Introduction
The National Cyber Coordination and Command Centre (NC4) continuously monitor the cyber threat landscape that may affect national security both locally and globally. We have observed an increased number of cyberattacks, targeting multiple organisations worldwide, taking advantage of Coronavirus (COVID-19) public health issue as a lure to attract victims to fall into their traps. With the recent announcement of Movement Control Order (MCO) by the Prime Minister of Malaysia, which requires all non-essential government and business premises to be closed from 18 to 31 March 2020, the NC4, National Cyber Security Agency (NACSA), National Security Council (NSC) would like to remind everyone to be vigilant and to continue to observe the cyber hygiene practices while working from home.
Impact
Loss of information, service disruption, information exposure and financial loss.
Brief Description
Following the COVID-19 outbreak, NACSA has observed several scams and malware activities that have employed the COVID-19 theme to lure victims to give out personal information and install malicious apps. Cyberattack campaigns, including Business Email Compromise, Malware, Ransomware and phone scams, are on the rise and are believed to be organized by APT groups and organised crime groups, leveraging on this situation for their latest campaigns.
Based on a report from Trend Micro, several malicious domains containing the word “corona” as part of the domain name have been identified and NC4 also has identified several malicious email subjects, attachments and malicious URLs that have used the word "COVID-19" and "coronavirus" in their phishing lures. The full list of malicious domains, email subjects and hashes are as in Appendix 1 below. The content of the Appendix 1 will be updated from time to time to reflect new indicator of compromise (IOC).
Recommendation
The NC4 would like to advice organisations and individuals to take the following precautionary steps during this period of MCO:
- to harden the ICT infrastructure that will support the Work-From-Home policy and the spike of online transactions from the public users;
- to verify any information received from emails, text messages and social media posts regarding COVID-19;
- to use Virtual Private Network (VPN) connections to access your internal resources;
- to not open any suspicious links or emails;
- to not visit any untrusted websites;
- to not simply enter personal information, such as email address or password, whenever you are requested to do so;
- to change your password if you think it is stolen;
- to update your mobile phone and computer’s operating system and applications regularly;
- to apply the latest patches for your system and application to protect from being exploited;
- to monitor your network traffic and block attempts to exploit your server and network;
- be careful and verify any calls claiming from legal enforcement agencies, banks or companies that you may have been dealings with;
- to contact law enforcement agency should you suspect that you have been a victim of a scam;
- to block malicious emails with subjects and hashes listed in Appendix 1; and
- to report to NACSA if your server has been breached or defaced.
Reference
- Coronavirus Used in Malicious Campaigns
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/coronavirus-used-in-spam-malware-file-names-and-malicious-domains
- Coronavirus Scams: Watch Out For These Efforts To Exploit The Pandemic
https://www.forbes.com/sites/mattperez/2020/03/16/coronavirus-scams-watch-out-for-these-efforts-to-exploit-the-pandemic/#3047e9626103
- Foreign APT groups use coronavirus phishing lures to drop RAT malware
https://www.scmagazine.com/home/security-news/cybercrime/foreign-apt-groups-use-coronavirus-phishing-lures-to-drop-rat-malware/
- Czech hospital hit by cyberattack while in the midst of a COVID-19 outbreak
https://www.zdnet.com/article/czech-hospital-hit-by-cyber-attack-while-in-the-midst-of-a-covid-19-outbreak/
Appendix 1
1) MALICIOUS DOMAINS:
- acccorona[.]com
- alphacoronavirusvaccine[.]com
- anticoronaproducts[.]com
- beatingcorona[.]com
- beatingcoronavirus[.]com
- bestcorona[.]com
- betacoronavirusvaccine[.]com
- buycoronavirusfacemasks[.]com
- byebyecoronavirus[.]com
- cdc-coronavirus[.]com
- combatcorona[.]com
- contra-coronavirus[.]com
- corona-armored[.]com
- corona-crisis[.]com
- corona-emergency[.]com
- corona-explained[.]com
- corona-iran[.]com
- corona-ratgeber[.]com
- coronadatabase[.]com
- coronadeathpool[.]com
- coronadetect[.]com
- coronadetection[.]com
2) MALICIOUS EMAIL SUBJECTS:
- RE: COVID-19 UPDATE
- Covid-19 in the Workplace: The Malaysian Position
- Update: Cruise ship outbreak of COVID-19 (Feb 17 2020)
- India’s world power ambitions without hard power; Modi disappoints Western Liberals & Conservatives Pakistan-Malaysia ties; and Pakistan’s response to Coronavirus
- Coronavirus Updates
- Coronavirus - How to protect against it
- Update on Coronavirus
- March General Meeting (Covid-19)
- Coronavirus advisory information - Alert!! and Health Warning.
