COVID-19: CYBERSECURITY WATCH #4 – April 9th, 2020

In light of the current health crisis, the CERT of (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week. A detailed description and modus operandi of the attack will be made.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.


Focus on the COVID-19.exe malware


Attack: The ‘COVID-19’ malware erases your machine’s data and corrupts its MBR
Method: Overwrites the Master Boot Record
Target: Computers’ Master Boot Records 
Publication date: March 31st, 2020

A team of security researchers known as the MalwareHunterTeam recently discovered a malware called “COVID-19.exe” that attacks the integrity of your computer by editing its MBR. MBR stands for “Master Boot Record”: it is the first sector of a hard drive, which holds, amongst other things, a boot routine that loads the operating system of the machine. The MBR is used in the very first stages of booting, to launch an operating system such as Microsoft Windows.

As the malware runs, it firstly places several files in a temporary folder as it creates another hidden folder called “COVID-19”. The files are then moved to this brand new directory. Then comes the “corruption step”, which starts with the execution of the main file, entitled “coronavirus.bat”, that changes registry keys to perform several actions:

  • Disable the task manager (to prevent the user from killing the process);
  • Deactivate User Account Control (UAC), the window that pops up and asks for a password or for confirmation of an action that requires privileged access;
  • Change the wallpaper to Wallpaper.jpg and prevent the user from restoring it;
  • Add persistence.

Once the registry keys are changed, a message appears in the console indicating that the computer will restart. After the reboot, a new executable, “mainWindow.exe”, is launched; it only serves to distract the user while the malware overwrites the MBR. At this point, the malware has completed its task and the next time the computer is rebooted, a message will be displayed to the user: “Created By Angel Castillo. Your Computer Has Been trashed.”

If the user is completely unable to reboot the operating system, all is not lost! The MBR can be repaired with specific tools to fix the issue. This type of malware does not ask for money in the form of a ransom, but is specifically designed to destroy the victims’ MBR.
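As an added example (not part of the original newsletter and not code from the researchers), the following Python sketch shows how a defender can detect an overwritten MBR by comparing the boot code of the first sector against a hash recorded while the machine was known to be clean. The sample sectors, the function names and the baseline approach are assumptions constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440            # bytes 0..439 hold the boot routine
TABLE_OFFSET = 446             # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR

def boot_code_hash(mbr: bytes) -> str:
    """Hash only the boot routine; the partition table may change legitimately."""
    return hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest()

def parse_partitions(mbr: bytes) -> list:
    parts = []
    for i in range(4):
        entry = mbr[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0x00:      # type 0 marks an unused slot
            parts.append({"slot": i, "status": status, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts

def check_mbr(mbr: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the sector looks intact."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("partition table is empty")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"slot {p['slot']}: invalid status byte")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline")
    return findings

def build_sample(boot_code: bytes) -> bytes:
    """Constructed test sector: one bootable NTFS-type entry at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3, 2048, 1_000_000)
    return boot_code.ljust(TABLE_OFFSET, b"\0") + entry + b"\0" * 48 + BOOT_SIGNATURE

CLEAN = build_sample(b"\xfa\x33\xc0\x8e\xd0")                 # constructed "known good"
BASELINE = boot_code_hash(CLEAN)
TAMPERED = build_sample(b"CONSTRUCTED REPLACEMENT BOOT CODE")  # boot routine replaced
WIPED = b"\0" * SECTOR_SIZE                                    # sector zeroed out
```

Record the baseline from the first 512 bytes of the disk while the system is healthy, and keep a copy of that sector offline so it can be used for repair.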




Attack: DarkHotel Group exploits a zero-day vulnerability in Sangfor’s SSL VPN servers to attack Chinese administrations and obtain information on their management of COVID-19
Method: Exploiting a zero-day vulnerability
Target: Chinese Government Agencies and Diplomatic Missions
Publication date: April 6th, 2020
Description: According to Qihoo 360, DarkHotel exploited a zero-day flaw in the VPN servers to take control and replace an update file with a booby-trapped version. Supposedly operating from the Korean peninsula, the group is reportedly seeking to acquire information about China’s handling of the COVID-19 pandemic. 

Attack: The Italian social security website has been the victim of several computer attacks
Target: Website of the Italian Social Security, INPS
Publication date: April 3rd, 2020
Description: While 339,000 self-employed and seasonal workers were sending in their applications for the exceptional financial assistance offered by the INPS, its website was taken offline by a cyberattack.

Attack: Chinese hacker group hides behind a chain of cyberinfection linked to the coronavirus
Method: Fraudulent e-mails
Target: Mongolian public sector entity
Publication date: March 2020
Description: Posing as the Mongolian Ministry of Foreign Affairs in connection with the management of COVID-19, a cybercriminal group attempted to convince Mongolian public sector staff to provide them with access to their private network in order to retrieve data. 

Attack: Attackers pose as human resources and payroll services to extract information from employees
Method: Identity Theft
Target: Between 20,000 and 50,000 inboxes
Publication date: April 8th, 2020
Description: Using the pretext of COVID-19 to justify changes to corporate payroll services, cybercriminals attempt to obtain employee identifiers to access personal accounts and steal sensitive data.




Attack: Scammers target Australians financially impacted by the health crisis
Method: Identity Theft
Surface/Application: Retirement Pensions
Publication date: April 7th, 2020
Description: As financially troubled Australians take advantage of the exceptional opportunity to access their retirement funds, cybercriminals are seeking to obtain the information they need to access these funds under the guise of COVID-19.

Attack: Spear-phishing campaign mimics WHO documents to spread LokiBot malware
Method: Spear-phishing
Surface/Application: E-mails
Target: Individuals primarily in the United States, Turkey, Portugal, Germany and Austria
Publication date: April 4th, 2020
Description: The fraudulent e-mails claim to be fighting misinformation about COVID-19. However, they contain a compressed file in ARJ format that, once decompressed, releases the LokiBot malware, which is capable of stealing a vast amount of data, including passwords. 

Attack: Fraudulent organizations are laundering money by offering fake jobs to people financially affected by the COVID-19 pandemic
Method: Spear-phishing
Target: People in financial precariousness
Publication date: March 26th, 2020
Description: After “hiring” the candidate, bogus donors send money from hacked bank accounts to the victim’s account. The victim then converts the amount received into cryptocurrency for the attackers.


Useful Resources


Resource type: “CoronaCheck”, the search engine that detects fake news
Target: The general public
Publication date: April 2nd, 2020
Description: EURECOM has developed an algorithmic “fact-checking” tool to verify COVID-19 related statistics on the web and contain fake news.  

Resource type: The National Agency for Performance Support (ANAP) has set up a mutual assistance network for IS managers in medical establishments.
Target: IS managers of medical facilities
Publication date: March 30th, 2020
Description: Via its website, ANAP offers a system for putting the IS managers of medical establishments in touch with medico-social IS experts. A forum dedicated to this mutual aid has also been set up.

Resource type: Facebook shares user data cards to help scientific research
Target: Researchers
Publication date: April 6th, 2020
Description: Facebook is committed to sharing new data about its users measuring their social connectivity and travel patterns. The goal is to help researchers better predict the evolution of the pandemic and measure the effectiveness of containment measures.

Resource type: French government launches two chatbots in collaboration with WhatsApp and Facebook to address fake news about COVID-19
Method: Chatbots
Surface/Application: WhatsApp and Messenger
Publication date: April 6th, 2020
Description: Accessible every day, these two chatbots aim to combat fake news and promote hygiene and social distancing measures.

Resource type: The WHO fights fake news on WhatsApp
Method: Chatbots
Surface/Application: The instant messaging application WhatsApp
Publication date: March 21st, 2020
Description: Faced with the massive spread of more or less reliable information on COVID-19 through the app, the WHO has set up a chatbot designed to untangle the true from the false by instantly answering users’ questions.


Other News


Subject: Robots are on the front line to fight the pandemic
Publication date: April 7th, 2020
Description: Robots are a valuable ally in the crisis we are going through: whether they are police officers or caregivers, they are involved on all fronts to help manage the crisis – in Tunisia, for example, robots are taking the place of police officers to enforce confinement measures.

Country: International 
Subject: Google Maps publishes geolocation data for 131 countries to help governments assess the impact and effectiveness of social distancing measures
Publication date: April 3rd, 2020
Description: The anonymous data obtained with the geolocation of its users allows Google to measure the frequentation of public places and businesses.

Subject: U.S. and Chinese researchers have announced the upcoming launch of a tool using artificial intelligence to predict severe cases of COVID-19 
Publication date: March 30th, 2020
Description: This tool relies on an intelligent algorithm that analyzes indicators showing a strong possibility of developing severe respiratory distress syndrome. The objective is to enable doctors to treat at-risk patients as a priority.

Country: European Union
Subject: The European Data Protection Supervisor calls for the creation of a common tracing application
Publication date: April 6th, 2020
Description: Similar to the French FDPA, the European EDPS calls for the development of a digital tracing app common to all member-states, as a way to protect the privacy of users and improve its efficiency.

Country: United States
Subject: U.S. Department of Justice Launches National Campaign to Eradicate Fraudulent Activity Online
Publication date: April 2nd, 2020
Description: Faced with a flurry of attacks and frauds linked to the pandemic, the American justice system has decided to be uncompromising, and has published a list of good practices to follow.

