Special thanks to Prajwala Rao, Oliver Devane, Shannon Cole, Ankit Goel and members of Malware Research for their contribution and monitoring of related threats.
As COVID-19 continues to spread across the world, it is no surprise that malware authors are exploiting the pandemic. McAfee recently released blogs around COVID-19 related threats – Staying safe while working remotely, COVID-19 Threat Update Now Includes Blood for Sale and Transitioning to a Mass Remote Workforce. The first discusses how attackers would like to leverage this pandemic as an opportunity to attack organizations; the second previews attackers playing on the fears of a general public scrambling to get hold of a cure, manage this illness and stay safe; and the third gives organizations direction on how to verify their security controls. In this blog we continue to discuss COVID-19 themed attacks and how to stay vigilant.
The weeks of quarantine have forced individuals and organizations to quickly adapt to a work from home model. A lot more time is spent indoors and online, and there continues to be anxiety around when normalcy will be restored. For now, we continue to deal with a barrage of news articles around the pandemic, managing supply and demand of household goods in stores and online, and a shortage of medical supplies such as preventative masks, gloves and sanitizer. These are trying times for us and a feast for fear-mongering malware criminals.
Over the last few months of 2020, McAfee researchers have been hard at work keeping our customers safe through more directed monitoring and adaptation of our detection stack to better manage the COVID-19 threat landscape. This is not intended to be an exhaustive report, since the COVID-19 landscape is continually evolving; instead, we cover a subset of threats across malware, spam and malicious/scam URL campaigns.
This blog serves to remind customers to utilize the various levers present in our endpoint product and our expanded portfolio, such as McAfee’s Unified Cloud Edge. Please read our Recommendation section and view our IOC section (a partial IOC list based on this article) and Expert Rules section (which covers a few tactics based on this article). McAfee utilizes several internal and external sourcing techniques for malware harvesting, including collaboration with other industry partners as part of the Cyber Threat Alliance.
Table of contents:
- Timeline
- Malware
  - Ursnif
  - Fareit
  - COVID-19 Ransomware
  - Emotet
  - Azorult
  - NetWalker
  - Nanocore RAT
  - Hancitor
- Heat Map
- Spam
- URL
- IOCs
- Recommendation
  - Software Updates
  - Spotting Spam/Phishing emails
  - Global Threat Intelligence (GTI)
  - Endpoint Security (ENS) Product
  - Unified Cloud Edge
- Conclusion
Timeline
The timeline below shows a subset of prevalent malware families observed in our spam traps with references to COVID-19/Coronavirus. The malware shown in this timeline have been chosen due to their capacity for damage (such as ransomware) or their ability to propagate (Emotet for spam, or other worm-like activities).
A weekly distribution of all known COVID-related IOCs is shown below.
Malware
This section covers a subset of the Malware families included in the timeline above and shows the various IOCs that referenced the virus. For a more comprehensive list of IOCs please refer to the IOC section.
Ursnif
The first threat we observed taking advantage of the pandemic was Ursnif. Ursnif is a banking Trojan aimed at stealing banking credentials and has been evolving to become more powerful. Ursnif collects the victim’s system activities, records keystrokes, and keeps track of network traffic and browser activity.
We have observed Ursnif using the COVID-19 filename to entice users since January 2020.
On execution, the VBS file drops a DLL at C:\Programdata\FxrPLxT.dll and runs it with rundll32.exe. The DLL is injected into iexplore.exe and communicates with its C&C server using HTTP GET requests.
IOCs
| Type | IOC | Comment |
|---|---|---|
| Sha256 | e82d49c11057f5c222a440f05daf9a53e860455dc01b141e072de525c2c74fb3 | Filename: Coronavirus_disease_COVID-19__194778526200471.vbs |
| Sha256 | 8bcdf1fbc8cee1058ccb5510df49b268dbfce541cfc4c83e135b41e7dd150e8d | Ursnif dll |
MITRE ATT&CK MATRIX:
| Technique ID | Tactic | Technique details |
|---|---|---|
| T1059 | Execution | Command-Line Interface |
| T1129 | Execution | Execution through Module Load |
| T1085 | Defense Evasion, Execution | Rundll32 |
| T1060 | Persistence | Registry Run Keys / Startup Folder |
| T1055 | Defense Evasion, Privilege Escalation | Process Injection |
Fareit
Fareit is an information stealer that steals data from web browsers, FTP programs, email clients and over a hundred different software tools installed on the infected machine. We have observed several Fareit phishing emails with the COVID/Coronavirus name. A few of them are shown below.
Fareit Spam 1:
IOCs
| Type | IOC | Comment |
|---|---|---|
| Sha256 | da1443a25f433e23a43d35d50328a4f935d3cce840f1e3cca99b6bd6d49ed6a7 | Dropped Binary |
| Sha256 | 9f4bb022b49bd6ba0766e9408139648d2ddfe2f0dd5ca14644e5bdb2982b5e40 | |
MITRE ATT&CK MATRIX:
| Technique ID | Tactic | Technique details |
|---|---|---|
| T1193 | Initial Access | Spear phishing Attachment |
| T1106 | Execution | Execution through API |
| T1130 | Defense Evasion | Install Root Certificate |
| T1081 | Credential Access | Credentials in Files |
| T1012 | Discovery | Query Registry |
Fareit Spam 2:
IOCs
| Type | IOC | Comment |
|---|---|---|
| Sha256 | 2faf0ef9901b80a05ed77fc20b55e89dc0e1a23ae86dc19966881a00704e5846 | Attachment |
| Sha256 | 38a511b9224705bfea131c1f77b3bb233478e2a1d9bd3bf99a7933dbe11dbe3c | |
MITRE ATT&CK MATRIX:
| Technique ID | Tactic | Technique details |
|---|---|---|
| T1193 | Initial Access | Spear phishing Attachment |
| T1106 | Execution | Execution through API |
| T1130 | Defense Evasion | Install Root Certificate |
| T1081 | Credential Access | Credentials in Files |
| T1012 | Discovery | Query Registry |
| T1071 | Command and Control | Standard Application Layer Protocol |
Fareit Spam 3:
IOCs
| Type | IOC | Comment |
|---|---|---|
| Sha256 | 11a834cda4a55c8adb663fbcdd4b1f1018715dd737d3089a731b9840b77e5e76 | Dropped Binary |
| Sha256 | 45c6440bdd7b49023bb42f9661caae3b12b579dfd5ae9e64421923ef452a0faf | |
| Sha256 | 095bfab52666648ff4d2636a3718a28eab4d99a6c178a8c7912197221dd1d195 | |
MITRE ATT&CK MATRIX:
| Technique ID | Tactic | Technique details |
|---|---|---|
| T1193 | Initial Access | Spear phishing Attachment |
| T1106, T1204 | Execution | Execution through API, User Execution |
| T1060 | Persistence | Registry Run Keys / Startup Folder |
| T1130 | Defense Evasion | Install Root Certificate |
| T1081 | Credential Access | Credentials in Files |
| T1012 | Discovery | Query Registry |
| T1114 | Collection | Email Collection |
Fareit Spam 4:
IOCs
| Type | IOC | Comment |
|---|---|---|
| Sha256 | f8e041bed93783bbd5966bfba6273fe7183464035ea54fe1d59ff85a679b3e3e | Dropped Binary |
| Sha256 | 9e17f5e70c30ead347b68841fa137015d713269add98f0257fb30cc6afdea4fe | Attachment |
| Sha256 | ada05f3f0a00dd2acac91e24eb46a1e719fb08838145d9ae7209b5b7bba52c67 | |
MITRE ATT&CK MATRIX:
| Technique ID | Tactic | Technique details |
|---|---|---|
| T1193 | Initial Access | Spear phishing Attachment |
| T1204 | Execution | User Execution |
| T1071 | Command and Control | Standard Application Layer Protocol |
COVID-19 Ransomware
It was no surprise that a new ransomware family appeared on the scene. Once executed, Ransomware-GVZ deletes shadow copies with vssadmin and then proceeds to encrypt all non-PE file types. Once a whole folder has been encrypted, the ransom note file below is created.
Ransomware-GVZ will also create a lock screen component so that when the machine is rebooted the following message is displayed.
IOCs
| Type | IOC | Comment |
|---|---|---|
| Sha256 | 3299f07bc0711b3587fe8a1c6bf3ee6bcbc14cb775f64b28a61d72ebcb8968d3 | Binary |
MITRE ATT&CK MATRIX:
| Technique ID | Tactic | Technique details |
|---|---|---|
| T1486 | Impact | Data Encrypted for Impact |
| T1083 | Discovery | File and Directory Discovery |
| T1490 | Impact | Inhibit System Recovery |
Emotet
Emotet is another prevalent threat distributed via phishing emails. We observed the following email being distributed; translated to English, it reads:
Subject:
Break !!! COVID-19 solution announced by WHO at the end How a total control method is discovered
Email Body:
As published in the newsletter of the World Health Organization 3/17/2020 7:40:21 a.m. A new collaborative study identified and studied antibodies to the COVID-19 virus which could be used to design effective universal therapies against many different species of COVID-19 viruses. The results have recently been published in Nature Microbiology.
These are based on natural activities and how heat helped inhibit the virus from growing.
The COVID-19 virus causes a serious disease with high mortality badgers in humans. Several strategies have been developed to treat COVID-19 virus infection, including ZMapp, which has proven effective in non-human primates and has been used below compassionate treatment protocols in humans …
Please download the full text in the attached document …
Also share with all contacts to ensure quick epidermal control.
The email contains a zipped Emotet executable which, once executed, uses the process hollowing technique to inject into regasm.exe. It then contacts its C&C server and begins to send spam email.
IOCs
| Type | IOC | Comment |
|---|---|---|
| Sha256 | ca70837758e2d70a91fae20396dfd80f93597d4e606758a02642ac784324eee6 | Attachment |
| Sha256 | 702feb680c17b00111c037191f51b9dad1b55db006d9337e883ca48a839e8775 | |
MITRE ATT&CK MATRIX:
| Technique ID | Tactic | Technique details |
|---|---|---|
| T1121 | Defense Evasion, Execution | Regsvcs/Regasm |
| T1093 | Defense Evasion | Process Hollowing |
Azorult
Azorult is a malware family that steals data from the victim’s machine, including usernames, passwords, cryptocurrencies, browsing history and cookies. It can also download additional malware onto the victim’s machine. What sets Azorult apart from the other malware described in this report is that its creators built a fake Coronavirus infection map website (corona-virus-map[.]com). The fake website appears as below:
IOCs
| Type | IOC | Comment |
|---|---|---|
| Sha256 | c40a712cf1eec59efac42daada5d79c7c3a1e8ed5fbb9315bfb26b58c79bb7a2 | Jar file from domain |
| URL | H**p://corona-virus-map.net/map.jar | |
| Sha256 | 63fcf6b19ac3a6a232075f65b4b58d69cfd4e7f396f573d4da46aaf210f82564 | Dropped Binary |
MITRE ATT&CK MATRIX:
| Technique ID | Tactic | Technique details |
|---|---|---|
| T1059 | Execution | Command-Line Interface |
| T1012 | Discovery | Query Registry |
NetWalker
Another Ransomware which has leveraged COVID-19 is Netwalker. The Ransomware used the filename “CORONAVIRUS_COVID-19.vbs” to trick users into executing it. The VBS file contained the embedded Ransomware payload.
On execution, the VBScript drops the ransomware to “C:\Users\<UserName>\AppData\Local\Temp\qeSw.exe” and executes it.
It deletes the shadow copies from the machine with vssadmin.exe to make file recovery more difficult.
The obfuscated VBScript is shown below.
The ransomware iterates through the folders of the infected machine and encrypts the files. Once encrypted, the file extension is changed to <filename>.1fd385. A ransom note is also dropped in each folder where files were encrypted. This note is shown below.
IOCs
| Type | IOC | Comment |
|---|---|---|
| Sha256 | 9f9027b5db5c408ee43ef2a7c7dd1aecbdb244ef6b16d9aafb599e8c40368967 | CORONAVIRUS_COVID-19.vbs |
| Sha256 | 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160 | Dropped Binary |
MITRE ATT&CK MATRIX:
| Technique ID | Tactic | Technique details |
|---|---|---|
| T1204 | Execution | User Execution |
| T1064 | Execution | Scripting |
| T1106 | Execution | Execution through API |
| T1490 | Impact | Inhibit System Recovery |
| T1486 | Impact | Data Encrypted for Impact |
Nanocore RAT
NanoCore is a Remote Access Trojan (RAT) whose highly customizable plugins allow attackers to tailor its functionality to their needs. This RAT has also been found using COVID-19 to distribute itself, with email subjects such as “Covid-19 Urgent Precaution Measures”.
IOCs
| Type | IOC | Comment |
|---|---|---|
| Sha256 | ca93f60e6d39a91381b26c1dd4d81b7e352aa3712a965a15f0d5eddb565a4730 | Dropped Binary |
| Sha256 | 89b2324756b04df27036c59d7aaaeef384c5bfc98ec7141ce01a1309129cdf9f | Iso Attachment |
| Sha256 | 4b523168b86eafe41acf65834c1287677e15fd04f77fea3d0b662183ecee8fd0 | |
MITRE ATT&CK MATRIX:
| Technique ID | Tactic | Technique details |
|---|---|---|
| T1193 | Initial Access | Spear phishing Attachment |
| T1053 | Execution | Scheduled Task |
| T1060 | Persistence | Registry Run Keys / Startup Folder |
| T1143 | Defense Evasion | Hidden Window |
| T1036 | Defense Evasion | Masquerading |
| T1497 | Defense Evasion | Virtualization/Sandbox Evasion |
| T1012 | Discovery | Query Registry |
| T1124 | Discovery | System Time Discovery |
| T1065 | Command and Control | Uncommonly Used Port |
Hancitor
The Hancitor trojan has also used COVID-19 themes to spread itself, posing as an email from an insurance company. The email contains a link to download a fake invoice, which actually downloads a VBS file.
On executing the VBS, the Hancitor DLL temp_adobe_123452643.txt is created in the AppData\Local\Temp folder. The DLL is executed using Regsvr32.exe and then begins to communicate with its C&C.
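The execution chains described for Ursnif (script host, then rundll32.exe on a DLL in ProgramData), NetWalker (script host dropping and running a payload from AppData\Local\Temp, then vssadmin deleting shadow copies), Ransomware-GVZ (the same vssadmin step) and Hancitor (script host, then Regsvr32.exe on a DLL in AppData\Local\Temp) can be expressed as process-creation rules. The following is an added example, not McAfee code or an Expert Rule: the event schema, field names and sample events are constructed here, and the DLL export name in the Ursnif event is an assumption, since the post does not give it.

```python
"""Rule-based triage of process-creation events for the execution chains
described in this post. Added example: the event schema, the sample events
and the benign rows are constructed; the chains themselves come from the
post's Ursnif, NetWalker, Ransomware-GVZ and Hancitor sections."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon-style process creation record (constructed schema)."""
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str   # command line of the newly created process


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBIN_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Drop locations named in the post: C:\Programdata (Ursnif) and
# C:\Users\<user>\AppData\Local\Temp (NetWalker, Hancitor).
WRITABLE_DIR = re.compile(r"\\(?:programdata|appdata\\local\\temp)\\", re.I)
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_script_host_loader(ev: ProcEvent) -> Optional[str]:
    """Script host spawning rundll32/regsvr32 on a module in a writable dir
    (Ursnif: rundll32 + ProgramData DLL; Hancitor: regsvr32 + Temp .txt)."""
    if (basename(ev.parent_image) in SCRIPT_HOSTS
            and basename(ev.image) in LOLBIN_LOADERS
            and WRITABLE_DIR.search(ev.command_line)):
        return "script-host-loader"
    return None


def rule_script_host_drop_exec(ev: ProcEvent) -> Optional[str]:
    """Script host executing a binary straight out of a writable dir
    (NetWalker: VBS drops qeSw.exe to Temp and runs it)."""
    if basename(ev.parent_image) in SCRIPT_HOSTS and WRITABLE_DIR.search(ev.image):
        return "script-host-drop-exec"
    return None


def rule_shadow_copy_deletion(ev: ProcEvent) -> Optional[str]:
    """vssadmin removing shadow copies (Ransomware-GVZ, NetWalker; T1490)."""
    if basename(ev.image) == "vssadmin.exe" and SHADOW_DELETE.search(ev.command_line):
        return "shadow-copy-deletion"
    return None


RULES: Tuple[Callable[[ProcEvent], Optional[str]], ...] = (
    rule_script_host_loader, rule_script_host_drop_exec, rule_shadow_copy_deletion)


def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((i, name))
    return hits


# Constructed sample events; paths and file names follow the post.
SAMPLE_EVENTS = [
    # 0: Ursnif chain; the export name "EntryPoint" is an assumption
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Programdata\FxrPLxT.dll",EntryPoint'),
    # 1: Hancitor chain (DLL named as a .txt file)
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\temp_adobe_123452643.txt"),
    # 2: NetWalker chain (payload dropped to Temp and executed)
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Users\alice\AppData\Local\Temp\qeSw.exe",
              r"C:\Users\alice\AppData\Local\Temp\qeSw.exe"),
    # 3: shadow copy deletion by the dropped ransomware
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\qeSw.exe",
              r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    # 4: benign rundll32 use from Explorer; must not fire
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    # 5: benign vssadmin query; must not fire
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe list shadows"),
]


if __name__ == "__main__":
    for idx, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name} <- {SAMPLE_EVENTS[idx].command_line}")
```

The rules deliberately key on the parent/child relationship and the drop directory rather than on the file hashes, so they keep firing when the attachment is rebuilt with a new hash.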
IOCs
| Type | IOC | Comment |
|---|---|---|
| Sha256 | 2f87dd075fc12c2b6b15a1eb5ca209ba056bb6aa2feaf3518163192a17a7a3 | Downloaded Binary |
| Sha256 | 0caef2718bc7130314b7f08559beba53ccf00e5ee5aba49523fb83e1d6a2a347 | Downloaded Binary |
| Sha256 | 375d196227d62a95f82cf9c20657449ebea1b512d4cb19cdfe9eb8f102dd9fa | Downloaded Binary |
| Sha256 | 0b8800734669aa7dbc6e67f93e268d827b5e67d4f30e33734169ddc93a026 | Downloaded Binary |
| Sha256 | 9c40426f157a4b684047a428428f882618d07dc5154cf1bf89da5875a00d69c | |
MITRE ATT&CK MATRIX:
| Technique ID | Tactic | Technique details |
|---|---|---|
| T1192 | Initial Access | Spear phishing Link |
| T1064 | Execution | Scripting |
| T1117 | Execution | Regsvr32 |
| T1071 | Command and Control | Standard Application Layer Protocol |
Heat Map
This detection heat map shows a snapshot of the various countries where McAfee has observed a detection for known IOCs since mid-January. We have observed detections in almost all the countries that have been impacted by the COVID-19 pandemic.
Spam
There have been thousands of COVID-19-themed spam emails sent daily. They range from medical supply scams to extortion. Below are a few examples of the ones we have observed.
URL
We have observed the number of Malicious URLs with references to COVID-19 and Coronavirus spike in the last few weeks. The numbers increased from 1,600 a few weeks ago to over 39,000 in week 13. This highlights the importance of being vigilant when clicking on links and accessing websites as the number of malicious sites is increasing exponentially.
Here are examples of malicious websites we have observed. False advertising is a common practice during such pandemics. At the time of this writing, there aren’t any quick testing kits available; testing is initiated by health care providers, so it is important to educate yourself and others around you not to buy into scams.
The following is an example of a fake website which offers Coronavirus testing services.
Face masks have been in high demand and in many places have run out. Additionally, there has been a shortage of masks even within the health care community. At times of panic and shortage, it is common for spammers to send out links to fake sites claiming to have medical supplies and equipment. Here is a screenshot of a fake online shop selling face masks.
GTI provides categorization and classification of links serving malware, phishing, scamming etc. McAfee products leverage GTI for URL protection. Also, McAfee’s Unified Cloud Edge provides secure access and expands your capabilities for URL protection.
Read about how one McAfee researcher is giving back by 3D printing masks and shields.
IOCs
Below is a partial list of IOCs we have observed in the field which have taken advantage of the Covid-19 outbreak. The IOCs in this section are a subset of those detected by McAfee’s solutions. We have broader coverage provided by our GTI Cloud, gateway, ATP and other products in our portfolio.
Recommendation
This section contains some recommendations which we encourage you to follow. In addition, please also read the following blog, which provides guidance for organizations with a remote workforce and explains how McAfee Unified Cloud Edge can help.
Software Updates
As with all our publications, we encourage all our customers to keep their McAfee software up to date. This ensures that you will have the latest signatures and rules to help protect against similar threats to the ones mentioned in this report.
We also recommend installing the latest OS patches, VPN patches and all other software updates on your machine. In addition, we highly recommend utilizing SASE solutions such as McAfee’s Unified Cloud Edge.
Spotting Spam/Phishing emails
The best way to protect yourself is to not open unsolicited emails as malicious files are often distributed via email with the use of attachments or links. To help identify malicious emails, please read this blog: How to Spot Phishing Lures
Global Threat Intelligence (GTI)
McAfee GTI uses heuristics and file reputations checks on suspicious files through on-access scanning and on-demand scanning. This can provide near real time protection. The following KB Article contains the steps for changing the GTI sensitivity level on McAfee products.
You can configure the sensitivity level that McAfee GTI uses when it determines if a detected sample is malware. The McAfee GTI sensitivity level is set to Medium by default. Configure the sensitivity level for each scanner in the On-Access Scan and On-Demand Scan settings.
Sensitivity Level:
- Very low — High-confidence detections only. The least aggressive GTI setting and the least prone to false positives.
- Low — This setting is the minimum recommendation for systems with a strong security footprint.
- Medium — default setting on most products.
- High — Use this setting for deployment to systems or areas which are regularly infected.
- Very high — Most aggressive. Detections found with this level are presumed malicious but haven’t been fully tested. McAfee recommends using this level for systems that require highest security but may also result in higher false positive rate.
Endpoint Security (ENS) Product
ENS is our Endpoint Security product and provides a broad range of default protection, self-help protection and detection abilities.
Expert Rules
Expert Rules are text-based custom rules that can be created in the Exploit Prevention policy in ENS Threat Prevention 10.5.3 and above.
Expert Rules provide additional parameters and allow much more flexibility than the custom rules that can be created in the Access Protection policy. They also allow system administrators to control and monitor an endpoint system at a very granular level. This is a very useful toolkit for administrators and SOCs, allowing quick creation and deployment of powerful extensions to detection and protection capability. You can author monitoring and blocking for processes, files, memory injection, module load and unload events, etc.
We recommend reading the following blog which describes how to use Expert Rules and gives some good examples which would help block potentially malicious activity.
- Using Expert Rules in ENS to Prevent Malicious Exploits
- Endpoint Security 10.6 Threat Prevention Product Guide
Here are some examples of quick expert rules you can formulate to utilize at your endpoint against COVID-19 related threats.
Example Rule – 1
The following rule helps block corona/COVID-named executables that are extracted from archived email attachments (the WinRAR temporary folder under the user’s AppData) when they are launched.
Rule {
    Process {
        Include OBJECT_NAME { -v "**" }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "**\\appdata\\Local\\temp\\Rar*\\*corona*.exe" }
            Include OBJECT_NAME { -v "**\\appdata\\Local\\temp\\Rar*\\*covid*.exe" }
            Include -access "CREATE"
        }
    }
}
Example Rule – 2
The following rule helps block COVID-named Word documents containing macros, whether opened from email attachments or from download locations: it fires when winword.exe, launched with a corona/covid file name on its command line, loads the VBA runtime DLLs.
Rule {
    Process {
        Include OBJECT_NAME { -v "**\\winword.exe" }
        Include PROCESS_CMD_LINE { -v "**corona**" }
        Include PROCESS_CMD_LINE { -v "**covid**" }
    }
    Target {
        Match SECTION {
            Include OBJECT_NAME { -v "**\\vbe7.dll" }
            Include OBJECT_NAME { -v "**\\vbe7intl.dll" }
        }
    }
}
Example Rule – 3
The following Expert rule prevents certain versions of the Foobar Communication software from executing, matching on the file description and version resource of the launched process.
Rule {
    Process {
        Include OBJECT_NAME { -v "**" }
    }
    Target {
        Match PROCESS {
            Include DESCRIPTION { -v "FooBar Communications " }
            Include VERSION { -v "4,5,**" }
            Include -access "CREATE"
        }
    }
}
Expert rules are flexible: the SOC analyst or rule author can first deploy them in report-only mode, check for potential false positives in the environment, and then switch them to block mode.
JTI Rules
JTI Rules are released fortnightly and target suspicious process chains and command-line threats. They additionally detect suspicious files based on their location or characteristics. From the collection of JTI rules, we recommend turning on the following Evaluate or HighOn rules for advanced threat protection. These rules can be set to default-on from the EPO console.
- Protection from suspicious command-line parameters where malware invokes PowerShell with command-line parameters for malicious activities. This rule is identifiable in the EPO console with the rule id 262.
  - Rule 262 – Identify suspicious command parameter execution for Security rule group assignments
- Protection from malware launching suspicious command-line based script applications like WScript, CScript, and PowerShell. This rule is identifiable in the EPO console with the rule id 320.
  - Rule 320 – Prevent cmd.exe from launching other script interpreters such as CScript or PowerShell by default only in Security rule group assignments
- Protection from files being executed from non-standard locations like \windows\fonts or \windows\resources. This rule also protects against wmiprvse.exe being spawned from suspicious processes like foobar.exe, etc. This rule is identifiable in the EPO console with the rule id 238.
  - Rule 238 – Identify abuse of common processes spawned from non-standard locations
Fortnightly released JTI rules normally ship in the Evaluate or HighOn setting. We recommend that EPO admins go through the product release notes and enable the rules that suit their environment.
Enable AMSI
AMSI is set to observe mode by default. We recommend changing this to block mode, as it will detect a vast majority of threats which are often email based, such as JavaScript downloaders.
Please read this blog to find out more about AMSI and which threats it helps detect.
Suspicious Email attachment detection
As shown in this report, Email remains a top vector for attackers. McAfee endpoint products use a combination of product features and content for increased agility. In McAfee Endpoint Security (ENS) 10.5 and above, such protection is enabled via the ‘Detect suspicious email attachments’ option and maintained through DAT content. This capability goes beyond the level of protection offered by email clients by not only blocking applications and scripts, but also a variety of threat types in their native form, as well as those compressed and contained within archives and other formats.
For a guide on how to enable this please read this blog: McAfee Protects Against Suspicious Email Attachments
ATP (Adaptive Threat Protection)
McAfee ATP (Adaptive Threat Protection) utilizes Machine Learning via our Real Protect module. This provides pre- and post-execution monitoring of threats using ML models that are deployed locally and in the cloud. In addition, ATP provides an additional layer of protection with advanced rules for threat evaluation based on static and behavioral features.
We recommend enabling Real Protect at the default settings at the minimum. ATP rules come in three forms: Evaluate, DefaultOn and HighOn.
- Evaluate rules are tested in the field by McAfee to determine if they are robust enough to detect malicious activity. They do not block by default but log activity in the ATP log. Such rules can be enabled by administrators via EPO to Block. McAfee researchers regularly analyze the performance of such rules and make modifications to promote them to DefaultOn (Rule Assignment to Balanced (default)) or HighOn (Rule Assignment to Security). Prior to manual enablement for Block mode, it is recommended that you observe triggers via the ATP logs to ensure they suit your environment.
- DefaultOn rules are high confidence rules that block by default within ENS ATP and MVISION Endpoint. They can be turned off if required by administrators from within EPO.
- HighOn rules detect behavior that is known to be malicious but may have some overlap with non-malicious applications. These rules work as Evaluate in the Balanced posture but act as DefaultOn in the Security posture. Administrators are encouraged to utilize this setting during high malware activity events for monitoring and default blocking.
For details on Rule descriptions, security posture and settings please refer this KB Article: https://kc.mcafee.com/corporate/index?page=content&id=KB82925
Unified Cloud Edge
Get a SASE (Secure Access Service Edge) architected web protection solution like McAfee’s Unified Cloud Edge. This delivers anytime/anywhere protection (including WFH scenarios) for web traffic, cloud-native and cloud-to-cloud traffic – whether you’re on a VPN or directly connected to the internet. As an example, even if you access a link from a malicious email or visit a hostile site in a non-VPN setting, you will continue to benefit from our GTI and cloud-based threat protection against malicious sites and downloads. Unified Cloud Edge can expand your capabilities for URL protection by providing the following:
- Malicious URL – blocked via GTI and URL
- Block any download from a benign URL (example: onedrive.live.com) – possible to block via tenant restrictions. For example: corporate Onedrive permitted, personal (live.com) or other companies blocked.
- Malicious download – blocked by the cloud gateway file engines, including AV, GAM, and GTI.
- 3rd party Malicious upload (placing a payload in an open share on the company Onedrive) – blocked via API-based scanning of the corporate sanctioned services, same AV/GAM/GTI layers of inspection.
MVISION Unified Cloud Edge protects data from device to cloud and prevents cloud-native threats that are invisible to the corporate network. This creates a secure environment for the adoption of cloud services, enabling cloud access from any device and allowing ultimate workforce productivity.
Conclusion
As you can see from this report, there are various threats which are taking advantage of this pandemic. We will continue to enable our customers to use our recommendations to remain safe during this challenging time. Be extra vigilant online and stay safe and healthy always!
As we continually provide recommendations based on current data, we encourage regular reading of McAfee blogs where you will find regular updates on threat patterns and protection information.
The post COVID-19 – Malware Makes Hay During a Pandemic appeared first on McAfee Blogs.