- Cloud Solutions for Supporting Your Business in Fighting the Coronavirus
- Urgent Information COVID-19 (Coronavirus) Update for your safety.
- TAKLIMAT JANGKITAN COVID-19 ‚Äã WARGA AWAM KEMENTERIAN PERTAHANAN
- FW: Coronavirus (2019-nCoV)
- Coronavirus (2019-nCoV)
- RE:SHIPMENT VESSEL DELAY LETTER - (Coronavirus Crisis Lock down)
- SAFETY COVID-19 (Coronavirus Virus) AWARENESS - Safety Measures
- 'Coronavirus' Emergency treatment & Safety Measures WHO
- 'Corona Virus' Emergency treatment & Safety Measures WHO
- Quotation list of Face Mask (COVID-19 Preventive Mask)
- FW: Maersk Update on COVID-19 response & Maersk Continuity Alternatives*
- RE: IT COVID-19 Update
- Purchase Order (PO For-COVID-19 Products)
- COVID-19 update
- RE: IT COVID-19 Report
- COVID-19 SOLUTION OF TENDER*
- COVID 19 PENDIMG ORDER*
- IAEA VETERINARY LABORATORY EQUIPMENT DONATION FOR COVID-19 DIAGNOSES*
- Coronavirus Update – Urgent eMessage*
3) MALICIOUS FILE/URL HASHES:
- 273b7f3b24448da30b50ebd61de76be2
- a81bae4c1d10bc011b6caf8c93268e40
- 1435fb770b222c3b4e1bd1b1addf1fa3
- fb3db3f1ea731ea53b2aacd55440d8cc
- f241a4e610db2e5bec54bc9a93bb60b8
- ef9d87523920688b81fea2d0705cef7d
- ebddf3d9b96ee88ec63ef750c2c81b2b
- ea1905b70f1b33b41e65f0bf6336e96c
- e6a2830946667f4d819a9ee12a03c292
- dfa006254bc6ad7c37e0456dfbb0145a
- de04d3027ee98658dcfdbcd7e60e0ffb
- da8b8afc896874fbf6ffb1aa966a61d4
- d986a0542f155609d48a8235d28b579d
- d5ecf471e81fcba8e5e098e06b1ab595
- d365c0591d4675b89db585315ff2b33c
- d314e98d60c542876f5201ab003a8063
- d05fba70c04316356f4d990901c11148
- ccfc1496385d320a8b90c1ccc0e5f554
- c88cec167226e9d0be4c89218710fd93
- c5d549357aef830e6048ce4117ee71e7
- c274b0c673d9f6e5eab50ba8c48340f5
- c04c9adfb986827864fb87adc1dfbab4
- bd1c50848d07f7ad806a02ebe63167d6
- b9c729eaefe1a88049de01fa5479c670
- ad604829e5d4b8b7054dc84d230e31a4
- acd9f964eaafc5472546228e0ea55875
- aca3a26ac98e06d3b288efeaefa64b38
- ab47342bb9beaae590d57ccf42f7a107
- a1e4d49195c619e8b7e12b02b8c5eb13
- 9bdb881ddfc1f443ed076e9f3c85f901
- 98e65d8c85b262b3e29806fe9966140d
- 97618422968b64b8c578d83d02a4bd82
- 96264606f3e15144a885d21fa65e624f
- 94cf6045791964dcabcb04cfa773294d
