Phishers hiding malware in fraudulent Covid-19 emails, hackers facing dilemmas
Skip to main content
  • Home
  • Economy
    • Aviation
    • Bazaar
    • Budget
    • Industry
    • NBR
    • RMG
    • Corporates
  • Stocks
  • Analysis
  • World+Biz
  • Sports
  • Features
    • Book Review
    • Brands
    • Earth
    • Explorer
    • Fact Check
    • Family
    • Food
    • Game Reviews
    • Good Practices
    • Habitat
    • Humour
    • In Focus
    • Luxury
    • Mode
    • Panorama
    • Pursuit
    • Wealth
    • Wellbeing
    • Wheels
  • Epaper
  • More
    • Subscribe
    • Videos
    • Thoughts
    • Splash
    • Bangladesh
    • Supplement
    • Infograph
    • Archive
    • COVID-19
    • Games
    • Long Read
    • Interviews
    • Offbeat
    • Podcast
    • Quiz
    • Tech
    • Trial By Trivia
    • Magazine
  • বাংলা
The Business Standard

Friday
February 03, 2023

Sign In
Subscribe
  • Home
  • Economy
    • Aviation
    • Bazaar
    • Budget
    • Industry
    • NBR
    • RMG
    • Corporates
  • Stocks
  • Analysis
  • World+Biz
  • Sports
  • Features
    • Book Review
    • Brands
    • Earth
    • Explorer
    • Fact Check
    • Family
    • Food
    • Game Reviews
    • Good Practices
    • Habitat
    • Humour
    • In Focus
    • Luxury
    • Mode
    • Panorama
    • Pursuit
    • Wealth
    • Wellbeing
    • Wheels
  • Epaper
  • More
    • Subscribe
    • Videos
    • Thoughts
    • Splash
    • Bangladesh
    • Supplement
    • Infograph
    • Archive
    • COVID-19
    • Games
    • Long Read
    • Interviews
    • Offbeat
    • Podcast
    • Quiz
    • Tech
    • Trial By Trivia
    • Magazine
  • বাংলা
FRIDAY, FEBRUARY 03, 2023
Phishers hiding malware in fraudulent Covid-19 emails, hackers facing dilemmas

Tech

TBS Report
09 April, 2020, 06:45 pm
Last modified: 09 April, 2020, 07:11 pm

Related News

  • Hong Kong says 'hello' to woo back visitors after Covid
  • US to end Covid-19 emergency declarations on 11 May
  • Covid remains a public health emergency, says WHO
  • Holiday trips within China surge after lifting of Covid curbs
  • India launches world’s 1st intranasal Covid vaccine

Phishers hiding malware in fraudulent Covid-19 emails, hackers facing dilemmas

Spyware turned out to be the most common malware class hiding in fraudulent COVID-19 emails, with AgentTesla topping the list of phishers’ favourite strains

TBS Report
09 April, 2020, 06:45 pm
Last modified: 09 April, 2020, 07:11 pm

Photo: Kacper Pempel via Reuters
Photo: Kacper Pempel via Reuters

Singapore-based organisation Group-IB's Computer Emergency Response Team (CERT-GIB) have analysed hundreds of coronavirus-related phishing emails between February 13 and April 1, 2020. 

Spyware turned out to be the most common malware class hiding in fraudulent COVID-19 emails, with AgentTesla topping the list of phishers' favourite strains.

Group-IB researchers also discovered that coronavirus had split hacker underground into those who capitalize on the pandemic and those who strongly oppose exploiting the crisis. 

Group-IB urged users to stay vigilant and pay close attention to any emails about coronavirus, especially now that most employees are working from home. 

Spyware: the most likely COVID-19 payload

CERT-GIB's report is based on analyses of coronavirus-related phishing traffic by the Threat Detection System (TDS) Polygon as part of operations to prevent threats spread online. 

Most COVID-19-related phishing emails analysed had different spyware strains embedded as attachments. 

Among the spyware strains, AgentTesla (45%), NetWire (30%) and LokiBot (8%) were the most actively exploited malware families. 

With some minor differences, all these malware samples are designed to collect personal and financial data. They can retrieve user credentials from browsers, mail clients and file transfer protocol (FTP) clients, capture screenshots, and secretly track user behaviour and send it to cybercriminals' C&Cs.

