Back to Insights

Coronavirus Infects Thousands Of Devices Worldwide

Cyber security 02/11/2020 - 10:52 by Sudhakaran R

Criminals get on health worries to trick victims into downloading malware

Cybercriminals are taking advantage of worldwide fears surrounding the deadly coronavirus by sending out malware-laden emails supposedly offering guidance.

Multiple email campaigns are detected by security firms monitoring for the most recent threats, all of which use coronavirus as a hook to undertake and find victims to open infected messages.

There are nearly 7,000 confirmed cases of coronavirus worldwide, the bulk of which are in China where there have a minimum of 170 deaths.

Cybercriminals are sending out emote-laced emails with authentic-looking public service organization logo and a warning message about the Coronavirus threats and prevention information to victims. Sadly, naive people believe it to be benign and click on the link inside the package for more information to be told about a way to prevent the spread of the virus and symptoms to appear out for. Instead, the link takes them to a malicious website, which can allow hackers to put in the malware into the PC without the users’ knowledge.

The first major malware campaign was detected by IBM X-Force Threat Intelligence and targets victims with coronavirus infection reports in various Japanese prefectures including the main population centers of Gifu, Osaka, and Tottori.

What is Emotet?

Emotet could be a banking trojan, which has been around since 2014. But, it’s become more active in recent years affecting both individuals and company users. Emotet is one in all the biggest malware botnets operative today with Proofpoint noting that its recent research reports found it accounted for nearly 12 percent of all malicious email worldwide during that quarter.

Elsewhere, security experts at Kaspersky have discovered malicious files disguised as documents associated with coronavirus.

The malicious files were disguised as pdf, mp4, Docx files, with names that implied they contained video instructions on a way to protect yourself from the virus, updates on the threat and even virus detection procedures.

However, the files actually contained a variety of threats, including Trojans and worms that are capable of destroying, blocking, modifying or copying data, likewise as interfering with the operation of computers or computer networks.

“The coronavirus, which is being widely discussed as a serious news article, has already been used as bait by cybercriminals. So far, we’ve got seen only 10 unique files, but as this type of activity often happens with popular media topics then we expect that this tendency may grow. As people still be worried about their health, we may even see more and more malware hidden inside fake documents about the coronavirus being spread,” comments Anton Ivanov, Kaspersky malware analyst.

Emotet Spread

The Emotet sample first infects the initial system with a self-extracting RAR file, containing two binaries (worm.exe and repair.exe) used for the Wi-Fi spreading. After the RAR file unpacks itself, Worm.exe executes automatically.

The worm.exe binary immediately begins profiling wireless networks so as to aim to spread to other Wi-Fi networks. Emotet makes use of the wlanAPI interface to try and do this. wlanAPI is one in all the libraries utilized by the native Wi-Fi application programming interface (API) to manage wireless network profiles and wireless network connections.

Once a Wi-Fi handle has been obtained, the malware then calls WlanEnumInterfaces, a function that enumerates all Wi-Fi networks currently available on the victims’ system. The function returns the enumerated wireless networks during a series of structures that contain all information associated with them (including their SSID, signal, encryption and network authentication method).

Once the information for every network has been obtained, the malware moves into the reference to “brute-forcing loops”. Attackers use a password obtained from “internal password lists” (it’s not clear how this internal password list has been obtained) to aim to form the connection. If the connection isn’t successful, the function loops and moves to the subsequent password on the password list.

If the password is correct and also the connection is successful, the malware sleeps for 14 seconds before sending an HTTP POST to its command-and-control (C2) server on port 8080, and establishes the connection to the Wi-Fi network.

Then, the binary begins enumerating and attempting to brute-force passwords for all users (including any Administrator accounts) on the newly-infected network. If any of those brute forces are successful, worm.exe then installs the opposite binary, service.exe, onto the infected devices. to realize persistence on the system, the binary is installed under the guise of “Windows Defender System Service” (WinDefService).

“With buffers containing either a listing of all usernames successfully brute-forced and their passwords, or the administrator account and its password, worm.exe can now begin spreading service.exe to other systems,” said researchers. “Service.exe is that the infected payload installed on remote systems by worm.exe. This binary includes a PE timestamp of 01/23/2020, which was the date it absolutely was first found by Binary Defense”.

After service.exe is installed and communicates back to the C2, it begins dropping the embedded Emotet executable. during this manner, the malware attempts to infect as many devices as possible.

Protecting Against Emotet

Emotet, who started out as a banking trojan in 2014 and has grown continuously to become a full-service threat delivery mechanism, can mount a range of malware on victim machines like information stealers, email harvesters, self-propagation mechanisms and ransomware.

On their part, researchers advise to block this new Emotet technique by using strong passwords to secure wireless networks.

“Detection techniques for this danger include active monitoring of endpoints for new services being introduced and investigating suspicious services or any processes operating from temporary directories and application data folders for user profiles”

The only way to protect what you’ve worked hard to build is to be vigilant when it comes to cybersecurity. If you’d like to know more about how your business can benefit from managed services, just give us a call, we are here to help.

Coronavirus infects thousands of devices worldwideCriminals get on health worries to trick victims into downloading malware.