Injecting Deception Mid-Pandemic: Covid-19 Vaccine Related Threats

What does the pandemic spell out for the digital domain and the threats surrounding it?

We witnessed how the Covid-19 outbreak ushered heavier reliance on online systems. While such dependence was present even before, the need to reduce physical contact heightened it. More legitimate services such as those of the government and healthcare (telehealth) went online. There has also been an increase in online-only systems, including digital-only neobanks. Physical stores were also closed as efforts to expand their online counterparts increased.

As online transactions gradually become the default means to avail of services, various threats also went on the prowl.

Increased dependence on online systems could cause users to trust these platforms more readily without verifying their authenticity. Cybercriminals usually impersonate known entities and create convincing replicas of email, website, or apps from legitimate sources. Due to this, users might have a harder time identifying legitimate platforms from malicious ones. This might be especially true for those who are using online systems heavily for the first time, such as many of the elderly.

Another concern is the spread of misinformation. A problem even before the pandemic, misinformation has since been exacerbated as threat actors took advantage of the increased use of online systems by using Covid-19 and related topics, such as vaccines as bait.

Now that vaccines are in the spotlight, with over 319 million doses administered to over 118 countries, we can only expect this topic to be used more as a social engineering lure. Late last year, the INTERPOL issued a global alert regarding organized crime networks that target Covid-19 vaccines. This includes potential online or offline criminal activities for illegally advertising, selling, administering, and stealing the said vaccines. The group has also recently dismantled a fake vaccine distribution network.

This blog post shares some of our findings on malware, spam, phishing schemes, malicious websites, and illicit markets related to Covid-19 vaccines.

The spread of malware through spam

Beginning the first quarter of 2020, we saw a wave of attacks that were associated with the Covid-19 vaccine. These attacks included but are not limited to the following malware: Emotet, Fareit, Agent Tesla, and Remcos. Countries with affected users include the United States, Italy and Germany.

Emotet

Before authorities’ recent takedown of Emotet C&C servers, we detected a spam campaign that spreads the malware and uses supposed information on Covid-19 vaccine as a lure. We observed that this Emotet spam campaign ran from the start of January until the 24th of the same month. Some of the sample file names of the email attachments are listed here:

Daily COVID reporting.doc
DAILY COVID-19 Information.doc
NQ29526013I_COVID-19_SARS-CoV-2.doc
GJ-5679 Medical report Covid-19.doc

Countries affected by Emotet include the United States, Italy, and Canada, while the most affected industries are healthcare, manufacturing, banking, and transportation. We were able to identify more than 80 samples of documents with the detection of Trojan.W97M.EMOTET.SMTH. It also turns out that there were similarities in the document files. The following are some of the email subjects that we saw:

COVID-19 Vaccine Survey
RE: RE: COVID-19 Vaccine Clinic with Walgreens To Do Now
Re: #TuOficinaSegura. Pfizer anuncia Vacuna contra el Covid . Novedades Oficinas YA! 10 de Noviembre de 2020

This Emotet campaign used around a hundred command-and-control (C&C) servers; these are IP addresses that can be traced to 33 countries. A majority of the addresses are from the United States, Canada, and France. Days after this massive spam campaign, certain infections of this trojan stealer cannot contact their C&C servers anymore, an event that can be attributed to law enforcement’s aforementioned crackdown on the malware’s servers.

Fareit

Cybercriminals deployed a spam campaign that spreads Fareit malware through emails that baited targets with the mention of the supposed Covid-19 vaccine. Fareit is capable of stealing personal information such as credentials in applications like browser, email, and FTP client. The email subjects used were the following:

Corona-virus(COVID-19),Common vaccine
Corona-Virus Disease (COVID-19) Pandemic Vaccine Released
Latest vaccine release for Corona-virus(COVID-19)

The common attachment files were the following:

Corona-virus vaccine.arj
COVID-19 VACCINE SAMPLES.arj
COVID-19 Vaccine.arj
vaccine release for Corona-virus(COVID-19)_pdf.rar

The email senders pretended to be from the World Health Organization (WHO) and used doctors' names. The countries most affected were Germany, United States, Italy, China, Spain, and Israel.

