Infostealers were the most common type of malware in attachments sent in Covid-themed emails in the first half of the year.
According to Finnish cybersecurity company F-Secure, 33% of malware sent between January and June were infostealers, which are designed to steal sensitive and confidential information, such as passwords.
This can be done by logging keystrokes, taking screenshots and observing network activity. Sometimes an infostealer is combined with ransomware so that the criminal can keep a copy of the data even after the victim has paid for it to be decrypted.
F-Secure said that 38% of the infostealer coronavirus attachments it tracked contained LokiBot, a password and information-stealing malware that first emerged in 2015.
Another 37% of infostealers were Formbook malware, which has been advertised for sale on hacking forums since 2016 and logs internet activity.
These were delivered via Covid-themed emails with subject headings such as “Government Response to Coronavirus Covid-19”.
Infostealers: Capitalising on Covid fears
Cybercriminals are known to capitalise on the latest trends and the use of coronavirus-themed attacks has been well documented.
According to F-Secure’s ‘Attack Landscape H1 2020 report’, malicious emails often used localised news hooks to lure victims. In January, for example, F-Secure observed an Emotet campaign in Japan that promptly followed the country’s first confirmed case. The email purported to be from a Japanese health authority giving coronavirus information.
Emails were not just aimed at spreading malware. Those without attachments tended to be scams, selling dubious products such as fake vaccines. These scams reached their peak between March and April, and were on a downward trajectory until June, the end of the period covered by the report.
Email remained the frontrunner for distributing malware, accounting for 51% of attack methods. Manual installs and second-stage payloads were the second most common distribution method, at 35%.
Covid-19 is not the only theme employed by criminal hackers. In June, F-Secure observed a “short stint” of malicious emails taking advantage of interest in the Black Lives Matter movement. The emails sought to infect victims with Trickbot malware, a trojan designed to access online bank accounts.
Coronavirus-related phishing emails were rife during the first half of the year, with finance the most targeted sector during the period and Facebook the most impersonated company.
“Cybercriminals don’t have many operational constraints, so they can quickly respond to breaking events and incorporate them into their campaigns,” said Calvin Gan, a manager with F-Secure’s Tactical Defense Unit. “The earliest days of the Covid-19 outbreak left a lot of people confused or worried, and attackers predictably tried to prey on their anxieties.
“Spotting malicious emails isn’t typically a priority for busy employees, which is why attackers frequently attempt to trick them into compromising organisations.”