Authors: Janos Szurdi, Zhanhao Chen, Oleksii Starov, Adrian McCabe, Ruian Duan
Executive Summary
With the spread of the coronavirus worldwide, interest is high in related topics. Accordingly, Unit 42 researchers found an immense increase in Coronavirus-related Google searches and URLs viewed since the beginning of February. Cybercriminals are looking to profit from such trending topics, disregarding ethical concerns, and in this particular case preying on the misfortunes of billions.
To protect customers of Palo Alto Networks, Unit 42 researchers monitor user interest in trending topics and newly registered domain names related to these topics, as miscreants often leverage them for malicious campaigns. Using Google Trends and our traffic logs, we observed a steep increase in user interest in topics related to Coronavirus, with prominent peaks at the end of January, the end of February, and the middle of March 2020. Accompanying the growth in user interest, we observed a 656% increase in the average daily Coronavirus-related domain name registrations from February to March. In this timeframe, we witnessed a 569% growth in malicious registrations, including malware and phishing, and a 788% growth in “high-risk” registrations, including scams, unauthorized coin mining, and domains that have evidence of association with malicious URLs within the domain or utilization of bulletproof hosting. As of the end of March, we identified 116,357 Coronavirus-related newly registered domain names. Out of these, 2,022 are malicious and 40,261 are “high-risk”.
We analyze these domains by clustering them based on their Whois information, DNS records and screenshots (collected by our automated crawlers) to detect registration campaigns. We found that while many domains are registered to be resold for a profit, a significant fraction of them are used both for well-known malicious activities and for fraudulent shops selling items in short supply. The traditional malice abusing Coronavirus trends includes domains hosting malware, phishing sites, fraudulent sites, malvertising, cryptomining, and Black Hat Search Engine Optimization (SEO) for improving search rankings of unethical websites. Interestingly, although many webshops that use newly registered domains try to scam users, we detected an especially unethical cluster of domains capitalizing on users’ fear of Coronavirus to further frighten them into buying their products. Moreover, we discovered a group of Coronavirus-themed domains which now serve parked pages with high-risk JavaScript that may at any time start redirecting users to malicious content.
In this blog, we first showcase the increasing trend of user interests in Coronavirus-related topics on the Internet, with data from both Google Trends and our service traffic logs. Second, we illustrate the significant increase in domain registration activities recently for domain names containing Coronavirus-related keywords. Third, we present a detailed case study on how cybercriminals are abusing and monetizing such user interests on the Internet. Finally, we conclude with a discussion of best practices.
Note that all the malicious websites and malware attacks mentioned in this blog have been covered ahead of time by various security service offerings of Palo Alto Networks, including PAN-DB URL Filtering, DNS Security, WildFire, and Threat Prevention.
Increase in User Interest in Coronavirus-related Topics
Using Google Trends and our traffic logs, we observed a steep increase in user interest in topics related to Coronavirus. In Figure 1, we can see how interested users are in Coronavirus-related keywords based on Google Trends. In particular, we see three prominent peaks at the end of January, the end of February, and the middle of March 2020. The first peak aligns with the virus outbreak in China, the second peak signifies the first US case of unknown origin, and the third peak is at the same time as the virus outbreak in the US. One interesting exception in Figure 1 is alcohol, as users have an interest in it all year round, with a peak at Christmas. Intuitively, the year-round interest in alcohol is for drinking it; however, the peaks aligned with Coronavirus are for medical alcohol.
Matching our observations about user interest from Google Trends, we see in Figure 2 a near ten-fold increase in the number of unique Coronavirus-related URLs visited by our customers comparing early February to late March.
The increased user interest in Coronavirus presents a lucrative opportunity for cybercriminals to profit from this pandemic. A common method for crooks to benefit from trending topics is to register domain names that include related keywords such as “Coronavirus” or “COVID”. These domain names often host legitimate-looking content and are used for a wide variety of malicious activities, including tricking users into downloading malicious files, phishing, scams, malvertisement and cryptocurrency mining.
To combat criminals employing Coronavirus-related domain names, we obtain keywords from trending topics. First, we automatically extract keywords using the Google Trends API. Then we manually select the keywords most relevant to Coronavirus. Finally, using our set of keywords, we closely monitor newly registered Coronavirus-related domain names.
The Rise of Coronavirus Domain Names
Unit 42 has been tracking newly registered domains (NRDs) for more than nine years and has previously published a comprehensive analysis of them. To study the emerging threats abusing COVID-19, we retrieved NRDs containing Coronavirus-related keywords from January 1, 2020 to March 31, 2020. Our system detected 116,357 related NRDs during this period, with roughly 1,300 domains every day. Figure 3 presents the daily trend of new domain name registrations detected during our study period. We found an increase in the number of Coronavirus domains over time, and after March 12, we detected over 3,000 new domains every day. Apart from the general trend of growth, we also observed sudden increases in the number of domains registered. These increases in registrations follow the peaks in user interest seen in Google Trends with a few days of delay.
We used Palo Alto Networks’ threat intelligence, including our DNS Security service and URL Filtering service, to evaluate Coronavirus-related NRDs. We classify NRDs into two categories. First, malicious NRDs include domains used for command and control (C2), malware distribution and phishing. Second, high-risk NRDs contain scam pages, pages with insufficient content, coin miners, and domains associated with known malicious or bulletproof hosting. While in this blog we separate our categorization into malicious and high-risk, our URL Filtering service provides customers a more fine-grained categorization of domain names as described in this document.
During our analysis, we identified 2,022 malicious and 40,261 high-risk NRDs. The malicious rate is 1.74% and the high-risk rate is 34.60%. Among the malicious domains, 15.84% are involved in phishing attacks trying to steal users’ credentials, and 84.09% are hosting different kinds of malware, including Trojans and info stealers. Unlike phishing and malware, we only found a couple of domains used for C2 communication.
Supporting our previous observations, the increase in the average daily number of Coronavirus-related domains from February to March is 656%. We witness a similar trend of malicious and high-risk Coronavirus domains, with 569% and 788% growth, respectively. In Figure 3, we can observe that malicious registrations follow NRD trends, in some cases even exceeding them.
Additionally, we find that even though these domains were recently registered, we have observed a total of 2,835,197 DNS queries (caching excluded) for these domains according to the Passive DNS data that we collect. Furthermore, an average malicious NRD is queried 88% more than an average non-malicious NRD, which aligns with attackers’ incentives to utilize their domains before they get blacklisted. Figure 4 shows the daily trends of DNS queries observed in our Passive DNS database using a seven-day moving average. We notice a steep increase on March 16 in the number of benign and malicious NRDs queried. This increase correlates to our previous observation of user interest and domain registrations peaking a few days before due to the virus outbreak in the US.
Figure 5. Most abused keywords in NRD
The keyword set we use for our analysis contains terms specific to the Coronavirus pandemic like “Coronavirus” and “COVID-19”. We also leverage more general ones such as “pandemic” and in addition to words directly related to the virus, we also include keywords related to supplies running out, such as “facemask” and “sanitizer”.
In Figure 5, we list the top 15 keywords which matched the most NRDs. In general, the specific terms are more favorable for registrants, and there are several registration campaigns for related supplies. Apart from the detection count, these popular keywords have risk levels above average (>40% high-risk rate), which means they’re more likely to be abused. On the other hand, their malicious rate is similar to average keywords. A special case is “virusnews”, matching 344 NRDs, where 33% of them are malicious.
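The keyword monitoring described in the two sections above (matching NRDs against a curated keyword set, then computing per-keyword counts and malicious/high-risk rates as in Figure 5) can be reproduced in a few lines. The following is an added example, not Unit 42's pipeline: the keyword list is a constructed subset in the spirit of the post, the NRD feed is a handful of constructed records with constructed verdicts, and the normalization rule (drop the TLD, strip hyphens) is an assumption about how loose the matching should be.

```python
import re
from collections import defaultdict

# Constructed keyword set: pandemic-specific terms plus supplies, as the post
# describes. A production list would come from Google Trends plus manual review.
KEYWORDS = ["coronavirus", "covid-19", "covid", "corona", "pandemic",
            "facemask", "sanitizer", "virusnews"]


def normalize(domain: str) -> str:
    """Lowercase, keep only the registered label and strip separators, so
    'Corona-Masr21.com' -> 'coronamasr21' and 'covid-19-gov.com' -> 'covid19gov'.
    Assumption: an NRD feed carries bare registered domains, not subdomains."""
    label = domain.lower().split(".")[0]
    return re.sub(r"[-_]", "", label)


def match_keywords(domain: str):
    """Return every keyword (in KEYWORDS order) found in the domain's label."""
    name = normalize(domain)
    return [kw for kw in KEYWORDS if kw.replace("-", "") in name]


def keyword_stats(records):
    """records: iterable of (domain, verdict), verdict in
    {"benign", "high-risk", "malicious"}.
    Returns {keyword: {"nrds": n, "malicious_rate": %, "high_risk_rate": %}}."""
    counts = defaultdict(lambda: {"nrds": 0, "malicious": 0, "high-risk": 0})
    for domain, verdict in records:
        for kw in match_keywords(domain):
            counts[kw]["nrds"] += 1
            if verdict in ("malicious", "high-risk"):
                counts[kw][verdict] += 1
    return {
        kw: {
            "nrds": c["nrds"],
            "malicious_rate": round(100 * c["malicious"] / c["nrds"], 2),
            "high_risk_rate": round(100 * c["high-risk"] / c["nrds"], 2),
        }
        for kw, c in counts.items()
    }


# Constructed sample feed; verdicts are illustrative labels, not lookups.
SAMPLE_NRDS = [
    ("corona-masr21.com", "malicious"),
    ("corona-masr3.com", "malicious"),
    ("covid-19-gov.com", "malicious"),
    ("coronavirus-meds.com", "malicious"),
    ("virusnews-today.net", "malicious"),
    ("virusnewsdaily.com", "benign"),
    ("virusnews-hub.org", "high-risk"),
    ("cheap-facemask-shop.com", "high-risk"),
    ("sanitizer-deals.net", "high-risk"),
    ("pandemic-tracker.org", "benign"),
    ("facemask-charity.org", "benign"),
    ("gardening-tips.com", "benign"),      # no keyword, should never be counted
]

if __name__ == "__main__":
    for kw, s in sorted(keyword_stats(SAMPLE_NRDS).items(), key=lambda x: -x[1]["nrds"]):
        print(f"{kw:12} nrds={s['nrds']:3} malicious={s['malicious_rate']:6.2f}% "
              f"high-risk={s['high_risk_rate']:6.2f}%")
```

Because "corona" is a substring of "coronavirus", one domain can count toward several keywords; that matches how a top-N keyword table like Figure 5 is usually built, but it means the per-keyword counts do not sum to the total number of NRDs.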
How Attackers Are Abusing the Coronavirus Pandemic
Observing the increase in malicious and high-risk coronavirus NRDs, we analyzed these domains further to understand how cybercriminals utilize them. We start by clustering domain names based on Whois information and DNS records, including registration date, registrar, registrant’s organization, Autonomous System Number (ASN) and name service provider. Additionally, we cluster domain names based on their main webpage’s visual similarity. We employ the k-nearest neighbor algorithm using the last layer of the DenseNet 201 model from the Keras library as features. Building on our clusters, we found several malicious or abusive registration campaigns, which we will discuss alongside typical scenarios of malicious use cases.
Phishing User Credentials with Coronavirus Domains
The goal of phishing attacks is to trick users into sharing their credentials and personal information with the attackers. Among Coronavirus domains, we observe classic phishing schemes where attackers send an email to our customers with a link to a fake website mimicking a legitimate brand’s or service’s website to fool users into giving away their login credentials.
We detected a cluster of 20 domains registered on the same day following the corona-masr*.com pattern, where * is a number anywhere from 1 to 101. While there are 101 possible domain name variations in this range, only 20 were registered. In Figure 6, we see an example of a phishing URL hxxp[:]//corona-masr21[.]com/boa/bankofamerica/login.php targeting Bank of America. The goal of attackers is to persuade users that they need to log in on this fake webpage and that the bank owns it. This cluster also includes phishing URLs imitating other services, including hxxp[:]//corona-masr21[.]com/apple-online targeting Apple’s login page and hxxps[:]//corona-masr3[.]com/CAZANOVA%20TRUE%20LOGIN%20SMART%202019/ targeting PayPal’s login pages. Another phishing campaign was targeting Outlook accounts from the corona-virusus[.]com and coronavirus-meds[.]com domains.
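The clustering step introduced at the start of this section (grouping NRDs that share registration date, registrar, registrant organization, ASN and nameserver) and the corona-masr*.com campaign just described can be combined into one detector: cluster by infrastructure first, then look inside each cluster for names that differ only by a number. This is an added example, not Unit 42's code; the visual-similarity (DenseNet) stage is omitted, and every registrar, organization, ASN and nameserver value below is a constructed placeholder. Only the corona-masr* naming pattern comes from the post.

```python
import re
from collections import defaultdict

# Constructed Whois/DNS records. ASNs are from the private range and the
# registrar/org/nameserver strings are placeholders, not real attribution.
SAMPLE_RECORDS = [
    {"domain": "corona-masr3.com", "registered": "2020-03-10", "registrar": "Registrar-A",
     "org": "Privacy Proxy LLC", "asn": 64512, "ns": "ns1.example-dns.net"},
    {"domain": "corona-masr4.com", "registered": "2020-03-10", "registrar": "Registrar-A",
     "org": "Privacy Proxy LLC", "asn": 64512, "ns": "ns1.example-dns.net"},
    {"domain": "corona-masr21.com", "registered": "2020-03-10", "registrar": "Registrar-A",
     "org": "Privacy Proxy LLC", "asn": 64512, "ns": "ns1.example-dns.net"},
    # Same infrastructure, but a name that does not follow the numbered pattern.
    {"domain": "coronavirus-meds.com", "registered": "2020-03-10", "registrar": "Registrar-A",
     "org": "Privacy Proxy LLC", "asn": 64512, "ns": "ns1.example-dns.net"},
    # Unrelated registration that must end up in its own (singleton) cluster.
    {"domain": "covid-tracker-community.org", "registered": "2020-03-12", "registrar": "Registrar-B",
     "org": "Example Nonprofit", "asn": 64513, "ns": "ns1.other-dns.org"},
]

# The Whois/DNS attributes the post clusters on.
CLUSTER_KEYS = ("registered", "registrar", "org", "asn", "ns")


def cluster_by_infrastructure(records):
    """Group domains that share every attribute in CLUSTER_KEYS."""
    clusters = defaultdict(list)
    for r in records:
        clusters[tuple(r[k] for k in CLUSTER_KEYS)].append(r["domain"])
    return dict(clusters)


def name_pattern(domain: str) -> str:
    """Replace every digit run with '*': corona-masr21.com -> corona-masr*.com."""
    return re.sub(r"\d+", "*", domain.lower())


def pattern_campaigns(domains, min_size=2):
    """Within one cluster, group names that differ only by numbers and report
    the pattern, its members and the numeric range actually registered."""
    groups = defaultdict(list)
    for d in domains:
        groups[name_pattern(d)].append(d)
    campaigns = {}
    for pat, members in groups.items():
        if "*" not in pat or len(members) < min_size:
            continue
        nums = [int(n) for d in members for n in re.findall(r"\d+", d)]
        campaigns[pat] = {"members": sorted(members), "min": min(nums), "max": max(nums)}
    return campaigns


def find_campaigns(records, min_size=2):
    """Infrastructure clusters of at least min_size domains, each annotated
    with the numbered-name patterns found inside it."""
    found = []
    for key, domains in cluster_by_infrastructure(records).items():
        if len(domains) < min_size:
            continue
        found.append({"key": dict(zip(CLUSTER_KEYS, key)),
                      "domains": sorted(domains),
                      "patterns": pattern_campaigns(domains, min_size)})
    return found


if __name__ == "__main__":
    for c in find_campaigns(SAMPLE_RECORDS):
        print(c["key"], c["domains"])
        for pat, info in c["patterns"].items():
            print(f"  pattern {pat}: {info['members']} (numbers {info['min']}..{info['max']})")
```

The pattern step is deliberately run only inside an infrastructure cluster: numbered look-alike names registered through different registrars on different days are far more likely to be unrelated speculators than one campaign, and the post's 20-of-101 observation is exactly the kind of gap the reported numeric range makes visible.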
In addition, we found that those domains serving phishing pages also host zipped files with their malicious source artifacts. Those include HTML and PHP source code of phishing “front-ends” (corona-masr4[.]com/test.zip), as well as code to send out spam emails and filter out requests from benign web crawlers (corona-virusus[.]com/OwaOwaowa.zip). This is a common practice by malicious campaigns to host and distribute packed versions of malicious payloads, which can be downloaded by a dropper on another compromised website.
Users can check three main indicators, shown in Figure 7, to ensure they are not the victim of a phishing attack. First, they need to make sure that the domain portion of the URL is the expected domain name owned by the service where they try to log in. Second, users need to make sure that there is a lock icon on the top-left side, signifying that they are connected via a valid HTTPS connection, therefore preventing man-in-the-middle (MiTM) attacks. Finally, users can verify if the domain name matches the owner of the certificate.
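The three indicators above can be turned into a mechanical check that an email-security or browser-extension component could apply before a login form is shown. The following is an added example, not from the post: it takes the URL, the registrable domain the user expects, and the Subject Alternative Names of the certificate the connection presented (passed in here as constructed data rather than read from a live TLS session), and reports each indicator separately. The legitimate URL and SAN list are hypothetical; the phishing URL is the one from the post with the defanging removed.

```python
from urllib.parse import urlsplit


def host_matches_san(host: str, san_names) -> bool:
    """RFC 6125 style name match: exact, or a wildcard whose single '*' covers
    exactly one left-most label ('*.example.com' covers 'www.example.com' but
    neither 'a.b.example.com' nor the bare 'example.com')."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]                      # ".example.com"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def belongs_to(host: str, expected_domain: str) -> bool:
    """True when host is the expected registrable domain or one of its
    subdomains. The check is anchored on a leading dot, so
    'bankofamerica.com.evil.example' does not pass for 'bankofamerica.com'."""
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def check_login_url(url: str, expected_domain: str, cert_san_names):
    """Apply the post's three indicators and return per-check booleans plus
    an overall verdict. A non-HTTPS URL fails the certificate check outright."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    checks = {
        "domain_matches_service": belongs_to(host, expected_domain),
        "uses_https": parts.scheme == "https",
        "certificate_matches_host": parts.scheme == "https"
                                    and host_matches_san(host, cert_san_names),
    }
    checks["safe_to_log_in"] = all(checks.values())
    return checks


# Constructed inputs.
PHISH_URL = "http://corona-masr21.com/boa/bankofamerica/login.php"   # from the post, re-fanged
LEGIT_URL = "https://www.bankofamerica.com/login/"                    # hypothetical path
LEGIT_SANS = ["*.bankofamerica.com", "bankofamerica.com"]            # hypothetical SAN list
LOOKALIKE_URL = "https://bankofamerica.com.evil.example/login"        # constructed look-alike

if __name__ == "__main__":
    for u in (PHISH_URL, LEGIT_URL, LOOKALIKE_URL):
        print(u, check_login_url(u, "bankofamerica.com", LEGIT_SANS))
```

The look-alike case is why the domain check is anchored on the dot and not on a substring: a valid certificate for a host that merely contains the brand name satisfies the lock icon, so indicators two and three are only meaningful once indicator one has passed.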
Coronavirus Domains Hosting Malicious Executables
Many newly registered COVID-19 domains were identified as being associated with malware activity. One such domain, covid-19-gov[.]com, warrants special attention, as it is consistent with similar RedLine Stealer activity previously reported by Proofpoint.
Although the initial infection vector utilized to direct potential victims to the above site remains unclear, Unit 42 researchers identified a RedLine Stealer sample being hosted at the URL covid-19-gov[.]com within a ZIP file. When the contents of the ZIP file were extracted, the RedLine Stealer binary was revealed to have the filename Covid-Locator.exe.
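Both the phishing kits packaged as ZIP files in the previous section and the ZIP-wrapped RedLine Stealer sample here share one defender-side handling step: any archive fetched from a Coronavirus NRD should be listed and typed by content before anything is extracted to disk. The following is an added example, not code from the post: it inspects an archive in memory, flags members by extension and by their leading bytes (the PE "MZ" header, a PHP opening tag), and never executes or writes out a member. The sample archive is constructed inside the script; the member named Covid-Locator.exe is a 64-byte stub carrying only the "MZ" magic, not the real sample.

```python
import io
import zipfile

# Content markers checked independently of the file name.
PE_MAGIC = b"MZ"
PHP_MARKER = b"<?php"
RISKY_EXTENSIONS = (".exe", ".dll", ".scr", ".php", ".js", ".vbs", ".ps1", ".bat")


def inspect_zip(data: bytes, max_members: int = 1000):
    """Return a finding per archive member that looks like an executable or
    server-side script. Only the first 8 bytes of each member are read, and
    the member cap bounds the work for archives with very many entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            reasons = []
            if info.filename.lower().endswith(RISKY_EXTENSIONS):
                reasons.append("risky extension")
            if head.startswith(PE_MAGIC):
                reasons.append("PE header")
            if head.lstrip().startswith(PHP_MARKER):
                reasons.append("PHP source")
            if reasons:
                findings.append({"member": info.filename,
                                 "size": info.file_size,
                                 "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive: a harmless 'MZ' stub named like the file from the
    post, a one-line PHP fragment, and a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Covid-Locator.exe", PE_MAGIC + b"\x00" * 62)       # stub, not malware
        zf.writestr("login.php", b"<?php echo 'constructed sample'; ?>")
        zf.writestr("readme.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f"{f['member']}: {f['size']} bytes, {', '.join(f['reasons'])}")
```

Checking magic bytes as well as extensions matters because renaming a PE to .dat or .jpg inside the archive defeats an extension-only rule, while the "MZ" header has to stay intact for the file to run after it is renamed back.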