Figure 1. A sample of spam email used to spread Fareit

Other malware

Aside from Emotet and Fareit, other malware types were used to propagate Covid-19 vaccine-related threats. This includes trojan stealers, namely Lokibot, Agent Tesla, and Formbook. Remote access trojans (RATs) like Remcos, Nanocore, and Android malware like Anubis were also used.

In October 2020, a ransomware variant was reportedly spread through a fake Covid-19 survey. The phishing mail contained an attachment of a purported survey for students and faculty in a university in Canada. We detected this as Ransom.Win32.VAGGEN.A and Ransom.Win32.GOCRYPT.A. Our telemetry still shows detections of this malware, with over a thousand detections mainly in Portugal, the United States, and Israel.

In November 2020, Zebocry reportedly impersonated a pharmaceutical company Sinopharm, which produces Covid-19 vaccines. Here, the attackers involved used a virtual hard drive (VHD) file that stored two files: a PDF for Sinopharm’s presentation slides and an executable that posed as a Microsoft Word document. We detected this as Backdoor.Win32.ZEBROCY.AD and the domain support-cloud[.]life as its C&C server.

The backdoor Remcos was disguised through a file that reportedly had details about the Covid-19 vaccine. Agent Tesla was disguised in a file discussing a Covid-19 vaccine or cure, either for a sample or test results.

Phishing and scams

Recently, a phishing campaign that used the name of the UK’s National Health Service (NHS) circulated. The email entices a user to confirm that they accept the invitation for vaccination. Whether the “accept” or “disregard” button of the invitation is clicked, the email redirects to a landing page. This page displays a form requesting the user’s full name, birth date, address, and mobile number. We detected this campaign in the United Kingdom, Germany, United States, and the Netherlands.

Figure 2. An NHS phishing mail in the form of a fake appointment for vaccination

Another recent phishing campaign, which circulated in Mexico, used a website that was disguised as that of the medical laboratory “El Chopo,” which looks identical to the legitimate lab. It required details such as name, age, address, gender, mobile number, and email address. After the users register, they will supposedly receive a digital certificate for the National Vaccination Card and will be requested to wait for the cards’ activation. Through the site, users can reportedly schedule an appointment for the vaccine, and after paying MXN 2,700 (approximately USD 130), they will receive a supposed confirmation. The site even provided bogus contacts such as email addresses and Facebook and WhatsApp pages for any inquiries. We detect the phishing sites such as vacunacion.elchopo[.]mx, dinero-vacunacion.elchopo[.]mx, xn--vacunacin-d7a.elchopo[.]mx and infra-medica[.]com which are hosted in IP 64.22.104[.]14.

Figure 3. Phishing page (Image from urlscan.io)

Figure 4. Phishing page courtesy of Google cache

In September 2020, we observed a phishing campaign with the theme of equipment used for secure and safe transportation of vaccines. It was disguised as Unicef’s procurement for Gavi’s Cold Chain Equipment Optimization Platform (CCEOP) with a quotation request as an attachment. The attachment is an HTML file that displays a phishing page. The campaign had 20 domains and used hosting IP addresses located in the Netherlands. Trend Micro blocked the phishing domains, and the HTML files were detected as Trojan.HTML.PHISH.TIAOOHWY.

Figure 5. A sample phishing email for a supposed Covid-19 vaccine project

Figure 6. An HTML attachment that leads to a phishing page

Malicious actors are still circulating several Covid-19 vaccine-related scams. These range from the distribution of vaccination cards, selling of vaccines, appointments for vaccination, and others. DomainTools has reported on illegitimate CDC vaccination record cards that are allegedly exclusive in the US for an individual’s proof of vaccination. Each card costs US$20, or US$60 for a pack of four.

Some scammers also use SMS in their campaigns. One such example is a scammer who pretended to be from a pharmaceutical company. The message used by this scammer states the receiver’s eligibility to get vaccinated, and then provides a contact number for registration. The scammer will likely ask for money once contacted via the number.

