COVID-19: CYBERSECURITY WATCH #5 – April 16th, 2020

In light of the current health crisis, the CERT of (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week. A detailed description and modus operandi of the attack will be made.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • Fraud” includes scams and fake news;
  • Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • Other News” combines a variety of information such as government measures taken in the area of cybersecurity.


Focus on the “Grandoreiro” malware

Attack: “Grandoreiro” malware campaign targets the Spanish banking sector using COVID-19 related videos
Method: Malicious Chrome extension
Target: Spanish banking sector
Publication date: April 13th, 2020

Researchers from the IBM X-Force team have noticed the spread of a specific malware from Brazil to Spain over the past few months. Known as “Grandoreiro”, this malware is a Trojan horse targeting the session cookies of users navigating on their bank’s website through a malicious extension on the Chrome browser.

There are several steps in the infection. First of these is a phishing campaign. Attackers take advantage of the global health crisis to entice users to install the malware “loader”. However, there are various campaigns based on different topics. This “loader” does not yet contain the virus load and is publicly available on GitHub, a recognized development management platform. Once the user installs this loader (with an .msi extension), the malicious load is then downloaded from hardcoded addresses in the loader. The victim’s computer is now infected.

Second step: Establishing a communication channel. From this point on, the malware will attempt to communicate with a command-and-control (C&C) server. Prior to initiating a connection to this server, an algorithm checks that the malware’s execution is the result of a recent phishing campaign. Otherwise, communications go to localhost.

Third step: Data extraction. Once the SSL/TLS-encrypted communication with the C&C server is established, the malware can send information about the victim’s machine and the clipboard contents to the attackers. Most importantly, remote control is then possible.

Final step: Installing the Chrome extension. After a forced reboot and a few more minutes, the “” file is written by the malware on the victim’s hard drive. This compressed file contains the legitimate Chrome browser extension “Edit This Cookie”. However, this is an altered version made by the malware’s authors. A new Chrome browser shortcut appears, allowing the Chrome browser to launch with the new malicious extension loading as a parameter. 

Once activated on the infected device, this malware sits in the background waiting for the victim to launch Chrome using the new shortcut and start browsing the website of a targeted bank. At this point, a communication begins in real time between the C&C server and the victim by displaying malicious images on his screen in order to incite him to maintain the current session and provide information that may help the attacker to carry out transfers from the victim’s account.



Attack: Following an increase in online meetings due to containment, a phishing campaign targets telecommuting employees using the Cisco Webex online conferencing platform
Method: Phishing
Target: Webex user e-mail
Publication date: April 9th, 2020
Description: The phishing campaign replicates the content of an actual Cisco security advisory from December 2016 urging users to update the Cisco Webex online conferencing platform on the pretext of a critical vulnerability.


Attack: Two Dutch government websites providing information on the COVID-19 pandemic targeted by Distributed Denial of Service (DDoS) attacks
Method: Distributed Denial of Service Attack (DDoS)
Target: Dutch government websites
Publication date: April 14th, 2020
Description: The two government sites hit by the attack on March 19th were unavailable for several hours. On April 10th, Dutch police apprehended a 19-year-old man suspected of being the perpetrator and shut down 15 websites offering botnets for hire (DDoS-for-hire).


Attack: U.S. Department of Defense personnel telecommuting during the COVID-19 pandemic targeted by spear-phishing attacks
Method: Spear-phishing
Target: U.S. Department of Defense personnel telecommuting
Publication date: April 13th, 2020
Description: Fraudulent e-mails targeting Pentagon employees working from home have increased since the start of the COVID-19 pandemic. Attackers are trying to deceive their targets, most commonly by impersonating family members or stores where they regularly shop.



Attack: More than 500,000 Zoom user accounts for sale on the darknet
Method: Authentication credentials traffic
Surface/Application: Darknet
Publication date: April 15th, 2020
Description: The Zoom online conferencing tool, however, is not at fault, however as these credentials were obtained through credential stuffing, which allows hackers to take previously stolen passwords and try them out on many other accounts. The Zoom users in this database reused a password that they had already used elsewhere.


Attack: Generators of derogatory certificates that can collect data
Method: Collection of sensitive data and generation of advertising revenue
Surface/Application: Android Application
Publication date: April 14th, 2020
Description: At least three Android applications capable of generating certificates of exit during this period of containment are accused of collecting sensitive data and generating advertising revenue without the users’ knowledge.


Attack: Crooks are selling blood and saliva on the darknet that is allegedly contaminated with COVID-19
Method: Scam
Surface/Application: Own Shop, a darknet market
Publication date: April 7th, 2020
Description: These crooks are trying to exploit for their own benefit an avenue for COVID-19 treatment that relies on the use of blood from people who are already contaminated.


Attack: Facebook sues LeadCloak for spreading scams related to COVID-19
Method: Hindering the Advertising Review System
Surface/Application: Facebook
Publication date: April 9th, 2020
Description: Facebook is suing LeadCloak for “violating” its terms of use by running scams related to COVID-19 and other issues. LeadCloak allegedly managed to disseminate this content by hiding the nature of the website linked to the advertisement in question.


Attack: Fake association collects donations to support the fight against the COVID-19 pandemic in Africa
Method: Identity Theft Scam
Surface/Application: Fraudulent e-mails redirecting to an American website selling personalized clothing
Publication date: April 8th, 2020
Description: The crooks, based in Turkey, sent fraudulent e-mails imitating a French association to lure their targets to an American website where the said clothes are sold. These fraudulent pages have since been removed from the online shop.


