COVID-19: CYBERSECURITY WATCH #17 – August 13, 2020

In light of the current health crisis, the CERT of (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week. A detailed description and modus operandi of the attack will be made.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • Fraud” includes scams and fake news;
  • Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • Other News” combines a variety of information such as government measures taken in the area of cybersecurity.


Focus on the Netwalker ransomware

Attack: FBI warns of a phishing campaign exploiting COVID-19 to distribute Netwalker ransomware
Method: Phishing campaign
Target: Public and private entities
Publication date: 07/28/2020


The Netwalker ransomware made its first appearance in August 2019. Since then, more robust and sophisticated versions have appeared between late 2019 and early 2020. However, campaigns related to this malware seem to only attack targets in Western Europe or the United States.

Ransomware As A Service (RaaS) is a booming market, especially since the beginning of the COVID-19 pandemic. From March 2020, Netwalker was distributed by phishing campaigns exploiting COVID-19 lures. In the same period, its developers also reviewed their sales and maintenance system in order to ensure a more efficient monitoring.

This malware has been used by several phishing campaigns in June 2020 on U.S. infrastructure and others countries, targeting all types of businesses. The Netwalker developers have nevertheless stated they do not want to attack health organizations.

Modus operandi

A campaign using Netwalker as the main load is broken down into several steps. First of all, the attackers enter the information systems by several means:

  • Critical vulnerabilities exploitation (Telerik UI – CVE-2019-18935, Pulse VPN – CVE-2019-11510);
  • Accounts Intrusion (Remote Desktop bruteforce, purchase, etc.);
  • Spear-phishing.

The most common way is the exploitation of exposed services (see CVE above), or Remote Desktop bruteforce. However, some recent campaigns rely on spear-phishing by sending a malicious VB Script document as an attachment.

As a resource of this VB Script, a file named “1337” or “31337”, encrypted in RC4, is called and decrypted. This file contains the configuration of the malware. In this configuration, it is possible to find the following elements:

  • The public key;
  • The encryption mode;
  • The Tor URL to decrypt the data;
  • The tasks, services, processes to complete;
  • The ransomware notes.

It is possible to extract the malware configuration from memory. In addition, the encryption key is hard-coded in the ransomware.

At runtime, the first load will execute Powershell to do a Reflective DLL injection. This technique bypasses current antivirus software. Then Netwalker will create an entry in the “RunOnce” key of the Windows registry to run at each Windows login, remove the “Shadow Copy” of the server (these copies can restore subsequent data) and finally encrypt and delete files from the infected computer.

Netwalker can also spread in the internal network of the target. For this, this malware uses common methods: PsExec or TeamViewer/AnyDesk. PsExec is a program developed and maintained by Microsoft to do remote server administration. Netwalker uses it to connect to other machines in the computer park and encrypt more and more machines.

As for Teamviewer and AnyDesk, these programs are normally used for remote maintenance. In the case of Netwalker, this allows a remote attacker to perform manual actions on systems.

When a machine is infected, a note appears on the screen with a web portal on a Tor relay belonging to the Netwalker developers. On this portal, it is possible to follow the payment process and download the program to decrypt the files.



Attack: U.S. manufacturer of ventilators used to treat COVID-19 targeted by DoppelPaymer ransomware
Method: Ransomware
Target: Boyce Technologies
Publication date: 08/07/2020
Description: Cybercriminals published on their blog samples of commercial data they stole from the company and threatened to release more if the ransom is not paid. Boyce Technologies has not made any statements regarding the attack and its impact on its activities. DoppelPaymer operators had already targeted medical establishments, such as the pharmaceutical company Amphastar Pharmaceuticals Inc in July 2020.  
Link(s) :



Attack: The Russian Secret Service (GRU) accused of conducting a misinformation campaign on the COVID-19 pandemic
Method: Misinformation
Surface/Application: Website and social media
Publication date: 07/28/2020
Description: Declassified U.S. intelligence documents claim that the GRU is conducting a misinformation campaign in English on the health crisis. Russia would rely on several Internet websites such as OneWorld.Press, linked to the Russian secret service, or InfoRos, the Russian government’s information center. This disinformation campaign mainly relies in particular on conspiracy theories claiming, for example, that the virus would have been created by the United States.


