Hackers taking advantage of the spread of COVID-19
Hackers have been running attack campaigns across several countries that use the spread of the Coronavirus disease (COVID-19) as a lure to distribute malware such as Emotet, AZORult and NanoCore and to steal user credentials.
Email security firm Libraesva discovered and intercepted an email purporting to come from a director in Milan, sent to universities and claiming to provide steps to prevent the further spread of COVID-19. Brunel University London reports that the attackers' motivation became clear when a malicious link asked for user login credentials. In one instance, an attacker designed an email to stoke curiosity by stating: “If you want to receive further information for a cure, you must click on the link below.”
One sophisticated attack method that researchers reported on used an MS Word document purporting to come from the World Health Organization (WHO), with an embedded URL that led to a fake MS Office website. Other attackers prompt users to download an application that supposedly keeps them updated on the situation. It simply displays a map of how COVID-19 is spreading while, in the background, a malicious binary is generated and installed on the victim's computer. At the time of writing this practice only affects Windows systems.
Here are some preventative measures:
- Avoid clicking on promotional links and lures in emails;
- Search for general information yourself instead of clicking links from a suspicious or unknown sender;
- Don’t proceed with any login procedure if unsure about the authenticity of a website.
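The lures above share a shape: a name-dropped brand (the WHO, MS Office), a link whose visible text does not match where it goes, and a credential prompt at the end. The following Python script, added here as an example and not part of the original article, parses a message and flags those patterns. The sample messages, the list of impersonated brands and their "real" domains, and the `.invalid`/`.example` hosts are all constructed assumptions for the example.

```python
"""Flag the phishing patterns described above before anyone clicks.

Checks run over a parsed e-mail:
  * a link whose visible text shows one domain while the href goes elsewhere
  * a link on a domain that merely looks like a brand the mail name-drops
  * a login page on a host that is not the brand's own
  * lure phrases such as the "further information for a cure" line quoted above
The sample messages at the bottom are constructed for this example.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the article reports being impersonated, mapped to their real domains.
# Which domain counts as "real" is an assumption made for this example.
BRAND_DOMAINS = {
    "world health organization": "who.int",
    "microsoft office": "office.com",
}

# Phrases lifted from the lures the article describes.
LURE_PHRASES = (
    "further information for a cure",
    "click on the link below",
    "verify your account",
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url_or_text):
    """Host part of a URL, or of a bare 'www.example.com' string."""
    candidate = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(candidate).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Enough for the .int/.com hosts used
    here; a real deployment would consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyse_message(raw_message):
    """Return a list of findings for one RFC 5322 message (empty if clean)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = text.lower()
    findings = []

    for phrase in LURE_PHRASES:
        if phrase in lowered:
            findings.append(f"lure phrase: '{phrase}'")

    parser = _AnchorCollector()
    parser.feed(text)
    for href, shown in parser.anchors:
        target = registrable_domain(hostname_of(href))
        if not target:
            continue

        # Visible text that looks like a URL or domain but points elsewhere.
        if "." in shown and " " not in shown:
            shown_domain = registrable_domain(hostname_of(shown))
            if shown_domain and shown_domain != target:
                findings.append(f"link text '{shown}' hides target {target}")

        # The mail invokes a brand and the link reuses the brand's name in a
        # lookalike domain (who-int-update.example for who.int), not the real one.
        target_labels = set(re.split(r"[.-]", target))
        for brand, real_domain in BRAND_DOMAINS.items():
            brand_label = real_domain.split(".")[0]
            if brand in lowered and target != real_domain and brand_label in target_labels:
                findings.append(f"lookalike of {real_domain}: {target}")

        # A credential prompt anywhere other than a brand's own domain.
        if "login" in href.lower() and target not in BRAND_DOMAINS.values():
            findings.append(f"login page on untrusted host {target}")

    return findings


# Constructed messages modelled on the lure quoted above; not real mail.
PHISH = """\
From: "Director" <director@example-hospital.invalid>
To: staff@example-university.invalid
Subject: COVID-19 preventative steps
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please read the attached guidance from the World Health Organization.</p>
<p>If you want to receive further information for a cure, you must click on the link below.</p>
<p><a href="http://who-int-update.example/login">https://www.who.int/covid-19</a></p>
</body></html>
"""

BENIGN = """\
From: comms@example-university.invalid
To: staff@example-university.invalid
Subject: Official COVID-19 guidance
Content-Type: text/html; charset=utf-8

<html><body>
<p>Guidance from the World Health Organization is at
<a href="https://www.who.int/emergencies">www.who.int</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, analyse_message(raw))
```

The link-text check is the one worth keeping even if the brand list is discarded: a mail whose visible URL and actual href disagree on the registrable domain has no honest reason to exist, whereas lure phrases and brand lists need tuning for every organisation.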
New PXJ ransomware found by X-Force IRIS
Security researchers at IBM's X-Force Incident Response and Intelligence Services (IRIS) reported a new malware strain, PXJ, with ransomware functionality. Two samples were uploaded to VirusTotal by a community user; the initial infection vector is unknown. PXJ starts by trying to stop files being recovered from deleted stores: it empties the Recycle Bin using the “SHEmptyRecycleBinW” function.
It then runs a series of commands to prevent the data it is about to encrypt from being recovered from backups. After encryption, the ransomware drops its ransom note into a file called “LOOK.txt”, demanding that victims pay the ransom in exchange for the decryption key.
The researchers stated that the attacker’s email addresses were the same across the two samples; however, one of the samples was found to contain new network communication.
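The sequence above, anti-recovery commands followed by a ransom-note drop, is something an endpoint telemetry pipeline can catch before encryption finishes. The following Python hunt, added here as an example and not taken from the X-Force IRIS report, runs over constructed Sysmon-style JSON-lines records. The article does not list the exact commands PXJ runs, so the command patterns below are the anti-recovery commands ransomware commonly uses and are an assumption; the note filename LOOK.txt is the one the report gives.

```python
"""Hunt for the PXJ-style sequence described above, the anti-recovery commands
followed by a ransom-note drop, in process- and file-creation telemetry.

Assumptions, since the article does not list PXJ's exact commands: the
patterns below are the anti-recovery commands ransomware commonly runs
(shadow-copy deletion, backup-catalog deletion, disabling Windows recovery).
The note name LOOK.txt is the one X-Force IRIS reports. The log records are
constructed for this example in a Sysmon-like JSON-lines shape.
"""
import json
import re
from collections import defaultdict

# Assumed anti-recovery command patterns (not taken from the PXJ report).
ANTI_RECOVERY_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadow_deletion": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}
RANSOM_NOTE_NAME = "look.txt"  # PXJ's ransom note, per the X-Force IRIS report


def classify(record):
    """Label one telemetry record with the tactic it shows, or None."""
    if record.get("event") == "process_create":
        command_line = record.get("command_line", "")
        for label, pattern in ANTI_RECOVERY_PATTERNS.items():
            if pattern.search(command_line):
                return label
    elif record.get("event") == "file_create":
        filename = record.get("path", "").replace("/", "\\").split("\\")[-1]
        if filename.lower() == RANSOM_NOTE_NAME:
            return "ransom_note_dropped"
    return None


def hunt(json_lines):
    """Return {host: sorted tactic labels} for hosts worth an alert.

    One anti-recovery command on its own is noisy (backup jobs also delete
    old shadow copies), so a host is reported when it shows at least two
    distinct anti-recovery tactics, or a ransom note regardless of count.
    """
    seen = defaultdict(set)
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        label = classify(record)
        if label:
            seen[record["host"]].add(label)

    alerts = {}
    for host, labels in seen.items():
        anti_recovery = labels - {"ransom_note_dropped"}
        if len(anti_recovery) >= 2 or "ransom_note_dropped" in labels:
            alerts[host] = sorted(labels)
    return alerts


# Constructed telemetry: WS01 shows the full sequence, WS02 is an admin
# listing shadow copies, WS03 is a single backup-cleanup command.
SAMPLE_LOG = r"""
{"timestamp":"2020-03-16T09:00:01Z","host":"WS01","event":"process_create","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c vssadmin.exe delete shadows /all /quiet"}
{"timestamp":"2020-03-16T09:00:02Z","host":"WS01","event":"process_create","image":"C:\\Windows\\System32\\bcdedit.exe","command_line":"bcdedit.exe /set {default} recoveryenabled no"}
{"timestamp":"2020-03-16T09:00:03Z","host":"WS01","event":"process_create","image":"C:\\Windows\\System32\\wbadmin.exe","command_line":"wbadmin.exe delete catalog -quiet"}
{"timestamp":"2020-03-16T09:01:10Z","host":"WS01","event":"file_create","path":"C:\\Users\\bob\\Desktop\\LOOK.txt"}
{"timestamp":"2020-03-16T09:05:00Z","host":"WS02","event":"process_create","image":"C:\\Windows\\System32\\vssadmin.exe","command_line":"vssadmin.exe list shadows"}
{"timestamp":"2020-03-16T09:06:00Z","host":"WS03","event":"process_create","image":"C:\\Windows\\System32\\vssadmin.exe","command_line":"vssadmin.exe delete shadows /for=D: /oldest"}
{"timestamp":"2020-03-16T09:07:00Z","host":"WS03","event":"file_create","path":"C:\\Users\\alice\\Documents\\notes.txt"}
"""

if __name__ == "__main__":
    for host, labels in hunt(SAMPLE_LOG.splitlines()).items():
        print(host, ", ".join(labels))
```

The threshold of two distinct tactics matters: a lone `vssadmin delete shadows` is routine on hosts with backup software, while shadow-copy deletion plus disabled recovery within seconds of each other is almost never legitimate. The ransom-note rule fires on its own because by that point the encryption has already happened and the host needs isolating regardless.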
Microsoft takes down Necurs botnet affecting 9 million devices
Microsoft recently announced the takedown of the infamous Necurs botnet, which had affected around 9.1 million computers. Necurs is one of the largest spam botnets, has been active since at least 2012 and is operated by the cybercrime gang tracked as TA505. It was involved in massive campaigns spreading malware such as the Locky ransomware, the Dridex banking Trojan and the Scarab ransomware.
The takedown operation reportedly involved partners from 35 countries. During a 58-day investigation the botnet was observed sending 3.8 million spam messages to over 40 million targets. As per Microsoft, “This remediation effort is global in scale and involves collaboration with partners in industry, government and law enforcement via the Microsoft Cyber Threat Intelligence Program (CTIP).”
Two new vulnerabilities, TRR-bypassing Rowhammer and Load Value Injection, affect chip manufacturers
Security researchers have disclosed two new hardware vulnerabilities, TRR-bypassing Rowhammer and Load Value Injection (LVI), which are a matter of concern for chip manufacturers.
Target Row Refresh (TRR)-bypassing Rowhammer, discovered by VUSec, is tracked as CVE-2020-10255. It bypasses Target Row Refresh, the in-DRAM mitigation that vendors adopted collectively against Rowhammer. The researchers' fuzzing tool was tested on 43 DIMMs (Dual In-line Memory Modules) and found 13 DIMMs from the three major DRAM vendors (Samsung, Hynix and Micron) vulnerable to the new Rowhammer variants. LVI-LFB (Load Value Injection in the Line Fill Buffers) is a new vulnerability affecting many Intel processors. It is tracked as CVE-2020-0551 and is described as a reverse Meltdown-type attack: rather than leaking the victim's data, the attacker injects values into the victim's transient execution.
The researchers note limitations that make the attack difficult to carry out in practice. Nevertheless, given the criticality of the issue, Intel has issued new mitigation guidance and tooling for LVI (including compiler support for inserting LFENCE instructions after vulnerable loads, aimed primarily at SGX enclave code) to reduce the overall attack surface.
Edited and compiled by cyber security specialist James Aguilan.