Joerg Habermeier - stock.adobe.c

First coronavirus cyber threats seen in the wild

Kaspersky has reported the first incidences of cyber security threats playing on fears of the emerging coronavirus

Malicious files disguised as documents relating to the novel or Wuhan coronavirus have been spotted in the wild by Kaspersky’s threat detection technology, exploiting people’s fears of infection to spread malware and other cyber threats.

Coronaviruses are a family of respiratory infections that includes both mild illnesses such as the common cold and more serious ones such as Sars and Mers. The variant in question emerged in Hubei province in central China in December 2019.

It has now spread to every other province of mainland China and several other countries, including Australia, France, Japan, South Korea, Taiwan, Thailand and the US.

At the time of writing, there were 7,783 confirmed cases –7,678 in China – and the death toll stood at 170, although the nature of coronaviruses and the difficulty of reporting cases accurately in some areas means the true number is probably higher.

“The coronavirus, which is being widely discussed as a major news story, has already been used as bait by cyber criminals,” said Anton Ivanov, a malware analyst at Kaspersky.

“So far, we have seen only 10 unique files, but as this sort of activity often happens with popular media topics then we expect that this tendency may grow. As people continue to be worried for their health, we may see more malware hidden inside fake documents about the coronavirus being spread.”

The malicious files discovered by Kaspersky’s researchers were disguised as pdf, mp4 and docx files about the coronavirus. In each case the filenames implied that they contained useful information on how to protect yourself from the coronavirus, information on how to detect it, and news updates.

In reality, the files contained various threats including Trojans and worms capable of destroying, blocking, modifying or copying and exfiltrating personal data, as well as interfering with the victims’ computing equipment or networks.

Kaspersky said its products detected coronavirus-related files with the following detection names: Worm.VBS.Dinihou.r, Worm.Python.Agent.c, UDS:DangerousObject.Multi.Generic,, Trojan.WinLNK.Agent.ew, HEUR:Trojan.WinLNK.Agent.gen, and HEUR:Trojan.PDF.Badur.b.

High-profile events, news stories and offline threats are almost inevitably exploited by cyber criminals to spread malicious files or run scams on victims and often play on justified concerns. Already in 2020, criminal gangs have exploited the Travelex ransomware attack to conduct telephone scams, for example.

As always, users can take a number of simple steps to avoid falling victim to malicious files masquerading as legitimate content. Users should avoid clicking on unsolicited, suspicious links sent to them that claim to be exclusive content, rather than going direct to official sources for accurate and trustworthy information on the coronavirus. It is also worth looking closely at the three letter file extension – legitimate documents and video files will rarely if ever be in .exe or .lnk formats.

Elsewhere in the industry, the coronavirus outbreak has also begun to affect the IT supply chain. In its most recent quarterly results announcement this week, Apple said it was working on contingency and mitigation plans to protect production facilities in China.

Read more about cyber crime

  • Sodinokibi hacking group steps up pressure on German automotive manufacturer by publishing information, including the CEO’s computer password, on the internet.
  • The high-volume Emotet campaign is back in action after the Christmas holidays, and is just as dangerous as ever.
  • The Police Service of Northern Ireland and the Dutch cyber crime unit have made two arrests in an operation targeting a website that provided criminals with access to billions of personal credentials.

Read more on Hackers and cybercrime prevention

Data Center
Data Management