Attack: Interpol uncovers phishing campaigns and prepayment fraud in connection with COVID-19
Method: Fake mask sale / bank transfer
Surface/Application: Fraudulent website
Publication date: April 14th, 2020
Description: Financial institutions and authorities in Germany, Ireland and the Netherlands, in a case coordinated by Interpol, uncovered a major elaborate fraud network. A fake website claimed to be selling nearly 10 million masks at a time when a shortage was predicted. Once payment was made, the thieves claimed that the funds had not been received and that another transfer was needed to ensure delivery.


Attack: Cybercriminals make promotional offers on hacking tools during the COVID-19 pandemic
Method: Sale of piracy tools
Surface/Application: Darknet
Publication date: April 9th, 2020
Description: Tools for distributing spam and setting up DDoS attacks are being discounted on the darknet during the COVID-19 pandemic. Data stolen by hackers is also sold at prices below its usual value.


Useful ressources

Type of resources: Publication of a joint advisory on COVID-19 cyber threats by the UK National Cyber Security Center (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA)
Target: The general public
Publication date: April 8th, 2020
Description: The British and American security agencies have jointly issued an advisory to warn of cyber threats posed by the coronavirus crisis. The most frequently observed frauds and threats are informed in this notice as well as the means and recommendations to counter/prevent these attacks. Ways to counter these attacks are also discussed.


Type of resources: Publication of a purple notice* to support medical facilities in the fight against cyber attacks
Target: Hospitals and health centers
Publication date: April 4th, 2020
Description: Interpol’s Cyber Crime Threat Response team monitors all cyber threats related to COVID-19 and is committed to assisting member countries’ police to investigate ransomware cases and providing technical support for technical medical facilities.
*Violet notices provide information on modus operandi.


Type of resources: Cybersecurity professional lists on Github the cybersecurity resources and training that became free during the COVID-19 pandemic
Target: Students and cybersecurity professionals
Publication date: Updated on April 15th, 2020
Description: This Coastal Information Security Group employee is continually contributing to this non-exhaustive list of conferences, training courses, workshops, books and podcasts on the topic of cybersecurity. Access to free training courses usually requires the creation of an online account. 


Type of resources: ScanTitan published on Github a list of malicious domain names and IPs exploiting the COVID-19 pandemic
Target: Technology and cyber entities
Publication date: April 11th, 2020
Description: ScanTitan Threat Intelligence is a repository of COVID-19 related cyber threat intelligence feeds including a list of new domain names with the keywords “coronavirus” and more.


Type of resources: A medical search engine on COVID-19 is based on artificial intelligence
Target: Health professionals
Publication date: April 14th, 2020
Description: This artificial intelligence-based platform cross-references what is known from the medical literature with data from the electronic medical records of COVID-19 patients. The goal is to enable healthcare professionals to find quick and accurate answers to key questions about the pandemic.


Other News

Country: France
Subject: French National Assembly has published its recommendations for the implementation of the French digital tracing application StopCovid
Publication date: April 11th, 2020
Description: Although it recommends its download to be on voluntary basis, the National Assembly does not rule out the introduction of coercive measures, so long as the privacy violations are proportionate to the objectives sought and that the use of the application is subject to a time limit.


Country: United Kingdom
Subject: Apple and Google are teaming up with the British government to implement a digital tracking system for people infected with COVID-19
Publication date: April 13th, 2020
Description: Developed by the National Health Service (NHS), this application is expected to be based on Bluetooth technology. A beta version should be tested as early as next week in a region of northern England.


Country: International/Canada
Subject: COVID-NET, a tool based on artificial intelligence that could detect COVID-19 infections from X-rays
Publication date: April 2nd, 2020
Description: Developed by DarwinAI, a Canadian start-up, this artificial intelligence relies on deep learning to analyze chest X-ray images of patients under suspicion of COVID-19. Developed from 5,000 x-rays, this tool would enable healthcare professionals to interpret the results much more quickly.


Country:  Italy
Subject: Surveillance drones patrol the streets of Treviolo to search for people who might be infected by COVID-19
Publication date: April 10th, 2020
Description: In the town of Treviolo, the epicenter of the COVID-19 outbreak in Italy, drones are monitoring the population. These drones are capable of taking the temperature of the inhabitants and communicating with them to provide security measures.


Country:  Germany
Subject: Germany has deployed a COVID-19 pandemic tracking application for connected watches
Publication date: April 8th, 2020
Description: The German Robert-Koch Institute has launched an application to monitor the epidemic on a voluntary basis. “Corona-Datenspende” has been validated by the German public health authority and aims to contain the spread of the virus by retrieving user data such as heart rate and body temperature.


Country: International
Subject: Raspberry Pi Zero microcomputer to equip artificial respirators used to treat COVID-19
Publication date: April 14th, 2020
Description: For only 5 euros, the Raspberry Pi Zero microcomputer will equip artificial respirators to meet the growing demand for health services. The first tests will be carried out in Colombia.

Country: France  
Subject: The French Ministry of the Armed Forces collaborates with the SME BforCure to develop a connected mobile device capable of detecting COVID-19 in less than 30 minutes.
Publication date: April 15th, 2020
Description: BforCure has already received 1.8 million euros from the French Ministry of the Armed Forces to develop a device capable of detecting the virus in a nasal sample in less than 30 minutes using Fastgene technology. A first prototype should be ready in six months and will be used in priority in nursing home and emergency vehicles.


Back to the previous newsletters of CYBERSECURITY WATCH :