Attack: Phishing campaigns exploiting COVID-19 imitate Bouygues Telecom and SFR to steal customer account identifiers and victims’ personal data
Method: Phishing
Surface/Application: SMS
Publication date: 08/10/2020
Description: In these two campaigns, cybercriminals claim to be offering a refund to SFR and Bouygues customers because of the COVID-19 pandemic to redirect them to a fraudulent website designed to steal their personal data and credentials. Once these data are acquired, they may be resold or exploited to launch new, targeted phishing campaigns or to usurp the victims’ identities.


Attack: New phishing campaign mimics U.S. Small Business Administration (SBA) to steal personal and banking data
Method: Phishing
Surface/Application: E-mails
Publication date: 08/10/2020
Description: The fraudulent e-mails claim that their recipients are eligible for the SBA’s pandemic relief funding in order to redirect them to a website designed to steal their login credentials. A variant of this campaign asks victims to fill out an imitation of an official form attached to the e-mail using their personal and bank details.


Useful ressources

Type of resources: U.S. Department of the Treasury publishes a guide to help financial institutions prevent cybercrime exploiting COVID-19
Target: Financial Institutions
Publication date: 07/30/2020
Description: This guide describes different types of computer frauds observed since the beginning of the pandemic: identity theft, phishing, ransomware, Business E-mail Compromise (BEC), etc. It also provides indicators to identify and prevent them, as well as information on how to report these suspicious activities to the competent authorities.


Type of resources: Rand Corporation releases a study assessing the confidentiality of data processed by digital tracking applications
Target: U.S. Institutions/General public
Publication date: 07/30/2020
Description: This study presents an assessment of the impact of digital tracking applications on personal data and privacy protection. To this end, an evaluation system has been developed to compare 40 digital tracking applications from 20 different countries and assign them a score according to numerous criteria (transparency, anonymity, data retention period, etc.).


Type of resources: Interpol has released a report on the impact of COVID-19 on cybercrime
Target: Public and private entities/General public
Publication date: 08/04/2020
Description: Based on data from Interpol member countries and its private partners, this report presents the main types of threats exploiting COVID-19 (phishing, disinformation, ransomware, DDoS, etc.) and analyses their evolution between January and May 2020 according to geographical areas. In addition, Interpol warns that cybercrime related to COVID-19 is likely to increase due to the economic impacts of the pandemic and the potential commercialization of a vaccine. 


Type of resources: Twelve dashboards to monitor the evolution of the COVID-19 pandemic
Target: General public
Publication date: 08/07/2020
Description: In the form of graphs or interactive maps, these dashboards use various tools to visualize the evolution of the pandemic throughout the world. One example is the interactive world maps from John Hopkins University and the World Health Organization (WHO), which provide information on the evolution of the number of COVID-19 cases in different countries. 


Type of resources: WhatsApp introduces a fact-checking functionality to counter misinformation related to COVID-19
Target: General public
Publication date: 08/03/2020
Description: This new functionality consists of a magnifying glass icon that users can click on to get more information about the messages transferred to them. It is designed to combat misinformation related to COVID-19 propagated by press articles or by messages transferred many times. This feature is currently available in only seven countries (United States, Brazil, Spain, Ireland, Italy, Mexico and the United Kingdom).


Other News

Country: European Union
Subject: The European Commission chooses SAP and Deutsche Telekom to create a platform enabling the interoperability of European digital tracing applications
Publication date: 07/31/2020
Description: The purpose of this platform is to enable the cross-border exchange of notifications of exposure to COVID-19. However, French and Hungarian digital tracking applications may be incompatible with this future gateway because user data are stored on centralized servers, unlike applications based on the Google and Apple API adopted by a majority of European countries.


Country: South Africa
Subject: Launch of a SMS and WhatsApp chatbot to enhance contact tracing of proven COVID-19 cases
Publication date: 07/17/2020
Description: COVIDConnect aims to inform citizens about the evolution of the pandemic, to provide them with test results but also to alert them if they have met a proven case of COVID-19. A user who tests positive will have to identify his contacts via this platform so they receive an alert. As South Africa has not developed a digital tracking application, this new digital solution reinforces a manual contact tracking system. 


Back to the previous newsletter of CYBERSECURITY WATCH !