- 895e574906330814be676dab3c60eaf3
- 859aa54b44a3ce3477ff473facdfdafb
- 78fd215bc0b5172e9440025309965d73
- 78306edb61fd6147271a3005ef5ce5dc
- 6ca36c7c1488a795ed554088391bf614
- 66dab0bed444592f95027e6cb44a5154
- 65b469b74c007eaacd3bba5f90862a19
- 5d8a538f9c5735c7f2731d359e719a67
- 5c5ed3502a9ecca14e0fbdd86cb0ba56
- 56a089a2e6231b8f79fa8563809f722a
- 517a10f5e216bcac7fcff25709b2be2c
- 4e2f8e9206a86576d7ebbbb3ae66a4fb
- 48e2399523c850780ba95e7011365e83
- 3a0a3b5c4a8e7b130d1979454cd22bb3
- 30577f0aefb19790e401b67110d7ee48
- 23008ee5dfa9fa64272e9f0ec233c7ee
- 1f857fdadce1521833d338be656ae578
- 128fc88aa0b8691793496ce15f8e8dc7
- 11becee8e48e7ab93aec7ccaca505eca
- 0d44aed754d0e3f6a56c3b8152743803
- 09185936ac116c87017538a7f0f07449
- 0ba075bd18f8732afb633db673c8d05d
- 504a5d5c5e4223d1e5ab2ccacfad6de0
- f4f00a38aaa768a9dea7253c35537c10
- c8a6b3e93d17bc90fa3b0b144dc1e5a3
- c678d0537968c721c2590cd1caf9020e
- be6bccb4f54974d063a057ff0407ccf6
- b8bcfb06789fb383fc24e080f2042ebb
- af92bdacce99576c7ab8a4015e548277
- ad536450d7d83c45bb25e836666fcd23
- ac2e83c5c22d988452992433879cfc02
- a948a91afaf169a699fe0442780c2257
- 97f4e4eeca8f423d1b86f0058609de56
- 8cfca914bb1752e5624340af20e2a5a5
- 805d15662864657f269a52893f0dddda
- 7a72e458649a903a9f0f0149230b8999
- 708624bec3b569768e72d6cce193d40c
- 7075cd098d5cc2334bbaff5602170b36
- 562a27ed4dbe67edd19f8f07ea8303a2
- 4a9ea766781088b450e26c09c9b1db9e
- 2eebe97bde6c0f31c11507f3a78fc831
- 265667989630740fcb4adbe674bc92f2
- 1e00190384d651c3778855ac4aaf0641
- 10e3f45a7548495fa43258bd366ddf3d
- 4a93424d61db981fc60d0dc6dacda278
- a11a97d6eabca9dba4a64860af4e9b61
- 05bec93985266a58a41a112c2729fcfa
- d35271297fb00127721091ff9346fa4c
- 8fe463d6d544471fea4eb058ca2d21f5
- b49890a4099055f28277b3a7f92f8e07
- bd4e4dfeb9843a4363e0327eb95a84e0
- 4972fac34f773668a523ef51b4898387
- 4199d242cb5592c481aed7744abbc633
- ccf7d617fd1a315a02ba173d69791983
- e4483c7ab0f9beced306226603ecfc08*
- 6e4d55767a84c5abde3d94f26a3e715b*
First Published : 18 March 2020
First Revision : 23 March 2020
Second Revision : 24 March 2020
Third Revision : 26 March 2020
Fourth Revision : 1 April 2020
Fifth Revision : 8 April 2020
Sixth Revision : 15 April 2020