DLLs). The DLL "nss3.dll" caught his attention because he had seen it used by other actors: nss3.dll is Mozilla's Network Security Services library, which Firefox uses to protect saved logins, and information stealers commonly load it to decrypt those credentials from the browser's profile.

Alfasi observed static loading of APIs exported by nss3.dll. These APIs appeared to facilitate the decryption of saved passwords as well as the generation of output data.

This is a common approach used by data thieves. Relatively simple, it only captures the login data from the infected web browser and moves it to the C:\Windows\Temp folder. It's one of the hallmarks of an AZORult attack, wherein the malware extracts data, generates a unique ID of the infected computer, applies XOR encryption, then initiates C2 communication.

The malware makes specific calls in an attempt to steal login data from common online accounts such as Telegram and Steam.

To emphasize, malware execution is the only step needed for it to proceed with its information-stealing processes. Victims don't need to interact with the window or input sensitive information therein.
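The behaviours described in the "Signs of Infection" and "How the Attack Steals Information" sections above (the dropped process names, the registry writes under ZoneMap and LanguageList, a non-browser process loading nss3.dll, and the staging of browser login data in C:\Windows\Temp) translate directly into a small host-hunting rule set. The Python below is an added example, not code from the Hacker News article or from Reason Labs' analysis. It runs over constructed Sysmon-style JSON events: the field names follow Sysmon's (Image, ImageLoaded, TargetFilename, TargetObject), but the PIDs, SID, paths and file names in the sample are made up for illustration, and the only process and DLL names it looks for are those named in the write-up.

```python
"""Hunt for the "coronavirus map" infostealer behaviour in Sysmon-style
JSON-lines telemetry.  Added example with constructed sample data; the
event contents are not from a real infected host."""
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Process names reported in the analysis above (compared case-insensitively).
DROPPED_NAMES = {
    "corona-virus-map.com.exe", "corona.exe", "bin.exe", "build.exe",
    "windows.globalization.fontgroups.exe",
}
# nss3.dll is Mozilla's NSS library; these are its expected loaders.
NSS_LEGIT_LOADERS = {"firefox.exe", "thunderbird.exe"}
# Registry locations the sample was seen touching (substring match on the key path).
REG_KEYS = ("\\zonemap\\", "\\languagelist")
# Directory where the stealer stages harvested browser logins.
TEMP_DIR = "c:\\windows\\temp\\"


def basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def hunt(lines):
    """Return (rule, pid, detail) findings for the given JSON-lines events.

    Single-event rules fire immediately; the credential-staging rule correlates
    an nss3.dll load by a non-browser process with that same process writing
    into C:\\Windows\\Temp, which is the stealer's hallmark described above."""
    findings = []
    nss_loaders = set()               # pids that loaded nss3.dll outside a browser
    temp_writers = defaultdict(list)  # pid -> files it created under C:\Windows\Temp
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        eid, img, pid = ev["EventID"], ev.get("Image", ""), ev.get("ProcessId")
        name = basename(img)
        if eid == 1 and name in DROPPED_NAMES:          # process creation
            findings.append(("dropped-process", pid, img))
        elif eid == 7:                                   # image (DLL) load
            if basename(ev["ImageLoaded"]) == "nss3.dll" and name not in NSS_LEGIT_LOADERS:
                findings.append(("nss3-load-outside-browser", pid, img))
                nss_loaders.add(pid)
        elif eid == 11:                                  # file creation
            if ev["TargetFilename"].lower().startswith(TEMP_DIR):
                temp_writers[pid].append(ev["TargetFilename"])
        elif eid == 13:                                  # registry value set
            key = ev["TargetObject"].lower()
            if name in DROPPED_NAMES and any(k in key for k in REG_KEYS):
                findings.append(("registry-zonemap-or-languagelist", pid, ev["TargetObject"]))
    for pid in nss_loaders:
        for path in temp_writers.get(pid, []):
            findings.append(("credential-staging", pid, path))
    return findings


# Constructed sample telemetry (hypothetical PIDs, SID and file names).
# PID 4120 is the dropper, 4188 its Bin.exe child, 5100 a benign Firefox.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Users\\alice\\Downloads\\Corona-virus-Map.com.exe"}
{"EventID": 1, "ProcessId": 4188, "ParentProcessId": 4120, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Bin.exe"}
{"EventID": 13, "ProcessId": 4120, "Image": "C:\\Users\\alice\\Downloads\\Corona-virus-Map.com.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass"}
{"EventID": 7, "ProcessId": 4188, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Bin.exe", "ImageLoaded": "C:\\Program Files\\Mozilla Firefox\\nss3.dll"}
{"EventID": 11, "ProcessId": 4188, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Bin.exe", "TargetFilename": "C:\\Windows\\Temp\\out.txt"}
{"EventID": 7, "ProcessId": 5100, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "ImageLoaded": "C:\\Program Files\\Mozilla Firefox\\nss3.dll"}
{"EventID": 11, "ProcessId": 5100, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "TargetFilename": "C:\\Windows\\Temp\\update.log"}
"""

if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"{rule:36} pid={pid} {detail}")
```

The correlation in the last rule is what keeps the Temp-directory check usable: Firefox itself legitimately loads nss3.dll and many processes write to C:\Windows\Temp, so neither fact alone is a signal, but a process that is not a browser loading the browser's credential library and then dropping a file in Temp matches the stealer's described flow. Feeding real Sysmon output means exporting the events as JSON lines with these field names; process names can of course be renamed by the attacker, so the nss3.dll rule is the more durable of the four.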

Cleaning and Prevention

The key to removing and stopping the opportunistic "coronavirus map" malware is to have the right malware protection system. It will be challenging to detect it manually, let alone remove the infection without the right software tool.

It may not be enough to be cautious in downloading and running files from the internet, as many tend to be overeager in accessing information about the novel coronavirus nowadays.

The pandemic level dispersion of COVID-19 merits utmost caution not only offline (to avoid contracting the disease) but also online. Cyber attackers are exploiting the popularity of coronavirus-related resources on the web, and many will likely fall prey to the attacks.

Published by The Hacker News March 11, 2020 written by Wang Wei

https://thehackernews.com/2020/03/coronavirus-maps-covid-19.html

Owen Anderson
CISA report on North Korean Malicious Cyber Activity

On February 14, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released six (6) new Malware Analysis Reports (MARs) and one (1) updated MAR related to malicious cyber activity from North Korea. Each MAR is designed to enable network defenders to identify and reduce exposure to North Korean government malicious cyber activity.

Owen Anderson