COVID-19: CYBERSECURITY WATCH #12 – June 5, 2020

In light of the current health crisis, the CERT of (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week. A detailed description and modus operandi of the attack will be made.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • Fraud” includes scams and fake news;
  • Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • Other News combines a variety of information such as government measures taken in the area of cybersecurity.


Focus on the Trickbot banking Trojan

Attack: New update of the Trickbot Trojan propagated via phishing campaigns
Method: Data theft
Target: Companies and individuals
Publication date: 05/28/2020

Palo Alto Networks researchers presented in detail the latest update of Trickbot, deployed in April, which implements a better method to evade detection during domain controller infections.

Discovered for the first time in 2016, Trickbot is a banking Trojan that attacks domain controllers with a furtive approach to minimize its detection. Trickbot provide a backdoor access to uploads others malware and steal information. The main executable will load other modules for each propagation path it uses:

  • The mshare and tab modules:
    • An infected Windows client retrieves a new TrickBot using an HTTP URL.
    • The infected Windows client sends this new TrickBot over SMB traffic to the vulnerable Domain Controller.
  • The mworm module:
    • The infected Windows client uses an SMB exploit targeting the vulnerable Domain Controller.
    • The vulnerable Domain Controller retrieves a new TrickBot using an HTTP URL and self-infects.

The differences brought by the evolution of the malware concern the module “mworm” which is no longer used and replaced by a new module called “nworm” which performs the following actions:It retrieves an encrypted, or otherwise encoded binary, over network traffic that represents a TrickBot executable file:

  • It retrieves an encrypted or encoded binary from network traffic that represents a TrickBot executable file.
  • The infection is now in Random Access Memory so there is no trace on the file system and the malware is not persistent after a reboot.
  • This is a much better method of evading detection on an infected Domain Controller.

The following Indicators of Compromise (IOC) indicators can be found on the network traffic:

A phishing campaign uses COVID-19 to spread Trickbot with an infected Microsoft WORD file.

The phishing e-mails from this campaign contain as attachments a Word document purporting to be a list of precautions to take regarding COVID-19. The file actually contains a VBA script with an injector uploading a variant of the Trickbot malware. If the victim enables the VBA script, a jse script is executed. This script contains Trickbot code and its modules.

Some Indicators of Compromise are available in the Sophos report.



Attack: A phishing campaign mimics the Italian digital tracing app “Immuni” to spread the [F]UNICORN ransomware
Method: Phishing
Target: General public in Italy
Publication date: 05/25/2020
Description: According to the CERT-AgID, a ransom demand of 300 euros is sent to the victim in exchange for the decryption key as soon as the fake app is running. However, cybercriminals seem to be inexperienced. Since the attackers’ contact e-mail is invalid, the victims cannot obtain their decryption key. They can nevertheless retrieve it in clear text by inspecting the network traffic logs. Furthermore, the malware code turns out to be a simple copy and paste of other ransomware.


Attack: Cybercriminals copy the Indian digital tracing app “Aarogya Setu” to distribute spyware
Method: Malicious application
Target: General public in India
Publication date: 05/20/2020
Description: Researchers at SonicWall Labs point out the fake app is superimposed on the original in the resource file. A technique used to make the user believe he has installed “Aarogya Setu”, with the logo and name identical to the original. If deleted, the malicious app remains on the device. Once installed, this spyware can make phone calls, record sound, send text messages and record videos from the camera.



Attack: Cybercriminals impersonate World Health Organization (WHO) to steal personal data
Method: Phishing
Surface/Application: Fraudulent websites
Publication date: 05/28/2020
Description: According to the Google’s Threat Analysis Group (TAG) team, many Gmail accounts mimicking the WHO have been created mimicking. Cybercriminals have sent e-mails urging victims to sign up for WHO notifications informing about COVID-19 related announcements and to log on fake websites similar to the official one. These websites encourage potential victims to fill in their Google account credentials and, in some cases, to provide more personal information.


