Covid-19-related cyber-attacks during May declined by 7% compared to April, while conventional malware attacks increased by 16% compared to March and April, as many businesses resumed operations. Use of malicious CVs and medical leave forms to spread banking trojans and infostealers also increased during May, cybersecurity firm Check Point reports.
In May, the security firm detected more than 158,000 coronavirus-related attacks on average each week, a decrease of 7% compared to April.
With the re-opening of businesses across the world, attackers have also resumed malicious activities unrelated to Covid-19. In May, the firm detected a 16% increase in conventional malware attacks compared to the period between March and April, when Covid-centric attacks grew.
Further, researchers at Check Point found malicious files masquerading as CVs. These files were spread through emails carrying .xls attachments. The emails' subject lines would say “applying for a job” or “regarding job.” Opening the file would download the payload for ZLoader, a banking malware that steals credentials and other private information from the user's system. Once the system is infected, attackers can steal passwords and cookies stored in web browsers and use them to carry out illegal financial transactions from the victim's bank accounts, using the victim's own system and without their knowledge.
Some of the emails received by users in the UK had the subject “CV from China” and carried an ISO file (CV.iso) that dropped a malicious .exe file (CV.exe). The .exe file concealed info-stealing malware, and opening it installed the malware on the user’s machine.
These attacks have doubled in the US in the last two months, with 1 out of every 450 malicious files revolving around CV scams, Check Point states.
In addition to using malicious CVs, attackers have been using medical leave forms to spread IcedID malware, a banking Trojan.
These malicious files were also sent through email with different subject lines like “The following is a new employee request form for leave.” The emails were sent using different sender domains like medical-center.space to sound genuine and trick users into clicking on the file attachments.
One such campaign was carrying the notorious Trickbot, a banking trojan that is also used to download other malware. Its modular design allows attackers to modify it.
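A mail-gateway triage check built from the lure traits reported above (job and leave-form subject lines, .xls/.iso/.exe attachments), as an added example that is not from Check Point or the original article. The verdict names, the rule for combining signals and the sample messages are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject phrases and attachment types are the ones the article reports;
# the verdict names and the combination rule are assumptions of this sketch.
LURE_SUBJECTS = ("applying for a job", "regarding job", "cv from china",
                 "request form for leave")
RISKY_EXTENSIONS = {".xls", ".iso", ".exe"}

def triage(raw: bytes) -> dict:
    """Classify one raw RFC 5322 message as deliver / review / quarantine."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    sender_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    reasons = []
    if any(phrase in subject for phrase in LURE_SUBJECTS):
        reasons.append("lure-subject")
    for part in msg.iter_attachments():
        # Use the last extension so names like "CV.pdf.exe" are still caught.
        ext = os.path.splitext((part.get_filename() or "").lower())[1]
        if ext in RISKY_EXTENSIONS:
            reasons.append("attachment" + ext)
    has_lure = "lure-subject" in reasons
    has_risky = len(reasons) > int(has_lure)
    verdict = ("quarantine" if has_lure and has_risky
               else "review" if has_lure or has_risky else "deliver")
    return {"verdict": verdict, "sender_domain": sender_domain, "reasons": reasons}

def sample(sender: str, subject: str, filename: str) -> bytes:
    """Build a constructed test message; the attachment body is a placeholder."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "hr@example.com", subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for args in [("a@example.net", "Applying for a job", "resume.xls"),
                 ("b@example.net", "CV from China", "CV.iso"),
                 ("c@example.org", "Quarterly report", "report.pdf")]:
        print(args[1], "->", triage(sample(*args)))
```

A lure subject or a risky attachment alone only routes the message to review, since legitimate applicants also send spreadsheets; the two together trigger quarantine.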
Check Point recently reported an increase in domain name registrations revolving around words like “employment” as many companies started laying off employees across the world. They found 250 such domains registered in May alone. Around 7% of these domains were malicious and 9% suspicious.