COVID-19 Used To Hide Distribution of Cerberus
Situation
Attackers are using the COVID-19 pandemic as a lure to distribute malware, in particular the Cerberus banking trojan, to Android phones and tablets. A campaign of this kind can infect and compromise thousands of devices. Cerberus is used to steal credit card numbers and personal data from the devices it infects.
Problem
The trojan is delivered through a web page, a link, or an email attachment, and the user is prompted to install the application. Once installed, it displays a permission request every 10 seconds until the permissions are granted or the application is force-closed. With the permissions granted it searches the phone, builds a database file of personal and financial information, and then contacts its command and control server to upload the data.
Implication
If a user installs the application and grants the permissions it requests, it can exfiltrate credit card details and personal data such as contacts and messages to the attacker's infrastructure. That data can then be sold or used against the victim.
Need
To avoid becoming a victim, install only software you recognise from a known developer and a trusted source such as the Google Play Store or Apple App Store; if you are not certain, do not install it. Android and iOS both restrict installation to their own stores by default, and an app that asks you to change that setting ("allow installation from unknown sources") is itself a warning sign. Run a certified, tested anti-virus application on your mobile device and keep it updated. Keep the operating system and installed applications at the current patch level. Remove applications you no longer use to reduce the device's attack surface, since any application may carry an unpatched vulnerability.
If you believe you have installed Corona-Apps.apk or another Cerberus-infected package, the only way to remove it is to force-stop the application first and then uninstall it. If you try to uninstall it while it is running, the uninstall prompt flashes briefly and the malware closes the uninstaller.
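The two checks above, "was this app installed from the store?" and "force-stop before uninstall", can be scripted for an analyst with adb access to the device. The following is an added example and not code from the original advisory or from any vendor it cites. It parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) to find sideloaded apps and emits the adb commands in the order the advisory requires. The sample output and the package names in it are constructed; the only installer treated as trusted is the Google Play Store (`com.android.vending`), which is an assumption you may need to widen for devices that use a vendor store.

```python
"""Triage sideloaded Android packages and remove one in the advisory's order.

Added example (not from the original advisory). Assumes a device reachable
over adb; the SAMPLE_OUTPUT below is constructed, not captured from a device.
"""
import re
import subprocess

# Installer package names treated as trusted app stores. Google Play's
# installer id is com.android.vending; anything else is treated as sideloaded
# (an assumption for this example; add a vendor store here if your fleet uses one).
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -3 -i` looks like:
#   package:com.example.app  installer=com.android.vending
# A sideloaded app reports installer=null.
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_package_list(text):
    """Return {package: installer} where installer is None for unknown/sideloaded."""
    packages = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank lines and anything adb prints that is not a package
        installer = match.group("inst")
        packages[match.group("pkg")] = None if installer == "null" else installer
    return packages


def sideloaded(packages):
    """Packages whose installer is missing or not in TRUSTED_INSTALLERS."""
    return sorted(pkg for pkg, inst in packages.items() if inst not in TRUSTED_INSTALLERS)


def removal_commands(pkg):
    """adb commands in the order the advisory requires: force-stop first, then uninstall.

    Uninstalling while the app is running lets it dismiss the uninstall prompt,
    so `am force-stop` must complete before `pm uninstall` is issued.
    """
    return [
        ["adb", "shell", "am", "force-stop", pkg],
        ["adb", "shell", "pm", "uninstall", "--user", "0", pkg],
    ]


def remove_package(pkg, run=subprocess.run):
    """Execute the removal sequence; `run` is injectable so it can be dry-run."""
    for cmd in removal_commands(pkg):
        run(cmd, check=True)


# Constructed sample of `adb shell pm list packages -3 -i` output.
SAMPLE_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.coronaapps  installer=null
package:com.example.vendortool  installer=com.example.vendorstore
"""

if __name__ == "__main__":
    pkgs = parse_package_list(SAMPLE_OUTPUT)
    for pkg in sideloaded(pkgs):
        print(f"sideloaded: {pkg} (installer={pkgs[pkg]})")
        for cmd in removal_commands(pkg):
            print("  would run:", " ".join(cmd))
```

Run it against a live device with `adb shell pm list packages -3 -i | python3 triage.py` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`; the `run` parameter of `remove_package` lets you log the commands before executing them.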
For more information please see below.
COVID-19 Cerberus: https://exchange.xforce.ibmcloud.com/collection/9315d32f03682dbf897bc7c61e2392bc
Avira blog about Covid-19 Cerberus: https://blog.avira.com/cerberus-flies-under-covid-19-flag/
Coronavirus Malware Distributed via WordPress Plugin
Situation
Attackers are distributing modified (pirated) copies of a WordPress Coronavirus tracking plugin that carry a backdoor. Once the backdoored plugin is installed on one site, it can compromise other sites hosted on the same server and give the attacker backdoor access to them.
Problem
A newly released WordPress plugin that provides COVID-19 updates is being redistributed in a modified form that backdoors the site it is installed on and any other sites hosted on the same server. The backdoor injects pop-ups and redirects into the site's pages to generate advertising revenue for the attacker. It also persists by appending code to a PHP file that WordPress executes on every request, so the malicious code is reloaded with every page visit.
Implication
If a site is running the infected plugin, the attacker can add pop-ups and redirects to its pages (earning ad revenue) and use the backdoor to infect other sites hosted on the same server. The result can be lower legitimate traffic to your site, compromise of your sites, and unwanted traffic or further infections on the hosting server.
Need
To protect yourself and confirm you are not infected, make sure anti-virus is installed and up to date, check whether you are using this plugin, and verify that your copy came from a trusted source and is the current version. Search your environment for indicators of compromise by comparing file hashes against the published IOCs; links are below.
Block all URL- and IP-based IOCs at the firewall, IDS, web gateway, or perimeter router. We recommend keeping all applications and operating systems at the current patch level so known vulnerabilities cannot be exploited.
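A hash-based IOC sweep of a WordPress install, plus a check for the "code appended to a PHP file" persistence the page describes, as an added example that is not part of the original advisory or of the IBM X-Force collection it links. The IOC hash set here is constructed from a sample backdoor string so the example runs offline; a real sweep would load the SHA-256 hashes published in the linked collections. The plugin directory name, the suspicious-code regex and the sample files are all assumptions for illustration.

```python
"""Sweep a WordPress tree for IOC hash matches and appended obfuscated PHP.

Added example, not code from the advisory or the referenced collections.
The IOC set and sample files are constructed so the script runs offline.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed backdoor stub representative of code appended to a PHP file.
# Not a real sample; it exists so an IOC hash can be derived for the demo.
SAMPLE_BACKDOOR = b'\n<?php eval(base64_decode("ZWNobyAicHduZWQiOw==")); ?>\n'

# Constructed IOC set: lowercase SHA-256 hex digests. Replace with the
# published hashes from the linked IOC collections in a real sweep.
IOC_SHA256 = {hashlib.sha256(SAMPLE_BACKDOOR).hexdigest()}

# Heuristic (assumption): injected PHP is typically an eval() of a decoding
# function. Legitimate plugins rarely ship this construct.
SUSPICIOUS_RE = re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def sha256_file(path):
    """Stream the file so large uploads do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_wordpress(root, ioc_hashes=IOC_SHA256):
    """Return sorted (relative_path, reason) findings for every .php file under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        if sha256_file(path) in ioc_hashes:
            findings.append((rel, "ioc-hash-match"))
        data = path.read_bytes()
        if SUSPICIOUS_RE.search(data):
            findings.append((rel, "suspicious-eval"))
        # Persistence as described on the page: code appended after the file's
        # original closing tag. Flag a second <?php block that follows a ?>.
        if re.search(rb"\?>\s*<\?php", data):
            findings.append((rel, "code-appended-after-close-tag"))
    return sorted(findings)


def build_sample():
    """Create a constructed mini WordPress tree in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    plugin = root / "wp-content" / "plugins" / "example-tracker"
    plugin.mkdir(parents=True)
    # Clean plugin file: no findings expected.
    (plugin / "clean.php").write_bytes(b"<?php\nfunction example_tracker_init() { return 1; }\n")
    # Standalone dropped file whose hash is in the IOC set.
    (plugin / "dropped.php").write_bytes(SAMPLE_BACKDOOR)
    # Legitimate file with the backdoor appended after its closing tag.
    theme = root / "wp-content" / "themes" / "example-theme"
    theme.mkdir(parents=True)
    (theme / "functions.php").write_bytes(b"<?php\nadd_action('init', 'noop');\n?>" + SAMPLE_BACKDOOR)
    return root


if __name__ == "__main__":
    sample_root = build_sample()
    for rel, reason in scan_wordpress(sample_root):
        print(f"{reason:32} {rel}")
```

Point `scan_wordpress` at the document root of a real site and feed it the published hash list; a `code-appended-after-close-tag` hit on a theme's `functions.php` or a plugin's main file is worth a manual look even when no hash matches, because a modified copy will not hash-match a known sample.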
For more information please see below.
WordPress Coronavirus malware backdoor information: https://exchange.xforce.ibmcloud.com/collection/c1df07de41e6d67569855cd8d3a1bb57
BleepingComputer report on this plugin attack: https://www.bleepingcomputer.com/news/security/wordpress-malware-distributed-via-pirated-coronavirus-plugins/
COVID Actors Using Pandemic To Launch Campaigns
Situation
Multiple malicious groups are using the COVID-19 pandemic to phish for personal information, credentials, or money, offering exclusive or in-depth information about the virus or a supposed treatment or cure in return. Some pose as government or biotech organisations with important information that they will release only after the target "validates" personal details. Others use fake Office 365 logon pages to harvest credentials.
Problem
People are susceptible to phishing, especially when told there is an urgent or limited window in which to act. The lure is usually panic or a false reward, used to get the victim to send information, grant access, or open a malicious file that compromises the user or their environment. Other campaigns use attachments or fake Office 365 sites to phish credentials directly.
Implication
Phishing relies on the end user to hand over information or access, or to open a malicious attachment or link that infects the device or harvests data. When users reply to such emails, fill in web forms, or open attachments without care, the result can be a breach, data loss, and compromise of the environment. A single successful phish, particularly one that yields credentials or confidential data, gives the attacker a foothold for a deeper intrusion.
Need
To protect yourself from email phishing, open and respond only to emails you are expecting. Hover over a URL in an email to reveal the address it actually points to; if you trust that address, type it into your browser's address bar yourself rather than clicking the link, and if you are uncertain, do not click it. Avoid attachments from people you do not know, and if in doubt, phone the sender to verify. Sender addresses can be spoofed, and attackers rely on urgency to extract information or access. Make sure your anti-virus is running and up to date. Use an email filtering service and block known-bad addresses at the network perimeter. Verify the websites you visit: always check the URL and the site's TLS certificate before entering sensitive data.
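The "hover over the link" check can be automated for an email body before it reaches a user. The following is an added example, not code from the advisory or from PhishLabs: it extracts every anchor from an HTML email, flags links whose visible text is a URL on a different host than the real target, links to bare IP addresses, and links that use plain HTTP (where no certificate can be checked). The sample email is constructed; the credential-harvesting host in it is a reserved example domain and the document link uses a TEST-NET address.

```python
"""Flag deceptive links in an HTML email body.

Added example (not from the original advisory). The sample email is
constructed; hosts and paths in it are illustrative, not observed IOCs.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that a user would read as a URL or domain (assumption: a
# dotted name with a 2+ letter TLD, optional scheme and path, no spaces).
URL_TEXT_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.anchors


def _host(url):
    """Hostname of a URL; a scheme is prepended when the text lacks one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return (href, reason) pairs; one href may appear with several reasons."""
    findings = []
    for href, text in extract_anchors(html):
        target = urlparse(href if "://" in href else "http://" + href)
        host = (target.hostname or "").lower()
        # The displayed text is itself a URL but points somewhere else.
        if URL_TEXT_RE.fullmatch(text) and _host(text) != host:
            findings.append((href, "display-host-mismatch"))
        if _is_ip_literal(host):
            findings.append((href, "ip-literal-host"))
        if target.scheme == "http":
            findings.append((href, "no-tls"))
    return findings


# Constructed sample of a COVID-themed credential phish.
SAMPLE_EMAIL_HTML = """
<p>URGENT: your mailbox will be suspended in 24 hours unless you re-validate.</p>
<p>Sign in now: <a href="http://login-verify.example.net/o365">https://login.microsoftonline.com</a></p>
<p>Treatment details: <a href="http://203.0.113.7/cure.docx">Download the document</a></p>
<p>Manage preferences: <a href="https://www.example.com/unsub">https://www.example.com/unsub</a></p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{reason:22} {href}")
```

Feed it the decoded `text/html` part of a message (for example via `email.message_from_bytes(...).get_body(preferencelist=("html",))`) in a mail filter or an analyst triage script; a `display-host-mismatch` on a login-looking URL is the strongest single signal here.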
For more information on the COVID-19 Phishing campaigns please visit: https://info.phishlabs.com/blog/covid-phishing-update-campaigns-addressing-a-cure