Covid-19 Themed Malware Within Cloud Environments

Palo Alto Networks’ Unit 42 researchers found that public cloud infrastructure has communicated with domains known to distribute COVID-19 themed malware. On March 24, 2020, Unit 42 published a blog discussing attack patterns used by malicious actors in relation to the novel Coronavirus (COVID-19). Taking these findings a step further, researchers attempted to uncover if there are malicious COVID-19 related events taking place within public cloud infrastructure. If indications of this activity were found, how could organizations protect themselves?

Researchers identified 300+ COVID-19 themed malware samples that communicated with 20 unique IP addresses and domain indicators of compromise (IOCs). After querying Prisma Cloud for network connections to these 20 suspicious IOCs between March 1 and April 7, 2020, researchers found a total of 453,074 unique network connections across 27 unique cloud environments.

  • 450,000+ cloud-based network connections with COVID-19 themed malware IOCs
  • Across 27 unique and potentially compromised cloud environments
  • Clear indications of communication with nodes known to perform command and control (C2) operations related to COVID-19 themed malware

It is not clear whether each of the 27 identified organizations was in fact compromised with COVID-19 themed malware, as researchers were not able to view the network traffic, nor did they obtain the malware samples that initiated the observed connections. Nonetheless, these network connections should be considered highly suspicious, because the destination endpoints have a documented history of malware operations.
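The check the researchers describe, matching cloud network connection records against a list of known-bad destinations and counting unique connections per cloud environment, can be reproduced on your own flow logs. The following is an added example and is not Unit 42's or Prisma Cloud's code; the IOC values, the flow-record layout (environment, source IP, destination IP, destination port, resolved destination name) and the sample records are all constructed placeholders, not the indicators from the research.

```python
from collections import defaultdict

# Constructed placeholder IOCs (documentation ranges / .example names), NOT the
# real indicators from the Unit 42 research.
IOC_IPS = {"203.0.113.10", "198.51.100.7"}
IOC_DOMAINS = {"malicious-covid.example", "covid-update.example"}

# Constructed sample flow records in a simplified flow-log style:
# <env> <src_ip> <dst_ip> <dst_port> <resolved_dst_name or ->
SAMPLE_FLOWS = """\
env-a 10.0.1.5 203.0.113.10 443 -
env-a 10.0.1.5 203.0.113.10 443 -
env-a 10.0.1.9 93.184.216.34 443 example.com
env-b 10.1.2.3 198.51.100.7 80 -
env-b 10.1.2.3 192.0.2.44 443 cdn.covid-update.example
env-c 10.2.0.4 93.184.216.34 443 example.com
"""

def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    env, src, dst, port, name = line.split()
    return {"env": env, "src": src, "dst": dst, "port": int(port), "name": name}

def matches_ioc(rec):
    """True if the destination IP is listed, or the resolved name is an
    IOC domain or a subdomain of one (exact label match, not substring)."""
    if rec["dst"] in IOC_IPS:
        return True
    name = rec["name"].lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)

def summarise(flow_text):
    """Return (number of unique matching connections, {env: matched destinations}).
    Repeated identical flows count once, mirroring a 'unique connections' figure.
    A match means the environment talked to a known-bad endpoint; it does not
    by itself prove the host is infected, since payloads are not inspected."""
    unique = set()
    per_env = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if not matches_ioc(rec):
            continue
        unique.add((rec["env"], rec["src"], rec["dst"], rec["port"]))
        per_env[rec["env"]].add(rec["dst"] if rec["dst"] in IOC_IPS else rec["name"])
    return len(unique), dict(per_env)

if __name__ == "__main__":
    count, envs = summarise(SAMPLE_FLOWS)
    print(f"{count} unique suspicious connections across {len(envs)} environments")
    for env, dests in sorted(envs.items()):
        print(f"  {env}: {sorted(dests)}")
```

Environments that appear in the output warrant a closer look at the originating hosts, but, as the article notes, a connection alone does not confirm a compromise.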

Read Nathaniel Quist's full article here, including details on the research, conclusions and, most importantly, mitigation recommendations.