
Coronavirus Infects Thousands Of Devices Worldwide

Cyber security 02/11/2020 - 10:52 by Sudhakaran R

Coronavirus Malware Infects Thousands Of Devices

Cybercriminals are taking advantage of worldwide fears surrounding the deadly coronavirus by sending out malware-laden emails supposedly offering guidance.

Security firms monitoring for the latest threats have detected multiple email campaigns, all of which use the coronavirus as a lure to get victims to open infected messages.

Criminals prey on health worries to trick victims into downloading malware

There are nearly 7,000 confirmed cases of coronavirus worldwide, the bulk of them in China, where there have been at least 170 deaths.

Cybercriminals are sending out Emotet-laced emails bearing authentic-looking public service organization logos, a warning about the coronavirus threat, and supposed prevention information. Unsuspecting recipients take the message to be benign and click the link inside it to learn how to prevent the spread of the virus and which symptoms to watch out for. Instead, the link takes them to a malicious website that can install the malware on the PC without the user’s knowledge.

The first major campaign was detected by IBM X-Force Threat Intelligence. It targets victims with fake coronavirus infection reports for various Japanese prefectures, including Gifu, Osaka, and Tottori.

What is Emotet?

Emotet is a banking trojan that has been around since 2014, but it has become far more active in recent years, affecting both individual and corporate users. It is one of the largest malware botnets operating today: Proofpoint notes in its recent research that Emotet accounted for nearly 12 percent of all malicious emails worldwide during the quarter the report covered.

Elsewhere, security experts at Kaspersky have discovered malicious files disguised as documents associated with coronavirus.

The malicious files were disguised as PDF, MP4, and DOCX files, with names implying they contained video instructions on how to protect yourself from the virus, updates on the threat, and even virus detection procedures.

However, the files contained a variety of threats, including Trojans and worms capable of destroying, blocking, modifying, or copying data, as well as interfering with the operation of computers or computer networks.

“The coronavirus, being widely discussed as a serious news article, has already been used as bait by cybercriminals. So far, we’ve seen only 10 unique files, but as this type of activity often happens with popular media topics, we expect that this tendency may grow. As people continue to be worried about their health, we may even see more and more malware hidden inside fake documents about the coronavirus being spread,” comments Anton Ivanov, Kaspersky malware analyst.

How Emotet Spreads Over Wi-Fi

The Emotet sample first infects the initial system with a self-extracting RAR file containing two binaries (worm.exe and service.exe) that are used for the Wi-Fi spreading. After the RAR file unpacks itself, worm.exe executes automatically.

The worm.exe binary immediately begins profiling wireless networks so that it can spread to other Wi-Fi networks. To do this, Emotet uses wlanAPI, one of the libraries behind the Windows Native Wifi application programming interface (API), which manages wireless network profiles and wireless connections.

Once a Wi-Fi handle has been obtained, the malware calls WlanEnumInterfaces, which enumerates the wireless interfaces (adapters) on the victim’s system; the networks currently visible from those interfaces are then retrieved (in the Native Wifi API, WlanGetAvailableNetworkList is the call that returns this list). Each network comes back in a structure holding its associated information, including the SSID, signal strength, encryption, and network authentication method.

Once the information for every network has been obtained, the malware enters what the researchers call the “brute-forcing loops”. It takes a password from an “internal password list” (it is not clear how this list was assembled) and attempts to connect with it. If the connection fails, the loop moves on to the next password in the list.

If the password is correct and the connection succeeds, the malware sleeps for 14 seconds before sending an HTTP POST to its command-and-control (C2) server on port 8080; it is now joined to the new Wi-Fi network.

The binary then begins enumerating and attempting to brute-force the passwords of all users (including any Administrator accounts) on the newly joined network. If any of these attempts succeed, worm.exe installs the other binary, service.exe, onto the compromised device. To gain persistence, the binary is installed as a service under the guise of “Windows Defender System Service” (WinDefService).

“With buffers containing either a listing of all usernames successfully brute-forced and their passwords, or the administrator account and its password, worm.exe can now begin spreading service.exe to other systems,” said researchers. “Service.exe is the infected payload installed on remote systems by worm.exe. This binary includes a PE timestamp of 01/23/2020, which was the date it was first found by Binary Defense.”

After service.exe is installed and communicates back to the C2, it begins dropping the embedded Emotet executable. In this manner, the malware attempts to infect as many devices as possible.

Protecting Against Emotet

Emotet, which started as a banking trojan in 2014 and has since grown into a full-service threat delivery mechanism, can load a range of additional malware onto victim machines, such as information stealers, email harvesters, self-propagation mechanisms, and ransomware.

For their part, the researchers advise blocking this new Emotet technique by securing wireless networks with strong passwords.
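The loop described in the spreading section above tries each entry of a fixed password list against a live network, so the strong-password advice comes down to one question: is your passphrase on a list like that? The following is an example added to this article, not Emotet's code or the researchers' tooling. It models the same list-driven loop offline using the real WPA2-PSK derivation (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256 bits) so a defender can audit a passphrase against a wordlist; the six-entry wordlist is a constructed stand-in for the malware's "internal password list", and the SSID/passphrase pair "IEEE"/"password" is the published 802.11i test vector.

```python
"""Offline model of the Wi-Fi password-list loop: derive the WPA2 pre-shared key
for each candidate passphrase and compare it with the network's real key.
Example code added to this article; not Emotet's or Binary Defense's code."""
import hashlib
from typing import Iterable, Optional, Tuple

# IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)

# Constructed stand-in for the spreader's "internal password list" (assumption:
# the real list is unknown; this one is just a handful of common passphrases).
WORDLIST = ["12345678", "password", "qwertyuiop", "iloveyou", "letmein1", "welcome1"]

def dictionary_attack(ssid: str, target_psk: bytes,
                      wordlist: Iterable[str] = WORDLIST) -> Tuple[Optional[str], int]:
    """Walk the list the way the malware's loop does: stop at the first passphrase
    whose derived PSK matches. Returns (matching passphrase or None, attempts made)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if wpa2_psk(candidate, ssid) == target_psk:
            return candidate, attempts
    return None, attempts

def passphrase_is_weak(passphrase: str, ssid: str,
                       wordlist: Iterable[str] = WORDLIST) -> bool:
    """Defender-side audit: would a list-driven loop like this one find our passphrase?"""
    found, _ = dictionary_attack(ssid, wpa2_psk(passphrase, ssid), wordlist)
    return found is not None

if __name__ == "__main__":
    ssid = "IEEE"  # SSID from the 802.11i test vector (passphrase "password")
    print("PSK:", wpa2_psk("password", ssid).hex())
    print("weak passphrase:", dictionary_attack(ssid, wpa2_psk("password", ssid)))
    print("strong passphrase:", dictionary_attack(ssid, wpa2_psk("correct horse battery staple", ssid)))
```

The offline loop is far faster than what the spreader can do: the malware has to attempt an actual association for every candidate, which the wireless stack serialises, so its list must be short. Any passphrase that is not on a common-password list defeats this spreader outright; it does not, however, protect against an offline attack on a captured WPA2 handshake, which is the scenario the PBKDF2 iteration count is meant to slow down.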

“Detection techniques for this danger include active monitoring of endpoints for new services being introduced and investigating suspicious services or any processes operating from temporary directories and application data folders for user profiles.”
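The two detection ideas in that advice (a newly installed service, and a service or process running out of a user profile's temp or application-data folders) map onto Windows System event 7045 ("a service was installed") and Security event 4688 ("a new process has been created"). The following is an example added to this article, not the researchers' tooling, that applies both rules plus a third one specific to this sample: a service branded "Windows Defender" whose binary is not under the genuine Defender install roots. The event records, host name, user name and file paths are constructed samples, not real telemetry, and the Defender roots used by the masquerade rule are an assumption of this example.

```python
"""Hunt for the persistence and execution traces of the Wi-Fi spreader in
Windows event records. Example code added to this article, not the researchers'
tooling; the events below are constructed samples, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Service binaries and processes should not normally run from a user profile's
# AppData tree or from the Windows temp folder.
SUSPICIOUS_DIR = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Windows\\Temp\\", re.IGNORECASE)

# Roots of the genuine Windows Defender install (assumption of this rule: a
# "Defender"-branded service whose binary is outside these roots is masquerading).
DEFENDER_ROOTS = re.compile(
    r'^"?C:\\(?:Program Files\\Windows Defender|ProgramData\\Microsoft\\Windows Defender)\\',
    re.IGNORECASE)

@dataclass
class Finding:
    rule: str
    host: str
    detail: str

def check_event(ev: Dict[str, object]) -> List[Finding]:
    """Apply the detection rules to one event; returns zero or more findings."""
    findings: List[Finding] = []
    host = str(ev["Host"])
    if ev["EventID"] == 7045:  # System log: a new service was installed
        name = f'{ev["ServiceName"]} ({ev["DisplayName"]})'
        path = str(ev["ImagePath"])
        if SUSPICIOUS_DIR.search(path):
            findings.append(Finding("service-from-user-dir", host, f"{name} -> {path}"))
        if "defender" in name.lower() and not DEFENDER_ROOTS.match(path):
            findings.append(Finding("defender-masquerade", host, f"{name} -> {path}"))
    elif ev["EventID"] == 4688:  # Security log: a new process has been created
        path = str(ev["NewProcessName"])
        if SUSPICIOUS_DIR.search(path):
            findings.append(Finding("process-from-user-dir", host,
                                    f'{path} (parent {ev["ParentProcessName"]})'))
    return findings

def hunt(events) -> List[Finding]:
    return [f for ev in events for f in check_event(ev)]

# Constructed events: a genuine Defender service and svchost (benign), then the
# self-extracted worm.exe running from Temp and service.exe registered as a
# fake "Windows Defender System Service" (WinDefService) from AppData.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Host": "WS-ALICE", "ServiceName": "WinDefend",
     "DisplayName": "Windows Defender Antivirus Service",
     "ImagePath": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2001.10-0\MsMpEng.exe"'},
    {"EventID": 4688, "Host": "WS-ALICE",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe"},
    {"EventID": 4688, "Host": "WS-ALICE",
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\worm.exe",
     "ParentProcessName": r"C:\Users\alice\Downloads\coronavirus_update.exe"},
    {"EventID": 7045, "Host": "WS-ALICE", "ServiceName": "WinDefService",
     "DisplayName": "Windows Defender System Service",
     "ImagePath": r"C:\Users\alice\AppData\Roaming\service.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.host}: {finding.detail}")
```

The benign records produce nothing: the real Defender service is "Defender"-branded but its image path sits under the expected root, and svchost runs from System32. The worm.exe process and the fake service each trip a rule, and the fake service trips two, which is the kind of corroborating hit worth alerting on rather than a single path match. On a real estate the same rules can be fed from the System and Security logs (for example via a SIEM export or Get-WinEvent), with the Defender-root and suspicious-directory patterns tuned to the environment.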

The only way to protect what you’ve worked hard to build is to be vigilant regarding cybersecurity. If you’d like to know more about how your business can benefit from managed services, just give us a call, we are here to help.
