A Fake COVID-19 Contact Tracing App Hides Unicorn Ransomware
Usually, you can tell a lot about a cybercriminal from their attacks. The tricks they use often give us a good idea of how sophisticated the adversary is, but a recent campaign distributing the Unicorn ransomware proved that sometimes, looks can be deceiving.
The Unicorn ransomware hits Italian pharmacies
The attack was first detected by a security researcher going by the nickname JamesWT. It appears to be aimed squarely at Italian pharmacies, and it's taking advantage of the COVID-19 crisis to trick users into installing a relatively new ransomware strain called Unicorn.
Also known as F***unicorn, the malware appears to have been created especially for the purpose, and it looks like the attack is big enough to warrant an advisory from Italy's Computer Emergency Response Team (CERT).
The hackers have outdone themselves when it comes to social engineering
It starts with an email purporting to be coming from the Italian Pharmacist Federation. It says that the Federation is launching a beta version of a PC app that provides real-time data on the spread of the new coronavirus. There's a download link, and the hackers have used a technique called typosquatting to make the URL look more convincing.
The Italian Pharmacist Federation's website is http://www.fofi.it/, and the executable file is hosted at hxxp://www.fofl.it (with a lowercase "L" in place of the "i"). Because the two domains look almost identical, the victim is less likely to notice that something is wrong. There are further tactics to keep attention away from the malicious activity.
Once launched, the malicious file displays a map with data that appears to have been copied from Johns Hopkins University. It is by no means a new tactic, but it's almost certain to keep the victim distracted while the ransomware is encrypting the infected PC's files.
So far, it looks like the attack has been launched by a professional hacker who knows what they're doing. When the experts dissected the ransomware and saw how it works, however, they realized that the attacker probably isn't that sophisticated.
The Unicorn ransomware is not a sophisticated threat
The researchers suspect that the attacker is Italian. There's a distinct lack of grammatical errors in the phishing email, and some artifacts left in the code suggest that the person who wrote the malware is called Leonardo.
Leonardo seems to be a fan of Greek mythology. The ransom note announces that the snake on Asclepius' staff is upset and that a new era is about to come. The encryption of the files is compared to Prometheus' fire, and the victim is told that by paying a €300 (about $330) ransom, they are given a chance to redeem themselves for "years of sins and abuses."
The ransom note includes a bitcoin address where the money should go, and there's also an email address that victims must use in order to get in touch with the hackers once the ransom is paid. A quick check reveals that so far, the bitcoin address included in the ransom note has registered no transactions, which is just as well because the hackers' email address appears to be invalid. It looks like Leonardo (or whoever is sitting on the other side of the Unicorn ransomware) has absolutely no intention of helping you get your files back.
Thankfully, you don't really need their help. An analysis of the ransomware shows that the password used to decrypt the files is sent in plain text and can be retrieved from the communication logs.
The flaws in the Unicorn ransomware compensate to some extent for the clever social engineering techniques and make the attack a bit less dangerous. The campaign shouldn't be underestimated, though. At any moment, the attackers can switch to a more powerful ransomware strain and cause all sorts of problems.