Fake ‘Corona Antivirus’ App Won’t Protect You Against COVID-19

Researchers recently spotted a scam in which digital attackers claimed that users could protect themselves against COVID-19 by installing anti-virus software.

This Scam Provides a Protection Rate of 0%

Malwarebytes observed this latest scam, centered around a website with the domain name “antivirus-covid19[.]site.”, advertised “Corona Antivirus -World’s best protection” as a means of defending against COVID-19.

The website promised to protect users against the coronavirus. As quoted by Malwarebytes in its research:

"Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running."

It goes without saying that this “Corona Antivirus” program did not deliver on what its website promised. Instead, the application enslaved the user’s machine and primed it to receive commands from the domain instaboom-hello[.]site, a control panel for BlackNet botnet.

Via this control panel, digital attackers could use the malware to perform all kinds of malicious activity on an infected device including to take screenshots, launch keylogger functionality, execute scripts as well as steal Firefox cookies, saved passwords and Bitcoin wallet credentials. They could also leverage the device to conduct distributed denial-of-service (DDoS) against targets of their choosing.

Other Coronavirus-Themed Scams that Recently Made Headlines

The campaign described above is just the latest scam to capitalize on the attention surrounding the global coronavirus pandemic. Email attackers in particular have kept themselves busy trying to prey off of people’s fears. According to SecurityBrief Asia, a new report found that 9,116 spear phishing emails detected in March used COVID-19 as their theme. That’s an increase of 667% over February’s 1,188 coronavirus-themed emails. January saw even fewer email attacks exploiting the disease at just 137. Overall, the majority (54%) of those campaigns were scams, followed by brand impersonation attacks (34%), blackmail attempts (11%) and business email compromise campaigns (1%).

Acknowledging the findings discussed above, it’s important to stay aware of the types of coronavirus-themed attacks that you might see in the wild. We already shared some that you might encounter. Let’s look at a few attack campaigns that have made headlines since then.

Fake Offers of Free Netflix Passes

In mid-March, Bitdefender disclosed that some users had received Netflix-themed spam messages via WhatsApp and social media. These notices informed them that the video-streaming platform had decided to give away free subscriptions due to the ongoing coronavirus outbreak. They then instructed users to click on the link https://netflix-usa[.]net/?free-isolation-period.

Given that Netflix’s actual domain is netflix.com, it’s no wonder the domain cited above sent recipients somewhere phishy. Sure enough, the site used Netflix branding to convince users that they had landed on the streaming platform’s legitimate website. The scam prompted them to answer a few questions about how they were handling the COVID-19 outbreak. At that point, the ruse informed them that they had won and that they would need to forward the “free pass” notification to 10 of their friends before they could claim their prize.

Only there wasn’t any reward, unless you count handing over your personal information to scammers and roping 10 of your friends into the ploy.

Threats Against People Who Allegedly Break Quarantine

B-Town Blog reported on a vishing campaign targeting the residents of Burien, a suburban city located in King County, Washington. For this ruse, fraudsters contacted Burien’s citizens and informed them that the police had a warrant for their arrest because they had allegedly violated a quarantine order stemming from a confirmed COVID-19 case. Those responsible for this scam then told their victims that they had a way to avoid being arrested. All they had to do was to pay their fines over the phone, the malicious actors informed them.

Of course, there were no outstanding fines or arrest warrants. Nefarious individuals simply used both of these threats to steal their victims’ banking information. They could have monetized those details on an underground marketplace. Alternatively, they could have kept them and then abused them to commit credit card fraud.

Tesla Infostealer Delivered by Spoofed WHO Advice

On March 19, researchers at IBM X-Force detected an attack campaign that sent multiple waves of emails that at first glance appeared to originate from the World Health Organization (WHO). Some of the emails even seemed to originate from Dr Tedros Adhanom Ghebreyesus, Director-General of WHO. In any event, the attack emails instructed recipients to open an attachment, claiming that they could use the document to learn more about drugs designed to help them prevent or treat a confirmed coronavirus case.

But the attachment did nothing to strengthen recipients’ health against COVID-19. Instead, the attached archive downloaded “Coronavirus Disease (Covid-19) CURE.exe,” which turned out to be a loader for Agent Tesla. This infostealer, in turn, gave its handlers the ability to capture keystrokes, take screenshots and steal login credentials from their victims.

Pirated COVID-19 WordPress Plugins

Security researchers shared some WordPress plugins with Bleeping Computer that VirusTotal had flagged as samples of ‘Trojan.WordPress.Backdoor.A.’ The plugins consisted of zip archives that purported to contain legitimate coronavirus-themed plugins such as “COVID-19 Coronavirus - Live Map WordPress Plugin.” However, a closer look revealed that the plugins all contained a file called “lass.plugin-modules.php.” This resource harbored artifacts that are common hallmarks of WordPress WP-VCD malware.

Previously reported by Bleeping Computer, the WordPress WP-VCD malware family has a history of distributing pirated plugins containing backdoors to unsuspecting website owners. Those plugins, in turn, inject backdoors like ‘Trojan.WordPress.Backdoor.A’ into WordPress blogs and associated PHP files. The malware then attempts to expand its reach by spreading to other websites on the same host—all for the purpose of displaying pop-up advertisements and fraudulently generating revenue for the attackers.

How to Defend Yourself Against COVID-19 Scammers

The scams discussed above highlight the need for organizations to defend themselves and their employees against coronavirus-themed scams. One of the ways they can do this is by investing in an advanced threat protection solution. This tool should be capable of analyzing incoming messages for patterns, IP addresses, URLs, malware signatures and other factors that suggest a link with a known attack campaign. The solution should be able to conduct this analysis in real time so as to prevent digital threats from arriving in employees’ inboxes and to not deter legitimate correspondence from reaching their intended destinations.

To learn how Zix’s advanced threat protection solution can help defend against COVID-19 scammers, please click here.

You also need to make sure that you’re supporting your workforce in a time when digital fraudsters are increasingly targeting your remote teams. Zix realizes this fact, which is why it’s working to provide customers with encrypted email, productivity suites and other crucial services. Learn more about how remote teams can benefit from using Zix here.