Most of the emails detected were in English. Those behind such COVID-related campaigns target government organizations and private companies. 

The emails were masked as advisories, purchase orders, face masks offers, and alerts or safety recommendations from the World Health Organization, UNICEF, and other international agencies and private companies such as Maersk, Pekos Valves, and CISCO. 

These companies are in no way involved in the scams, of course.

Example of a malicious email disguised as “UNICEF COVID-19 TIPS APP” with spyware in the attachment. Source: CERT-GIB
Example of a malicious email disguised as “UNICEF COVID-19 TIPS APP” with spyware in the attachment. Source: CERT-GIB

Example of a phishing email disguised as an offer of free masks. Source: CERT-GIB
Example of a phishing email disguised as an offer of free masks. Source: CERT-GIB

Cybercriminals have used the following file extensions to deliver malware samples: .gz, .ace, .arj, and .rar, three of which are archive formats. 

It's worth noting that .rar also became the second commonly used format to deliver archived malware in H1 2019 and accounted for 25% of all archived malicious files detected by Group-IB's CERT in the first half of 2019. 

To trick antivirus software, threat actors include the passwords for accessing the content in the email subject line, in the archive name, or in subsequent correspondence with the victim. 

Unless behavioural analytics is employed, such malware is likely to remain undetected.

Hacker underground split over coronavirus

Phishing emails exploiting coronavirus panic accounted for about 5% of all malicious emails detected and analysed by CERT-GIB over the review period. 

This relatively small percentage can partly be explained by the fact that not all cybercriminals are capitalizing on coronavirus fears. 

According to media reports, some ransomware gangs have stated that they will not target medical organizations during the outbreak. 

Group-IB's Threat Intelligence team has also detected a number of underground forum posts by users who urge others to stop exploiting COVID-19 for malicious purposes. 

Posts on a hacker forum in which users urge others to stop exploiting COVID-19. Source: Group-IB Threat Intelligence
Posts on a hacker forum in which users urge others to stop exploiting COVID-19. Source: Group-IB Threat Intelligence

The coronavirus crisis has affected many economies and the underground hacking economy is no exception. 

Group-IB Threat Intelligence has tracked down more than 500 posts on underground forums in which users offered coronavirus discounts and promotional codes on DDoS, spamming, and other services to stimulate demand, affected by the pandemic.  

Post on a hacker forum from a user providing a 20% discount and promo codes on spamming and domain registration services. Source: Group-IB Threat Intelligence
Post on a hacker forum from a user providing a 20% discount and promo codes on spamming and domain registration services. Source: Group-IB Threat Intelligence

Post on a hacker forum from a user announcing discounts on DDoS services due to the crisis caused by COVID-19. Source: Group-IB Threat Intelligence
Post on a hacker forum from a user announcing discounts on DDoS services due to the crisis caused by COVID-19. Source: Group-IB Threat Intelligence

Remote work increases the likelihood of cyberattacks 

"People should remain particularly vigilant now that most people are working from home due to the pandemic," comments Aleksandr Kalinin, Head of Group-IB's Computer Emergency Response Team (CERT-GIB). 

"We predict an increase in the number of cyberattacks on unprotected home networks used by employees who have switched to remote work as the virus spreads offline," the comment reads. 

"Corporate security teams should reassess their approach to securing corporate digital space by strengthening their perimeter, which now includes employees' home devices. A single employee who opens a malicious file from an undetected phishing email could jeopardize the whole company's operations," the comment further reads. 

All remote employees' email accounts, as well as the VPNs, used to access corporate networks should be protected with two-factor authentication at least. 

Moreover, implementing network protection solutions is needed to analyse incoming and outgoing emails. Network segmentation and access right differentiation are both required. 

It is also recommended that even remote user activity be covered by the organization's perimeter security tools.

Coronavirus chronicle / Top News

Spyware / COVID-19 / Phishing / Cyber Security

Comments

While most comments will be posted if they are on-topic and not abusive, moderation decisions are subjective. Published comments are readers’ own views and The Business Standard does not endorse any of the readers’ comments.