Attack: A COVID-19 themed phishing campaign targets the UK TV Licensing to steal personal data
Method: Phishing
Surface/Application: Fraudulent websites
Publication date: 05/27/2020
Description: The UK’s National Fraud and Cyber Crime Incident Reporting Centre “Action Fraud” has recorded 260 reports related to a television license scam. False e-mails titled “Personalised Offer COVID19” claiming to be from the TV Licensing group pretend that the recipient’s direct debit has failed and he must pay to avoid prosecution. These messages contain links to fraudulent websites designed to steal personal and financial data.


Attack: Fake news claims that StopCovid is self-installing on smartphones
Method: Misinformation
Surface/Application: Social networks
Publication date: 06/01/2020
Description: Several websites claim that the government installed the StopCovid application on Android and iOS devices without user consent and prior to its official release. Actually, it refers to new privacy settings relating to the update coming with the deployment of the Google and Apple Exposure Notification API that allows Bluetooth to run in the background. The French government has refused to use this API and developed an alternative solution.


Useful ressources

Type of resources: Malware Bazaar database allows to identify malware related to COVID-19
Target: Technophiles/Companies
Publication date: Continually updating
Description: By using tags such as “COVID-19”, this platform provides information about malwares distributed in associated phishing campaigns. It also provides data sheets and a graph displaying daily malware monitoring.


Type of resources: UN launches the “Verified” initiative to combat misinformation related to COVID-19
Target: General public
Publication date: 05/21/2020
Description: “Verified” is intended to provide accurate information on the COVID-19 crisis. Focused on three main topics, science, solidarity and solutions, this initiative also aims to promote the sharing of reliable content whose veracity will be verified by the UN Department of Global Communications. The actors involved in the “Verified” initiative will also work in partnership with social media.


Other News

Country: France
Subject: StopCovid contact tracking application available on Apple Store and Google Play
Publication date: 06/02/2020
Description: Based on Bluetooth, this application allows you to be notified after being in contact with people tested positive for COVID-19. It does not collect any personal or location data. Each user has a unique identifier stored in encrypted form on a central server. The government also makes a communication kit on the application available to public and private entities.


Country: France
Subject: The StopCovid project team launches a bug bounty to detect flaws in the application.
Publication date: 05/26/2020
Description: In partnership with the YesWeHack platform, the StopCovid bug bounty program was initially opened to about 20 European hackers who had several days to test the application. Then, the program was opened to more than 15,000 hackers registered on the platform. YesWeHack will be in charge of reporting the discovered vulnerabilities to the StopCovid project team. The latter will work on their correction. As a reminder, the ANSSI had already conducted several security audits on the application.


Country: International
Subject: 22 countries adopt the API developed by Google and Apple to stem the COVID-19 pandemic
Publication date: 05/27/2020
Description: Most European countries have started to adopt this API, such as Italy and Switzerland, with the respective launch of “Immuni” and “SwissCovid”. These applications were designed to track and notify users who have been in contact with a person who has tested positive for COVID-19. France and the United Kingdom rather preferred to develop their own applications.


Country: Qatar
Subject: Doha-Hamad Airport acquires new technologies to deal with COVID-19
Publication date: 05/19/2020
Description: To ensure the safety of passengers and employees, Doha-Hamad airport, among other things, will equip its staff with thermal screening helmets able to remotely measure body temperature and set up autonomous disinfectant robots to clean busiest areas.


Country: Japan
Subject: Tokyo University Hospital experiments with Augmented Reality (AR) as a solution for learning new medical techniques in the context of the COVID-19 outbreak
Publication date: 06/01/2020
Description: To improve medical safety, Tokyo Women’s Medical University hosts a next-generation treatment room: the Smart Cyber Operation Theater (SCOT). It features a camera capable of recording and transmitting 8K resolution videos has been installed to film operations. The university intends to share these recorded streams at future conferences and in medical education courses.


Back to the previous newsletters of CYBERSECURITY WATCH :