S21sec’s Threat Intelligence Department Weekly bulletin S21sec COVID-19 March 20, 2020


CYBERSECURITY YOU CAN TRUST

Trickbot and Emotet are using COVID-19 news text to evade antivirus detection

The Trickbot and Emotet trojans are using the latest Coronavirus news to support their campaigns. Last week it was reported in the media that Trickbot and Emotet are embedding text taken from CNN coverage of COVID-19 in the "file information" (the version metadata) of the malicious binaries they use for infection.

Padding a crypted (packed) binary with this kind of benign-looking text is intended to evade some antivirus engines and so avoid detection.

    https://www.bleepingcomputer.com/news/security/trickbot-emotet-malware-use-coronavirus-news-to-evade-detection/
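The bulletin describes the metadata trick but does not show what a triage check for it looks like. The following Python script is an added example (not S21sec's code and not metadata from any real Trickbot or Emotet sample): it hand-builds a VS_VERSIONINFO resource whose FileDescription is stuffed with a made-up news sentence, parses that resource the way a triage script would after extracting it from a PE, and flags version-info fields that read like pasted prose rather than product metadata. The company and product names, the sentence in FileDescription and the marker word list are all assumptions for illustration; extracting the resource from a real PE (for instance with pefile) is outside the block.

```python
import struct

# Added example: hand-built VS_VERSIONINFO resource, a parser for it, and a triage
# heuristic. Nothing here comes from a real sample; all strings are constructed.


def build_block(key: str, value: bytes = b"", wtype: int = 1, children=()) -> bytes:
    """Serialise one VS_VERSIONINFO-style block: (wLength, wValueLength, wType),
    null-terminated UTF-16LE szKey, padding to a DWORD boundary, the value,
    then each child block DWORD-aligned."""
    body = bytearray(6)                                   # header, filled in below
    body += key.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * ((-len(body)) % 4)                  # Padding1
    body += value
    for child in children:
        body += b"\x00" * ((-len(body)) % 4)              # children start DWORD-aligned
        body += child
    value_len = len(value) // 2 if wtype == 1 else len(value)   # text values are counted in WCHARs
    struct.pack_into("<HHH", body, 0, len(body), value_len, wtype)
    return bytes(body)


def string_entry(name: str, text: str) -> bytes:
    """A String block such as FileDescription=<text>; the value keeps its UTF-16 terminator."""
    return build_block(name, text.encode("utf-16-le") + b"\x00\x00", wtype=1)


def build_version_info(strings: dict) -> bytes:
    """VS_VERSION_INFO -> StringFileInfo -> StringTable(040904B0) -> String entries."""
    fixed = struct.pack("<I", 0xFEEF04BD) + b"\x00" * 48  # VS_FIXEDFILEINFO: signature, rest zeroed
    table = build_block("040904B0", children=[string_entry(k, v) for k, v in strings.items()])
    sfi = build_block("StringFileInfo", children=[table])
    return build_block("VS_VERSION_INFO", fixed, wtype=0, children=[sfi])


def parse_block(buf: bytes, off: int):
    """Parse the block at buf[off]; returns ((key, wtype, value, children), end_offset)."""
    length, value_len, wtype = struct.unpack_from("<HHH", buf, off)
    if length < 6 or off + length > len(buf):
        raise ValueError("malformed block at offset %d" % off)
    end = off + length
    p = off + 6
    key_end = p
    while buf[key_end:key_end + 2] != b"\x00\x00":        # scan for the UTF-16 terminator
        key_end += 2
        if key_end + 2 > end:
            raise ValueError("unterminated key at offset %d" % off)
    key = buf[p:key_end].decode("utf-16-le")
    p = key_end + 2
    p += (-p) % 4                                          # skip Padding1
    value_bytes = value_len * 2 if wtype == 1 else value_len
    value = buf[p:p + value_bytes]
    p += value_bytes
    children = []
    while True:
        p += (-p) % 4                                      # children are DWORD-aligned
        if p + 6 > end:
            break
        child, p = parse_block(buf, p)
        children.append(child)
    return (key, wtype, value, children), end


def version_strings(buf: bytes) -> dict:
    """Flatten every String entry under the root into {name: text}."""
    root, _ = parse_block(buf, 0)
    out = {}

    def walk(node):
        key, wtype, value, children = node
        if wtype == 1 and value:                           # container blocks carry no value
            out[key] = value.decode("utf-16-le").rstrip("\x00")
        for child in children:
            walk(child)

    walk(root)
    return out


# Assumed marker list; a real rule set would be tuned against a clean-software baseline.
NEWS_MARKERS = ("coronavirus", "covid", "cnn", "pandemic", "outbreak")


def suspicious_fields(strings: dict, max_words: int = 12) -> dict:
    """Flag fields that read like pasted prose (long, sentence-like) or carry news markers."""
    hits = {}
    for name, text in strings.items():
        looks_like_prose = len(text.split()) > max_words and "." in text
        if looks_like_prose or any(m in text.lower() for m in NEWS_MARKERS):
            hits[name] = text
    return hits


# Constructed sample mimicking the technique: plausible product fields plus a
# FileDescription stuffed with an invented news sentence.
SAMPLE_RESOURCE = build_version_info({
    "CompanyName": "Contoso Ltd.",
    "ProductName": "Contoso Updater",
    "FileDescription": "Health officials said the coronavirus outbreak has spread to more "
                       "than 100 countries, CNN reported on Wednesday.",
})

if __name__ == "__main__":
    for name, text in suspicious_fields(version_strings(SAMPLE_RESOURCE)).items():
        print("suspicious %s: %r" % (name, text))
```

The word-count threshold is deliberately crude: legitimate FileDescription values are short product names, so anything that parses as a sentence is worth a second look, and the marker list only adds the campaign-specific lure words. The same walker can be pointed at the resource bytes of an actual sample once they have been carved out of the PE.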

CCN-CERT publishes IOCs of phishing and malware campaigns taking advantage of COVID-19

On March 19th, CCN-CERT issued an alert about the increase in malware using coronavirus-related lures.

To help prevent infection by these campaigns, CCN-CERT has published security recommendations and has taken further actions such as publishing Indicators of Compromise for the detected campaigns, available at the following link.

    https://loreto.ccn-cert.cni.es/index.php/s/oDcNr5Jqqpd5cjn

Blog collecting malicious APKs that take advantage of COVID-19

Concern among cybersecurity experts about the increase in Coronavirus-themed malware campaigns, and the wish to protect vulnerable people from this kind of fraud, has led many researchers to set up blogs documenting the campaigns that are under way.

The following blog lists malicious Android apps that use coronavirus-related themes, collected from different sources. The author also encourages the wider cybersecurity community to help keep the data up to date via his Twitter account.

    https://lukasstefanko.com/2020/03/android-coronavirus-malware.html


    Truce for the health sector due to the COVID-19 pandemic

According to BleepingComputer, the operators behind Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker and Ako have told the outlet that they intend to stop attacking health care institutions and medical organisations during the global COVID-19 crisis.

So far, written statements are available only from the DoppelPaymer and Maze operators. DoppelPaymer states that hospitals and health centres are not normally among its targets and that this will remain the case; it also says that if one is hit by mistake, it will provide decryption free of charge.

Maze, for its part, states that attacks against health entities have ceased until the crisis is under control. This was announced in a "press release" that serves as its official communication.

Although this news is welcome for the management of hospitals and health institutions, other ransomware families are not taking the same measures. Given that, and in light of the latest reports of cyber-attacks on hospitals worldwide, such as the Canadian case, special vigilance is recommended around the security of health centres that may become potential victims.

    https://www.bleepingcomputer.com/news/security/ransomware-gangs-to-stop-attacking-health-orgs-during-pandemic/

Spanish malware campaign using the Coronavirus

A spam campaign has been detected using emails with the subject "Vacuna COVID-19: prepare la vacuna en casa para usted y su familia para evitar COVID-19" ("COVID-19 vaccine: prepare the vaccine at home for you and your family to avoid COVID-19"). The emails carry a malicious .zip attachment that supposedly contains images of "anti-coronavirus items". When the user opens the file, the GuLoader downloader runs and in turn retrieves and deploys the Agent Tesla information stealer.

    https://twitter.com/MarceloRivero/status/1240697626082693122?s=20

www.s21sec.com | (+34) 902 020 222 | [email protected]