The government and law enforcement agencies of different countries continuously advise the community to be wary of such scams. The US government even took down scam sites of entities assuming the names of biotechnology companies purportedly developing treatments for Covid-19.

Malicious domains

Last year, DomainTools started providing a free, curated list of high-risk COVID-19-related domains to support the community during the global health crisis. Using this list of domains (mostly bearing the keyword “covid”) and feedback from the Trend Micro™ Smart Protection Network™, we came up with a list of 75,000 malicious domains. The categories of domains include malware, phishing, scam, and low reputation.

This year, we have seen an uptick in the creation of malicious domains bearing the keyword “vaccine.” Based on the report by DomainTools, starting November of 2020, there was a spike in the creation of domains bearing the word “vaccine.” On the other hand, the number of domains with the word “covid” has subsided since June 2020. We identified around 1,000 malicious domains bearing the keyword “vaccine” during our analysis. In November 2020, 100 domains were registered to mimic pharmaceutical brand names for the Covid-19 vaccine, such as the following:

Gam-COVID-Vac
BioNTech’s BNT162 vaccine (COVID-19 mRNA vaccine)
EPI - VAK - KORONA
PiCoVacc
Sputnik V

Illicit markets

Cybercriminals also created sites using the Covid-19 vaccine as a lure. In 2020, the domain vaccine-coronavirus[.]com was active. Currently inactive as of writing, this site was previously disguised as the website of a medical university. From this site, users could supposedly buy vaccines using bitcoin as a mode of payment. More importantly, there is no guarantee about the vaccine’s authenticity or if the operators behind this scheme would send anything after receiving payment.

Figure 7. Scam site of Covid-19 Vaccine photo (image from urlscan.io)

The hidden service and anonymity afforded by the dark web have made it an ideal place for cybercriminals to sell illegal vaccines. A recent report talks about an underground site where operators claim to have developed a vaccine that is not only ready for purchase but also available for shipping worldwide.

Another darknet site required buyers to send their personal details and even their Covid-19 infection status and known diseases to an email address. These details must also be submitted with payment in the form of bitcoin. We believe this is a scam site.

Meanwhile, another report discusses the sale of alleged vaccines for US$250 on underground forums.

Figure 8. A Covid-19 vaccine scam on a darknet site

Recently, Covid-19 vaccine scams are reportedly spreading through Facebook and Telegram. This is alarming since one of the Telegram channels associated with this already has more than 4,000 subscribers. In particular, this channel supposedly offers vaccines from known brands. According to the article, a researcher tried to bait the scammer and ended up in a scam site disguised as the website of a popular courier. We were able to identify the scam site and noted that the closest domain based on the available description is the domain deltaexpressairline[.]com. A search for more scam sites using Delta Express revealed 31 more domains.

Figure 9. A Covid-19 vaccine scam on a Telegram channel

Solutions

With the ongoing health crisis, it is understandable that people are searching for ways to buy a vaccine. However, the public should be careful as many entities take advantage of this trend. More importantly, it is worth emphasizing that fake vaccines could have health repercussions — if scammers actually deliver anything after receiving payment.

Users can prevent the cybersecurity risks from these scams by not clicking on links or downloading attachments in emails from unknown sources. Users should also regularly patch and update their systems.

These systems can also be secured by a multilayered security approach for protecting endpoints, emails, web, and networks.

Online scams highlight the need to be vigilant with the information circulating online. Here are some tips on spotting misinformation:

Get information from trusted sources. For COVID vaccine information, contact either the local health authorities or health care providers.
Think before you click. Avoid forwarding or sharing messages and posts without verifying them first (for example, by fact-checking them through reputable search engines and news sites). By doing this, you can help contain the spread of scams and wrong information.
Identify fake or malicious emails, websites, and apps. Some telltale signs include misspellings, grammatical errors, and incorrect names and logos of known institutions. However, some scams use convincing replicas of legitimate emails, websites, apps, and other platforms used by the organizations they’re impersonating. If unsure, it’s best to double-check with other sources such as the company’s official social media sites and contact information.
Attend and/or conduct cybersecurity training. Increased awareness and knowledge of online scams and other types of misinformation can help identify these schemes.