Top Stories

  • International Monetary Fund logo : AP via UNB
    IMF sets time-bound reform agenda as it releases first tranche of loan
  • Shipped Bhola gas to cost higher, yet cheaper than spot LNG
    Shipped Bhola gas to cost higher, yet cheaper than spot LNG
  • January exports rise nearly 6% riding on high-value RMG items
    January exports rise nearly 6% riding on high-value RMG items

MOST VIEWED

  • Photo: Collected
    OpenAI launches ChatGPT subscription plan for $20 per month
  • Photo: Collected
    ChatGPT: the promises, pitfalls and panic
  • Rendered images by DALL-E 2 from the text prompt: “a hydrogen fueled plane, digital art.”
    Could hydrogen-powered aeroplanes be the future of aviation?
  • Illustration: TBS
    AI tools beyond ChatGPT and DALL-E 2
  • Twitter says users will be able to appeal account suspension
    Twitter says users will be able to appeal account suspension
  • Bye bye! Photographer: Michael Zarrilli/Getty Images North America via Bloomberg
    Meta says Trump to be allowed back on Facebook, Instagram

Related News

  • Hong Kong says 'hello' to woo back visitors after Covid
  • US to end Covid-19 emergency declarations on 11 May
  • Covid remains a public health emergency, says WHO
  • Holiday trips within China surge after lifting of Covid curbs
  • India launches world’s 1st intranasal Covid vaccine

Features

Six Jeep Wranglers and a special XJ Jeep Cherokee set out into the depths of Lalakhal, Sylhet for an experience of a lifetime. Photo: Ahbaar Mohammad

Jeep Life Bangladesh: A club for Jeep owners to harness the power of their vehicles

19h | Wheels
While the Padma bridge in operation is changing the lives of millions in the south for the better, passenger rush to Shimulia ghat died down. Photo: Masum Billah

How are the Shimulia ghat businesses faring after Padma bridge?

21h | Panorama
After so many investments going embarrassingly wrong, as was the case with Sam Bankman-Fried, perhaps tech investors’ preference for less experience will wane. Photo: Bloomberg

Are you the next Steve Jobs? Good luck raising money in 2023

21h | Panorama
An elderly couple's lonely battle to save Dhaka's trees

An elderly couple's lonely battle to save Dhaka's trees

1d | Panorama

More Videos from TBS

A proper price formula can help investors to plan big

A proper price formula can help investors to plan big

11h | TBS Round Table
Rumors about Sarika that everyone thinks are true

Rumors about Sarika that everyone thinks are true

9h | TBS Entertainment
Mugging rife in Tejgaon, murder in Wari

Mugging rife in Tejgaon, murder in Wari

11h | TBS Current Affairs
What secrets are hidden behind Adani's wealth?

What secrets are hidden behind Adani's wealth?

10h | TBS Stories

Most Read

1
Bapex calls candidates for job test 9 years after advert!
Bangladesh

Bapex calls candidates for job test 9 years after advert!

2
Leepu realised his love for cars from a young age and for the last 40 years, he has transformed, designed and customised hundreds of cars. Photo: Collected
Panorama

'I am not crazy about cars anymore': Nizamuddin Awlia Leepu

3
Photo: Collected
Energy

8 Ctg power plants out of production

4
The International Monetary Fund (IMF) logo is seen outside the headquarters building in Washington, U.S., September 4, 2018. REUTERS/Yuri Gripas/File Photo
Economy

IMF approves $4.7 billion loan for Bangladesh, calls for ambitious reforms

5
Photo: Collected
Court

Japanese mother gets guardianship of daughters, free to leave country

6
Fund cut as Dhaka's fast-track transit projects on slow spending lane
Infrastructure

Fund cut as Dhaka's fast-track transit projects on slow spending lane

EMAIL US
[email protected]
FOLLOW US
WHATSAPP
+880 1847416158
The Business Standard
  • About Us
  • Contact us
  • Sitemap
  • Privacy Policy
  • Comment Policy
Copyright © 2023
The Business Standard All rights reserved
Technical Partner: RSI Lab

Contact Us

The Business Standard

Main Office -4/A, Eskaton Garden, Dhaka- 1000

Phone: +8801847 416158 - 59

Send Opinion articles to - [email protected]

For advertisement- [email protected]