While the world is starting to see the light at the end of the tunnel when it comes to the coronavirus pandemic, the cybercriminal underground is finding ways to continue its schemes as civil society is trying to repair the wreckage COVID-19 has caused.

Intel 471 has observed actors in the underground tailoring their criminal plots to two of the world’s biggest remedies in the fight against the virus: vaccines and financial aid from governments. These examples show that criminals are advertising updates to existing offers or other ways to leverage the pandemic in general.

Criminal Cheap Shot

In January, Intel 471 observed an actor offering to sell structured query language injection (SQLi) vulnerabilities that would allow an attacker to gain access to data via subdomains belonging to four biotechnology companies, including a company that has developed a COVID-19 vaccine currently in use. Also in January 2021, an actor advertised data allegedly related to the COVID-19 vaccine developed by another multinational pharmaceutical corporation.

Additionally, Intel 471’s Malware Intelligence Team observed “reply-chain” spam utilized by Emotet in late January that leveraged victims’ real discussions about the vaccine. Emotet contained an email-stealer module that grabbed infected users’ Microsoft Outlook email, which then could be used to send spam as a “reply” and copy the legitimate email content to all recipients in the email chain or thread. However, this was not a dedicated campaign using the vaccine as a lure, but rather one that exploited real people talking about the vaccine.

Despite our observations of the above instances, there was limited exposure of attack schemes specifically related to vaccines. But that doesn’t mean the underground isn’t following developments in the hopes of developing a new scheme. We have seen information posted on various forums about how hackers were targeting the COVID-19 vaccine supply chain (cited an IBM Security Intelligence article, an alert by the Financial Crimes Enforcement Network of the U.S. Treasury for financial institutions about COVID-19 vaccine-related scams and cyberattacks and articles that reported “dark web vendors are selling shady coronavirus ‘vaccines.’

Stealing Free Money

While vaccines might provide a new opportunity for cybercriminals to leverage fear during the pandemic, several threat actors continued to opt for a more generalized approach to exploit COVID-19 information for illicit purposes. In January, an actor Intel 471 is monitoring sought full information (fullz) on U.S. residents in New York to carry out “Covid-19 fraud,” specifically seeking to use the data to apply for “relief payments.” Another actor offered fullz that could be abused for unemployment payments such as the Pandemic Unemployment Assistance (PUA) program.

This is on top other actors we watched in late 2020, advertising a virtual private server “VPS Bulletproof with Covid Stealer or CoronaVirus Botnet” and a database with allegedly 2 million records, claiming “they will be perfect in view of the COVID-19 payouts” in the United States.

We believe that it’s likely that threat actors will continue to leverage multiple aspects of the pandemic to maximize potential impact and profit as COVID-19 remains a relevant lure. While the world is attempting to recover from all aspects of the virus such as disruptions to financial, social, health care and business operations, organizations and individuals must be proactive in order to ward off malicious attempts from underground threat actors seeking to take advantage of COVID-19 fears.