Trend Micro Check can also help detect misinformation, scams, and similar online threats. A free multiplatform tool powered by artificial intelligence (AI), Trend Micro Check offers scam link detection, email security review, fact-checking of text, audio, and visuals to identify misinformation, and news outlet credibility verification. Since its launch, it has identified more than 2 million scams and 3 million instances of misinformation. Trend Micro check is available via Facebook Messenger, WhatsApp, and Google Chrome (as an extension).

Phish Insight provides the most effective phishing simulations and cybersecurity awareness training modules on the market. Powered by Trend Micro, the Phish Insight team creates a simulation template library based on billions of real phishing samples as well as a fully automated and staggered delivery system that makes the simulation emails even more convincing. Not only integrating the best and the most prevalent training modules from around the world, Phish Insight also allows users to customize their own training programs. Phish Insight enhances information security awareness for organizations by empowering people to recognize and protect themselves against the latest cyber threats.

Indicators of compromise

SHA256	Trend Micro Pattern Detection	File Name
56d85a979245364288d1814d5c45a8acf653c5da47d2eefe8f60f7b7de194e9c	Mal_GENISO-4 (Agent Tesla)	NEW COVID-19 VACCINE- CURE- UPDATE.Xlxs.iso
69ae4cd1cbb84c2144408975682f1f24229d8d5a1988b12fff18fd0472cffffb	HEUR_VBA.E2	Covid vaccine access - confidential.docm
64f61dd41ec3a411e647f6371b8500666db3c96cc57a8cb0c16d47cceaf12aa9	TrojanSpy.AutoIt.NEGASTEAL.SMB.hp	COVID-19 VACCINE.exe
041320839c8485e8dcbdf8ad7f2363f71a9609ce10a7212c52b6ada033c82bc5	TrojanSpy.Win32.FORMBOOK.L	vaccine_release_for_Corona-virus(COVID-19)_pdf.exe
cbf5be2bd3f2d0d5bc495228c034d303d728c11b6bbf58cdcf313c6bf7321321	TrojanSpy.Win32.NEGASTEAL.THEAEBO	COVID-19 Update Treatment Vaccine.pdf.exe
8a020281d5b475372fcf518c8f4a6b913b3a855c458996a9d7b525062ad736ec	TrojanSpy.Win32.NEGASTEAL.THEAEBO	NEW COVID-19 VACCINE- CURE- UPDATE.Xlxs.exe
56a4523b72aef34982a90a480c17386862d4788c0501b9982d798d43c860cc6c	TrojanSpy.Win32.NEGASTEAL.THEAEBO	Download_Covid.19_New Cases_and_New_Vaccine.doc.exe
eecb7b15a90df049ba18e11ebe23ca8fa83900d11f6154807da5bb07314f255d	Backdoor.MSIL.REMCOS.SM	Covid-19 vaccine Brief summary.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f	Ransom.Win32.VAGGEN.A
a88612acfb81cf09772f6bc9d0dccca8c8d5569ea73148e1e6d1fe0381fe5aec	TrojanSpy.AutoIt.NEGASTEAL.SMB.hp	COVID-19 Vaccine Sample.exe
e17f4fc412f2d30169c6da41687bebbbdb390969a38458143c11474a08afec50	AndroidOS_FakeApp.NGPF	Vaccine-register.apk
b6087bb0059e7e8d33e2d34a48e3f1db439e01fcd8856e7159428e9562df7067	Trojan.Win64.WOREFLINT.A	PAPER-COVID-19-Vaccine-Strategy.pdf
