
Threat Advisory: Threat groups exploit COVID-19 themes to deliver malware

COVID-19 (Coronavirus) social engineering themes may prove effective regardless of industry sector - particularly when coupled with convincing phishing lures that exploit public panic around this global pandemic.

Summary Analysis 

  • Since the outbreak of COVID-19 in late 2019, Deloitte CTI has observed and reported on extensive cyber activity by cybercriminals capitalizing on public panic to deliver a wide range of malware variants.
  • Deloitte assesses with high confidence that the use of weaponized documents to distribute malware reflects a simplistic but nonetheless effective approach for threat actors of all types. This is especially true during significant global events with considerable economic and health impacts. When this tactic is tied to a convincing social engineering theme relevant to the recipient, the likelihood that a user will open the malicious attachment grows significantly.
  • Supported by the lures displayed further in this advisory, Deloitte assesses with high confidence that COVID-19 themed lures will continue to be updated regularly by threat actors of all types as new information becomes available from legitimate health sources.
  • A characteristic of the campaigns detailed herein is their reliance on a combination of document weaponization techniques to entice users to execute malware with data collection capabilities.

Recommendations

Deloitte recommends the following:
  • Avoid clicking on attachments or links embedded in email messages whose subject lines purport to contain information related to COVID-19 or Coronavirus.
  • Be aware that spam messages may also look legitimate or purport to be from official sources, and may use subject-line themes associated with COVID-19 or Coronavirus.
  • Educate users on current threats, the dangers of opening attachments or clicking links from untrusted sources, and the basic actions needed to prevent infection.
  • Encourage recipients of suspicious emails to verify the ostensible sender through an alternate, secure communication channel rather than using the contact information provided in the message.
  • Enable and configure Windows Audit Policy and logging, and set the registry to enable process command-line logging.
  • Disallow auto-saving to the user's Downloads folder, and disallow executing an application or opening a data file from that location.
  • Use Group Policy to block users from enabling macros in any Microsoft Office application.
  • Deploy intrusion detection security controls on the network to detect malicious activity during post-exploitation.
  • Use firewalls and intrusion detection/prevention systems (IDS/IPS) to detect and block network communications with malware Command and Control (C2) nodes.
  • Consider alerting on COVID-19 related domains hosted on commonly abused hosts and on unusual TLDs (e.g. .tk, .pw, etc.).
  • Maintain sufficient logging of host and user activity that can be analyzed for suspicious threat actor activity or attempts to compromise hosts and/or user accounts.
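The following is an added worked example of the alerting recommendation above (COVID-19 themed domains on commonly abused hosts or unusual TLDs); it is not code from the Deloitte advisory. It assumes a simple constructed DNS/proxy log format of "timestamp client-ip queried-fqdn", a keyword list, and a TLD list that extends the advisory's .tk/.pw examples with a few other TLDs frequently seen in free or low-cost registrations; all three lists are assumptions to be tuned for your environment.

```python
"""Flag log entries whose queried domain combines a COVID-19 lure keyword with an
unusual TLD, or hides the keyword in a subdomain of an unrelated registered domain.

Added example, not part of the Deloitte advisory. Log format, keyword list and TLD
list are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Keywords typically used in pandemic-themed lure domains (assumed list).
LURE_KEYWORDS = ("covid", "corona", "pandemic", "ncov")

# TLDs named in the advisory (.tk, .pw) plus other commonly abused ones (assumed).
UNUSUAL_TLDS = {"tk", "pw", "ml", "ga", "cf", "gq", "top", "xyz"}

# Constructed log line layout: "<timestamp> <client-ip> <queried-fqdn>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<fqdn>\S+)$")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    client: str
    fqdn: str
    reason: str


def registered_domain(fqdn: str) -> Tuple[str, str]:
    """Return (second-level label, tld); naive split, no public-suffix list."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return (labels[0], "")
    return (labels[-2], labels[-1])


def classify(fqdn: str) -> Optional[str]:
    """Return a reason string if the domain matches the alerting rule, else None."""
    sld, tld = registered_domain(fqdn)
    host = fqdn.lower()
    if not any(k in host for k in LURE_KEYWORDS):
        return None  # not pandemic-themed at all
    if tld in UNUSUAL_TLDS:
        return f"covid-themed domain on unusual TLD .{tld}"
    # Keyword only appears in a subdomain: typical of free-hosting / abused hosts.
    if not any(k in sld for k in LURE_KEYWORDS):
        return "covid-themed subdomain of unrelated registered domain"
    return None  # themed name on an ordinary TLD: lower signal, not alerted here


def scan(lines: Iterable[str]) -> List[Alert]:
    """Parse log lines and return Alerts; lines that do not parse are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = classify(m["fqdn"])
        if reason:
            alerts.append(Alert(m["ts"], m["client"], m["fqdn"], reason))
    return alerts


# Constructed sample log; the .example names are placeholders, not real hosts.
SAMPLE_LOG = """\
2020-03-16T09:12:01Z 10.0.4.21 www.who.int
2020-03-16T09:12:07Z 10.0.4.21 covid19-update.tk
2020-03-16T09:13:44Z 10.0.7.3 coronavirus-map.example-host.pw
2020-03-16T09:14:02Z 10.0.7.3 corona.files.sharing-site.example
2020-03-16T09:15:30Z 10.0.2.9 intranet.corp.example
garbage line that does not parse
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.timestamp} {a.client} {a.fqdn}: {a.reason}")
```

Run against the constructed sample, the scan raises three alerts (the .tk and .pw domains and the themed subdomain of an unrelated host) and ignores the legitimate WHO and intranet entries. A production version would replace the naive `registered_domain` split with a public-suffix list and feed the alerts into the SIEM alongside the process command-line logging recommended above.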


Related article:

Threat Advisory: Cybercriminal activity exploiting COVID-19 themes
