COVID-19: CYBERSECURITY WATCH #11 – May 28, 2020

In light of the current health crisis, the CERT of (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent information systems security (ISS) risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week, giving a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.


Focus on the NetSupport Manager Remote Access Trojan (RAT)

Attack: COVID-19 themed phishing campaign spreads the NetSupport Manager RAT
Method: Phishing
Target: Windows users
Publication date: 05/19/2020

A large-scale phishing campaign uses COVID-19 lures to entice victims to open a malicious Excel document. The macros included in the attachment download a Remote Access Tool (RAT), allowing attackers to control the infected hosts.

The e-mail comes from an address that attempts to impersonate Johns Hopkins University, which provides a map and data related to COVID-19. The e-mail contains an Excel 4.0 document with a generic name followed by a 4-digit identifier, “covid_usa_nyt_XXXX.xls”. The identifier is generated dynamically for each message in order to bypass static filters that some mail servers apply to attachment names.

When the Excel document is opened, different contents may appear, always related to COVID-19 data (tables, US map, graphs …). A warning message systematically informs the user that the document intends to execute macros. If the user agrees, the document downloads “NetSupport Manager”, a normally legitimate support tool used to assist users remotely. In this phishing campaign, however, the tool is downloaded and run without the user’s consent and then connects back to a server controlled by the attackers.

Once downloaded, the tool is saved to disk under the name “dwm.exe” in a randomly named folder located in %AppData%. This hides its activity by impersonating the Desktop Window Manager (Windows’ own dwm.exe). An unaware user would therefore not notice its presence when browsing the list of tasks running on the system.

From then on, the attackers have control over the target’s machine. The NetSupport Manager tool is only a first step: it serves as a means to further attack and infect individual hosts. Additional items are downloaded and saved to the victims’ disk through this tool, such as Windows libraries (DLLs), executables, configuration files (INI) and scripts (VBScript and obfuscated PowerShell). The following list shows the items observed when running the malware in a sandbox environment:

  • dwm.exe.bin
  • rt35.exe.bin
  • rt35_1_.exe
  • remcmdstub.exe
  • pcicapi.dll
  • dwm.exe
  • blowfish.dll
  • yujEtky.exe

These different elements establish a connection between the victim and a Command and Control server (C2), allowing the attacker to carry out arbitrary malicious actions on the host. The malware also ensures its persistence by registering the NetSupport tool in the current user’s Run registry key:

reg.Exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v dwm /t REG_SZ /d %APPDATA%\pqok59HY\dwm.exe /f
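As an added example that is not part of this bulletin, the following Python script shows how a defender can check for the two observable artifacts described above: a mail-filter rule that matches the attachment naming scheme regardless of the regenerated 4-digit identifier (the reason an exact-name blocklist fails), and an audit of “reg add” persistence commands like the one just quoted, which flags an executable that borrows the name of a Windows system binary but starts from a user-writable location. The bulletin’s own persistence command is used as input; the other system binary names, the benign sample entry and the attachment file names are constructed for illustration.

```python
import ntpath
import re
import shlex

# --- 1. Mail-gateway rule for the lure attachment name ----------------------
# The bulletin describes attachments named "covid_usa_nyt_XXXX.xls" where the
# 4-digit identifier changes per message, so an exact-name blocklist never
# matches twice. A pattern match is immune to that trick.
LURE_NAME = re.compile(r"^covid_usa_nyt_\d{4}\.xls$", re.IGNORECASE)


def attachment_is_lure(filename: str) -> bool:
    """True if the attachment name follows the campaign's naming scheme."""
    return LURE_NAME.match(filename) is not None


# --- 2. Audit of Run-key persistence commands --------------------------------
# Binaries that legitimately live under %SystemRoot%\System32. dwm.exe is the
# one abused in this campaign; the others are constructed extras showing that
# the check generalises beyond the bulletin's sample.
SYSTEM_BINARY_NAMES = {"dwm.exe", "svchost.exe", "explorer.exe", "csrss.exe"}
SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")
USER_WRITABLE_PREFIXES = ("%appdata%", "%localappdata%", "%temp%", "%userprofile%")
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"


def parse_reg_add(line: str) -> dict:
    """Parse 'reg add <key> /v <name> /t <type> /d <data> /f' into its parts."""
    tokens = shlex.split(line, posix=False)  # non-POSIX mode keeps Windows backslashes
    if len(tokens) < 3 or tokens[0].lower() not in ("reg", "reg.exe") \
            or tokens[1].lower() != "add":
        raise ValueError("not a 'reg add' command: " + line)
    entry = {"key": tokens[2].strip('"'), "name": None, "type": None, "data": None}
    flags = {"/v": "name", "/t": "type", "/d": "data"}
    i = 3
    while i < len(tokens):
        field = flags.get(tokens[i].lower())
        if field and i + 1 < len(tokens):
            raw = tokens[i + 1]
            # keep the quotes on /d so a path containing spaces can be recovered
            entry[field] = raw if field == "data" else raw.strip('"')
            i += 2
        else:
            i += 1
    return entry


def _executable_of(command: str) -> str:
    """Return the program path from a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def audit_run_command(command: str) -> list:
    """Findings for one Run-key value, as (severity, message) tuples."""
    exe = _executable_of(command)
    exe_l = exe.lower()
    base = ntpath.basename(exe_l)
    findings = []
    if base in SYSTEM_BINARY_NAMES and not exe_l.startswith(SYSTEM_DIRS):
        findings.append(("high", f"{base} started from outside System32 (masquerading): {exe}"))
    if exe_l.startswith(USER_WRITABLE_PREFIXES) or "\\appdata\\" in exe_l:
        findings.append(("info", f"autorun from a user-writable location: {exe}"))
    return findings


def audit_reg_add(line: str) -> list:
    """Audit a 'reg add' command; writes outside the Run key yield no findings."""
    entry = parse_reg_add(line)
    if not entry["key"].lower().endswith(RUN_KEY_SUFFIX):
        return []
    return audit_run_command(entry["data"] or "")


if __name__ == "__main__":
    # The persistence command quoted in the bulletin, plus a constructed benign entry.
    samples = [
        r"reg.Exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v dwm /t REG_SZ /d %APPDATA%\pqok59HY\dwm.exe /f",
        r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Sync /t REG_SZ /d "C:\Program Files\ExampleSync\sync.exe /tray" /f',
    ]
    for cmd in samples:
        for severity, msg in audit_reg_add(cmd):
            print(f"[{severity}] {msg}")
    for name in ("covid_usa_nyt_8322.xls", "covid_usa_nyt_8322.xlsx"):
        print(name, "->", "lure" if attachment_is_lure(name) else "ok")
```

The “high” finding is the one worth alerting on: a process named like a system binary that does not start from System32. The “info” finding on its own is weaker, since many legitimate applications register autoruns under %AppData%, so it is best used as context alongside the first.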

The only effective protection against this type of attack is to raise users’ awareness of the dangers of malicious e-mails. They ought to be informed that attachments should always be considered suspicious, especially when they come from unknown or untrusted sources.



Attack: The Indian Central Bureau of Investigation (CBI) warns about the Cerberus banking Trojan distributed via a phishing campaign using COVID-19 lures
Method: Fraudulent text messages
Target: Banking data of the Indian population
Publication date: 05/19/2020
Description: Distributed through fraudulent text messages containing a malicious link, the Cerberus banking Trojan steals financial data, including credit card numbers. In addition, this malware uses overlay techniques to trick the user into providing further sensitive data and to capture two-factor authentication codes.


Attack: A COVID-19 themed phishing campaign targets banking institutions to spread a remote access Trojan
Method: Spear-phishing
Target: Indian cooperative banks
Publication date: 05/12/2020
Description: Opening the compromised files attached to fraudulent e-mails installs the JRat remote access Trojan, which can run on any OS. The malware modifies a registry key and drops a JAR file in the %appdata% location. Hardly detectable by antivirus software, it enables various malicious activities such as logging keystrokes, downloading additional payloads and obtaining sensitive information about the victims.


Attack: Cybercriminals spread malware through a fraudulent Android application called “Covid”
Method: Infostealer malware
Target: Smartphone data
Publication date: 05/20/2020
Description: When the user runs the application, the malware sends device data such as the SIM card serial number, contacts, text messages and IP addresses to a Command and Control server (C2). However, this malware requires the infected device to be rebooted before becoming fully operational.



Attack: Cybercriminals impersonate LogMeIn online collaboration tool to extract user account credentials
Method: Phishing
Surface/Application: Fraudulent website
Publication date: 05/19/2020
Description: These fraudulent e-mails inform the recipient of a patch for a “zero day” vulnerability in one of LogMeIn’s products. The user is then prompted to download the update by following the given link, which redirects to a fake login page resembling the official one. Cybercriminals can thus steal the victims’ LogMeIn credentials and potentially gain access to their LastPass password manager.


Attack: A COVID-19 themed phishing campaign uses Google’s Firebase storage to collect personal data
Method: Phishing
Surface/Application: Fraudulent website
Publication date: 05/21/2020
Description: Cybercriminals are mimicking service providers to encourage their customers to click on a fake payment form hosted on Firebase Storage. This allows them to obtain their victims’ corporate credentials and conduct further attacks. Trustwave lists the indicators of compromise for these phishing campaigns.


Useful resources

Type of resources: International Data Processing Agreements (DPA) guidance on
Target: Public and private entities
Publication date: Updated on 05/13/2020
Description: The International Association of Privacy Professionals (IAPP) has listed official guidelines in about 50 countries. Those documents provide information to public and private entities about the collection of personal data, especially health data.


Type of resources: France Télévisions and launch an awareness-raising campaign about digital risks in the context of the health crisis
Target: All audiences
Publication date: 05/15/2020
Description: This campaign is composed of thematic videos and infographics broadcast on both institutions’ social networks. Broadcast since May 18 on France Télévisions group channels, these videos deal with password management, digital device updates, backups and phishing. 


Other News

Country: France
Subject: The French Data Protection Authority (CNIL) releases its recommendation on the implementation of the StopCovid digital tracking application
Publication date: 05/26/2020
Description: The Commission recommends that users be more rigorously informed about the application’s conditions of use and data storage modalities, especially for minors and their parents. It also stresses that the effectiveness of the application in containing the COVID-19 pandemic will have to be assessed after its deployment and that its source code should be fully disclosed to the public.


Country: United States and Canada
Subject: Fitbit launches a study to develop an algorithm capable of detecting COVID-19 early symptoms
Publication date: 05/21/2020
Description: The wearable device manufacturer collects on a voluntary basis the physiological data of its users contaminated or suspected of being infected by the virus. The goal is to develop a model that can identify potential cases of COVID-19 at an early stage in order to isolate and treat them before the appearance of more severe symptoms.


Country: Israel
Subject: Israel limits COVID-19 smartphone tracking to “special cases”
Publication date: 05/24/2020
Description: The emergency regulations allowing the Israeli internal security service (Shin Bet) to track people’s cellphones during the COVID-19 crisis were amended by Parliament. Surveillance will now be restricted to specific cases in which the epidemiological investigation is not sufficient.


Country: International
Subject: Google and Apple Exposure Notification API now available to public health agencies
Publication date: 05/20/2020
Description: Based on Bluetooth technology, this API can be integrated into existing digital tracking applications for countries wishing to adopt it. It allows users who have been in contact with proven cases of COVID-19 to be informed and should ensure the confidentiality of their data, which is stored on the device rather than on a centralized server. Without this API, digital tracking applications cannot use Bluetooth in the background, especially on iOS.


Country: Estonia
Subject: Estonia is testing a digital immunity passport 
Publication date: 05/23/2020
Description: With one of the world’s first digital immunity passports, Estonia is running its first pilot tests in the workplace, allowing people to share their immunity status with a third party. Requiring digital authentication, this passport generates a temporary QR code from the data collected. Regarding the nuances of immunity, few details have been provided by Back to Work, the company in charge of the project.