76888b745714b1d0db8cd883eaac756c560b052462cae240c3917c441c07d611	TrojanSpy.Win32.NEGASTEAL.THEAEBO	Download_Covid.19_New Cases_and_New_Vaccine.doc.exe
6d0e370da27f452ed7b21d468d607eb3b938cc798ec563209ce6f67e752963b7	TrojanSpy.Win32.NEGASTEAL.THEAEBO	COVID-19 VACCINE- TEST-RESULT.exe
158af91147262440a1f8356d1f8f9cba48b168b97924bea50440d67c679c6c6d	BKDR_SWRORT.SM	vacuna-covid.exe
b6162314e5f6edda9b033494a8dc5116cf831456815825949d1f59a5651d40f3	BKDR_NOANCOOE.SM	COVID-19 VACCINE.EXE
e6be29fa3a68946d8e2239ad60d37b900ddf58cb2c63245dda916f560c081679	Mal_GENISO-4 (Agent Tesla)	COVID-19 VACCINE- TEST-RESULT.exe
a08c6a65851bfe6b9c33d42c54d64869293f6119f9dd94cc060c8233e647568a	BKDR_NANOCORE.SMD	COVID-19 VACCINE.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe	Ransom.Win32.GOCRYPT.A
bfbada8b0ecc1f711dd4869c7fc97f658b88dc497a415a2e912eff9245fe9c9b	TrojanSpy.Win32.NEGASTEAL.THEAEBO	Download_Covid.19_New Cases_and_New_Vaccine.doc.exe
b9bff597e8376ad448c493f4b7eb3e3c500c60528834b3b4a46a1493e3a56694	AndroidOS_Anubis.GCL	Vacuna_COVID19_Chile.apk
2b4d07dc6df290801e6dec29d4cd0649d52f0c001a171604cf374c84f57c63a2	TROJ_CVE20171182.SM	COVID-19 VACCINE SAMPLES.xlsx
052e19392c73c979c31554983a4aed5589c4ece553083dddfb4fe14ee55c440a	TrojanSpy.Win32.LOKI.SMDF.hp	Corona-virus(COVID-19)vaccine.exe
2cf2568dad46a638b8e4d86aa46f4cd279511dba9900286e22aeaefc39189a88	Backdoor.MSIL.NANOCORE.TIAOODFN	Covid-19 Vaccine.gz
76299e863b71caed1b9950d904d1b52a8174b9077c9d4bc896276881caa46fad	BKDR_NOANCOOE.SM	COVID-19VACCINE_.exe
bbb0f2855d1444cae835700f58acb51b6a6fd2f48046e94850982753cb4a7268	TrojanSpy.Win32.NEGASTEAL.THEAEBO	Download_Covid.19_New Cases_and_New_Vaccine.doc.exe
7e765af2d1bf7c139df8fb2bb5eef1268b3cf356f7192f4f221c42104fad2a89	TrojanSpy.Win32.LOKI.SMDF.hp	Corona-virus_28C_arj.bin
f36a0ee7f4ec23765bb28fbfa734e402042278864e246a54b8c4db6f58275662	Backdoor.Win32.ZEBROCY.AD
fc2cc8b7cf51f41d40121d63c21c9ae1af4f8f6126b582ace5ed4a5c702b31c3	TrojanSpy.Win32.FORMBOOK.L	vaccine release for Corona-virus(COVID-19)_pdf.rar

URLs

ip-160-153-254-152[.]ip.secureserver[.]net/nfz
ip-160-153-254-254[.]ip.secureserver[.]net/nhs
ip-160-153-254-152[.]ip.secureserver[.]net/CVD19
ip-160-153-246-67[.]ip.secureserver[.]net/NHSonline
ip-107-180-73-44[.]ip.secureserver[.]net/WEB/parcel.php
IP 64.22.104[.]14
support-cloud[.]life
hxxp[:]//t[.]me/Darkwebvendor
hxxp[:]//t[.]me/Buy_COVID_19_Vaccines
covidsgaonvjnd6z[.]onion
vaccine-coronavirus[.]com
vacunacion[.]elchopo[.]mx
dinero-vacunacion[.]elchopo[.]mx
xn--vacunacin-d7a[.]elchopo[.]mx
infra-medica[.]com

Emails

darknetmarket1@protonmail[.]com
cvdntdrs@protonmail[.]com
orders@vaccine-coronavirus[.]com

Injecting Deception Mid-Pandemic: Covid-19 Vaccine Related Threats

Authors

Resources

Support

About Trend

Resources

Support

About Trend

The Americas

Middle East & Africa

Europe

Asia & Pacific