COVID-19 Threat Update – now includes Blood for Sale

By and on Apr 07, 2020

Although the use of global events as a vehicle to drive digital crime is hardly surprising, the current outbreak of COVID-19 has revealed a multitude of vectors, including one in particular that is somewhat out of the ordinary. In a sea of offers for face masks, a recent posting on a dark web forum reveals the sale of blood from an individual claiming to have recovered from Coronavirus.

What are we doing?

Putting our customers at the core is what McAfee does. Daily updates are provided to products across the McAfee portfolio, with vetted information to secure your valuable assets in company or working from home.

The volume of threats related to COVID-19 has been significant, with lures used in all manner of attacks. Tracking these campaigns reveals the most targeted sector is healthcare, followed by finance, and then education.

Mobile Threats

In March 2020 alone, McAfee Labs identified several malicious Android applications abusing keywords connected to the pandemic. The apps range from ransomware samples to spy-agents that spy on the victim’s device. For example, statically analyzing an app called “Corona Safety Mask,” we observe that the amount of permissions is suspicious:

  • Full Internet access that allows the app to create network sockets
  • Read contact data from the victim’s device
  • Send SMS messages

When the user downloads the app, it can order a facemask from the following site: coronasafetymask.tk. The SMS send permission is abused to send the scam to the victim’s contact list.

Although attribution will clearly be a key concern it is not the primary focus of our research, however there appears to be APT groups incorporating  the COVID-19 theme into their campaigns. For example, spreading documents that talk about the pandemic and are weaponized with malicious macro-code to download malware to the victim’s system.

Underground Marketplaces and scams

We have seen many examples of major events being abused by people whose interest is only financial gain and current global events are no exception. We conducted a short survey on some underground markets and Telegram channels offering protective masks and more. Two examples are shown below:

Onion-site offering masks
Telegram channel with multiple sellers of masks

The use of COVID-19 as a lure does not appear to show any sign of slowing down, indeed there are more campaigns being regularly identified using the global concern for selfish gain. Our focus will be to ensure detection remains up to date, and data points relevant for investigation are shared with authorities.

In the meantime, we will continue to disseminate relevant threat information. To be kept up-to-date as we publish more content,  stay connected to the McAfee Labs Twitter feed.

Finally, while COVID-19 related threats are on the rise, from phishing emails name-dropping the disease to malware named after popular video conferencing services, cybercrime in all aspects continues, and we must remain vigilant to other, traditional threats as well. For example, tips to secure the newly massive mobile workforce can be found here.

Please stay safe.

About the Author

Christiaan Beek

Christiaan Beek, lead scientist & sr. principal engineer is part of Mcafee’s Office of the CTO leading strategic threat intelligence research within Mcafee. He coordinates and leads passionately the research in advanced attacks, plays a key-role in cyberattack take-down operations and participates in the NoMoreRansom project. In previous roles, Beek was Director of Threat Intelligence ...

Read more posts from Christiaan Beek

Raj Samani

Raj Samani is Chief Scientist and McAfee Fellow for cybersecurity firm McAfee. He has assisted multiple law enforcement agencies in cybercrime cases, and is a special advisor to the European Cybercrime Centre in The Hague. Samani has been recognized for his contribution to the computer security industry through numerous awards, including the Infosecurity Europe hall ...

Read more posts from Raj Samani

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to McAfee Securing Tomorrow Blogs