
Grappling with COVID-Themed Cyber Attacks: Pharmaceutical Sector


The pharmaceutical industry has been in the crosshairs of cyber attacks more frequently than ever in the last few years. The industry appeals to cybercrooks motivated by financial gain, as it generates and manages some of the most sensitive data. State-sponsored actors, backed by their governments and intent on settling scores with other countries, target those countries' healthcare industries. In the event of a full-scale cyber attack, the pharmaceutical sector could incur huge losses, both financially and in terms of its invaluable data. This data, which includes intellectual property (IP) and patient records, is then invariably sold on the dark web or held "hostage" for ransom.

As a result, the affected organization sustains:

  • Legal penalties,
  • Fines,
  • Damage to the business and its brand reputation,
  • Loss of customer confidence,
  • Declining revenue,
  • Network and utility outages,
  • Risk of supply chain disruption.

Recent COVID-Themed Cyber Attacks by Region

India and APAC

Indian pharmaceutical giant Lupin confirmed a security incident that impacted its IT systems in November 2020, after a similar ransomware attack targeted Dr. Reddy’s Laboratories. The recent surge in cyber attacks on the Indian pharmaceutical sector is also because these companies are in the process of delivering affordable medicine on a large scale, owing to COVID-19.

Interestingly enough, the ransomware attack that hit Dr. Reddy’s came soon after the company had received DCGI’s (Drug Controller General of India) approval to conduct clinical trials of the Russian Sputnik-V vaccine. The personal information of individuals who participate in clinical trials is also at risk of exposure. Such attacks aim to derail the race towards a successful vaccine in India as well as in other countries. The surge in cyber attacks against pharmaceutical companies in the APAC (Asia-Pacific) region has cost the industry close to $23 million.


From a global perspective as well, cyber crimes are increasingly targeting pharmaceutical companies. Recently, several European pharmaceutical companies, such as the Swiss giant Roche, were attacked by a hacking group dubbed Blackfly. The activities of this group were traced back to China, which points to the conclusion that these attacks were state-sponsored. Blackfly, also known as the Winnti Group, deploys Winnti malware in all of its attacks, a malware family known for its supply chain attacks. European manufacturers BASF and Henkel were also victims of the same ransomware group.

Moreover, drug regulators like the EMA (European Medicines Agency) have not been spared either. The EU drug regulator confirmed that it was hit by a cyber attack and that the actors managed to access documents related to a COVID-19 vaccine. German biotechnology company BioNTech is developing a COVID-19 vaccine along with its strategic partner Pfizer. The duo suffered a cyber attack earlier this month and confirmed that its regulatory submission was accessed.

Although the EMA did not confirm the nature of the attack, it stated that a few documents related to the regulatory submission of the Pfizer and BioNTech vaccine candidate, stored on the EMA server, had been viewed. The timing of these attacks was impeccable, as the EMA was working on the approval of two COVID-19 vaccines, and the attacks could have had devastating effects on the entire process.


The US drug regulatory authority, the FDA (Food and Drug Administration), however, outsmarted threat actors looking to steal data from it and had COVID-19 related sensitive documents delivered physically through FBI agents.

Experts across the globe have traced most COVID-related attacks on pharmaceutical companies back to China, North Korea, and Russia. Although the victims of these attacks have not been named, we can confirm that at least some of these companies were infiltrated successfully.

Countries like India, the UK, the US, Canada, France and South Korea are all at different stages of developing and trialling a COVID-19 vaccine, and they have all been targeted by threat groups during this global health crisis. Reports have attributed the attacks to the Russia-based threat group Strontium and the North Korean threat actors Zinc and Cerium. Some of the methods believed to be part of their tactics are password spray and brute force attacks (by Strontium) to steal login credentials, and spear-phishing and fake job offers (by Zinc). In one recent example of a phishing attack, the operators behind Cerium sent spear-phishing emails masquerading as World Health Organization (WHO) officials.

The Way Out 

Businesses should identify their most important digital assets as well as the critical assets that facilitate smooth business operations and product development. This includes identifying critical data, where it is located, who has access to it, the network on which mission-critical data resides, and what makes it attractive to threat actors. Once the critical assets are identified, organizations should segregate and protect them.

They should also allocate budget for a well-rounded security system that covers intrusion detection systems and threat intelligence software. This in turn keeps them updated on the status of their assets. With the help of a SaaS-based vulnerability alerting platform such as CloudSEK’s XVigil, an organization is equipped to protect its data, brand, and internet-exposed infrastructure against imminent cyber threats and breaches.

Analysing Third-Party App Stores for Modded APKs Through Signature Verification


Even after the ban of major Chinese apps like PUBG, they remained available for download on third-party app stores. Similarly, modified versions of apps such as Spotify and Hotstar, which offer access to premium services without intrusive advertisements for free, are also popular on third-party app stores. Although such apps may look quite similar to their original versions, they are not developed by the same manufacturer. Users resort to third-party app stores when certain apps are not available on official stores like the Google Play Store and the Apple App Store, when they are too expensive, or simply because they contain too many ads. Third-party app stores are popular among users for the following reasons as well:

  • Provide access to the older versions of the app
  • Free games and applications as opposed to their expensive equivalent
  • Apps available in multiple languages
  • Downloads incentivized with perks such as virtual currency and other rewards
  • Access to beta versions of apps
  • Free-trial period for apps


High-Risk Modded APKs

Modded APKs are modified versions of genuine Android packages (APKs) that contain additional features, unlimited in-game currency, keys, passes, etc. Such APKs may even contain backdoors that can compromise the device and its users.


  • Hidden dangers in Spotify adfree apps

The third-party iOS app store TutuApp offers pirated versions of games and apps, unauthorized games, and ad-free versions of applications like Spotify. In the particular case of Spotify, independent developers repackaged the original iOS app with a built-in ad blocker. Such applications request additional permissions that allow threat actors to access different parts of the phone.

TutuApp leverages Apple’s enterprise certificate program that allows other organizations to build and deploy in-house, proprietary apps for their employees. This is also another way to evade Apple’s screening process.



  • Suspicious Pokemon Go apps

Several applications associated with Pokemon Go have been repackaged and released into the wild, targeting both Android and iOS users. Here are the various categories these apps belong to:

  1. Repackaged versions of Pokemon Go infected with a Trojan (Android). For instance, a Pokemon Go app injected with a RAT dubbed SandroRat.
  2. Repackaged versions of Pokemon Go infected with adware (Android).
  3. Malicious apps that masquerade as the Pokemon Go app to carry out odd, unexpected activities, such as enrolling themselves as the device admin (Android).
  4. Repackaged, modded versions of Pokemon Go that bypass in-app billing, spoof locations, etc., or disable jailbreak detection (Android and iOS).

Some of these apps are inherently malicious and made to target their users, while others have been tampered with to give users an advantage.


CloudSEK’s Analysis of Over 50 Third-Party Stores

As part of ongoing research, CloudSEK conducted an analysis of more than 50 third-party app stores. The main purpose of this study was to check the credibility of these stores and to detect whether the apps available on them contained any modded code that differed from the official APK. To achieve this, the APKs of the same apps, at the same version, were downloaded from the official app store as well as from the third-party app store. We then performed signature verification on all third-party apps.


The Process of Signature Verification 

By default, the Android OS requires all applications to be signed before they can be installed. This signature allows you to identify the author of an application (which can be used to verify its legitimacy), as well as to establish trust relationships between applications that share the same signature. Even though there are multiple versions of the APK Signature Scheme (v1 to v4), every application currently includes signature version v1 (dubbed the JAR signature) to maintain backward compatibility.


Signature Verification Scheme V1

  1. Each APK contains a signature file in its META-INF/ folder.
  2. META-INF/<signer>.(RSA|DSA|EC) is the signature block that covers every file in the APK.
  3. The RSA, DSA and EC variants correspond to different signature algorithms; a META-INF folder might contain only one of them.
  4. META-INF/MANIFEST.MF contains a digest for each file in the APK.


How does the verification process work?

  1. The process starts by locating the signature file inside the META-INF folder of the APK ZIP archive.
  2. OpenSSL is then used to extract the signature from that file.
  3. Finally, the extracted signature is compared with that of the official APK and the result is returned.
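The comparison described above, as an added example that is not part of the original post or CloudSEK's tooling: it walks the DER structure of the v1 signature block (META-INF/*.RSA|DSA|EC) with a minimal stdlib-only parser, fingerprints the signer certificate, and reports whether a third-party APK carries the same signer as the official one. The sample "certificates" and in-memory APKs are constructed stand-ins, not real X.509 certificates.

```python
import hashlib
import io
import re
import zipfile


def der_tlv(tag, content):
    """Encode one DER tag-length-value element (used only to build the constructed samples)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def der_read(buf, pos=0):
    """Decode the element at pos; return (tag, content, raw_tlv_bytes, next_pos)."""
    tag, length, header = buf[pos], buf[pos + 1], 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header = 2 + n
    start, end = pos + header, pos + header + length
    return tag, buf[start:end], buf[pos:end], end


def der_children(content):
    """Split the content of a constructed element into (tag, content, raw) children."""
    kids, pos = [], 0
    while pos < len(content):
        tag, inner, raw, pos = der_read(content, pos)
        kids.append((tag, inner, raw))
    return kids


def signer_certs_from_pkcs7(blob):
    """Return the raw DER certificates carried in a PKCS#7 SignedData (the CERT.RSA/DSA/EC file)."""
    _, content_info, _, _ = der_read(blob)            # ContentInfo SEQUENCE { oid, [0] SignedData }
    _, wrapper, _ = der_children(content_info)[1]      # [0] EXPLICIT wrapper
    _, signed_data, _, _ = der_read(wrapper)           # SignedData SEQUENCE
    for tag, inner, _ in der_children(signed_data):
        if tag == 0xA0:                                # certificates [0] IMPLICIT SET OF Certificate
            return [raw for t, _, raw in der_children(inner) if t == 0x30]
    return []


def fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()


SIG_FILE = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.IGNORECASE)


def apk_signer_fingerprints(apk):
    """SHA-256 fingerprints of every signer certificate found in the APK's v1 signature files."""
    fps = set()
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if SIG_FILE.match(name):
                fps.update(fingerprint(c) for c in signer_certs_from_pkcs7(z.read(name)))
    return fps


def classify_third_party_apk(official_apk, third_party_apk):
    """'match' if both carry the same signer(s), 'mismatch' if re-signed, 'unsigned' if no v1 signature."""
    third = apk_signer_fingerprints(third_party_apk)
    if not third:
        return "unsigned"
    return "match" if third == apk_signer_fingerprints(official_apk) else "mismatch"


# Constructed sample data: placeholder "certificates" (DER SEQUENCEs) standing in for real X.509 ones.
SAMPLE_CERT_A = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x04, b"constructed vendor cert"))
SAMPLE_CERT_B = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x04, b"constructed modder cert"))
OID_SIGNED_DATA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"   # 1.2.840.113549.1.7.2
OID_DATA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"          # 1.2.840.113549.1.7.1


def build_sample_apk(cert_der, sig_name="META-INF/CERT.RSA"):
    """Build an in-memory zip mimicking the v1 layout: MANIFEST.MF plus a PKCS#7 signature block."""
    signed_data = der_tlv(0x30,
                          der_tlv(0x02, b"\x01")        # version
                          + der_tlv(0x31, b"")          # digestAlgorithms (empty in this sample)
                          + der_tlv(0x30, OID_DATA)     # encapContentInfo
                          + der_tlv(0xA0, cert_der)     # certificates [0]
                          + der_tlv(0x31, b""))         # signerInfos (empty in this sample)
    pkcs7 = der_tlv(0x30, OID_SIGNED_DATA + der_tlv(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n")
        z.writestr(sig_name, pkcs7)
    buf.seek(0)
    return buf
```

A signer mismatch on a same-version APK means the package was re-signed by someone other than the original developer, which is the condition the study used to flag modded builds.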


Results of the Analysis

We verified around 990 third-party apps using the signature verification process. Some of the third-party app stores analysed were allfreeapk, apkpure, apksfull and apktada.

We detected a total of 10 third-party apps that had been modified, i.e. whose signatures did not match and whose code differed from the original APK. These are some of the apps that contained modded APKs:


App Store Name    Package Name      App Name
                                    Picsart Photo Editor
                                    Spotify
                  com.gaana         Gaana
Aptoide           com.truecaller    Truecaller
Apk20             com.pinterest     Pinterest


Analysis of the Modded APK

  • Picsart Photo Editor 


Vulnerabilities found 
  1. Android Fleeceware (PUA)

Apps that cajole users into signing up for a free trial of their services and then charge exorbitant subscription fees once the trial period ends. Such fleeceware apps do not function unless provided with the user’s payment details. If users fall for this trick and supply their details, the app uses them to debit the subscription fees after the trial period is over, without the user’s consent.

  2. Heur/HTML RefreshScript

Heur/HTML.Malware is a detection produced by a heuristic routine designed to find common malware scripts in HTML files.


  • Spotify


Vulnerabilities found
  1. Ewind Trojan 

The Ewind Trojan is essentially adware that monetizes applications by displaying unwanted advertisements on the victim’s device. It also gathers device data and is capable of forwarding messages to the attacker. The adware Trojan could in fact even allow full remote access to the infected device.

  2. Riskware/Jiagu!Android

Riskware constitutes apps that are not inherently classified as malware but may utilize system resources in an unexpected or annoying manner and/or pose a security risk to the victim device.


Users will notice screens similar to this one on their affected device


How do attackers modify official apps?

Apart from the prominent examples shared above, there are a large number of modified apps lurking in third-party stores, and it is only a matter of time before the next victim falls prey to one of these thousands of malicious apps. Let’s have a look at some of the methods by which attackers manage to modify official applications.

  • Add a Debugging Flag in a Configuration File

The attacker manually adds “debug=true” to a .properties file in a local copy of the app. On launch, the application then writes highly descriptive log files. These log files give the attacker insight into the backend systems, which in turn lets them search for vulnerabilities within those systems to exploit.

  • Code Manipulation

The attacker adds conditional jumps within the code which allows them to bypass the process of detecting a successful in-app purchase. This helps them obtain as many game artifacts and abilities as possible, without having to pay for them. The attacker may also inject spyware into the app to steal the identity of their victims. 

  • Unauthorized Access to Administrative Endpoint

An attacker could gain access to an administrative endpoint that the developers left exposed during endpoint testing. The attacker could perform string analysis of the binary to find the hardcoded URL of the administrative REST endpoint, and then use ‘cURL’ to execute back-end administrative functions.

  • Usability Requirements

Usability requirements may specify that the mobile app’s passwords can only be 4 digits long. The server code stores a hashed version of the password. As the password is very short, an attacker who compromises the password file on the server can recover the original passwords using rainbow tables.

  • Certificate inspection 

A secure channel is established when the app and the endpoint connect through a TLS handshake. If the app accepts the certificate offered by the server without inspecting it, the mutual authentication between the endpoint and the app is undermined, allowing man-in-the-middle (MiTM) attacks.

Third-party applications may thus seem innocent, but could in fact be nefarious and have grave implications for their users. However, malicious third-party apps can be identified with processes like signature verification. Users should avoid, or at least exercise caution before, installing apps that do not come from the official app stores.

Threat actors’ next big target: VIPs, Executives, and Board members

A recently uncovered spear phishing campaign, orchestrated by the PerSwaysion group and targeting 150+ executives across the globe, is a prime example of the growing trend of concerted cyber attacks on CXOs and VIPs. Such targeted attacks on VIPs are commonly known as whaling. Whaling tactics are similar to general spear-phishing, but differ in that they specifically target high-level and important individuals within an organization.

Threat actors are slowly moving from large-scale, low-value attacks, which target a general population, to small-scale, high-value attacks, which target the key personnel of an organization. Furthermore, the Verizon 2019 Data Breach Report found that senior executives are 12 times more likely to be targets of social incidents, and 9 times more likely to be targets of social breaches. This is because high-profile personnel have exclusive clearances, privileges, and access to:

  • Confidential and sensitive information, including financials, trade secrets, etc.
  • The authority to order other employees in the organization to carry out certain tasks.
  • Valuable assets, including networks, devices, and facilities.

How do threat actors target C-level executives?

Research and reconnaissance

  • To orchestrate a typical attack, threat actors perform extensive reconnaissance and research, to understand an organization’s structure and functions.
  • Using this information, they narrow down the list of potential targets and their associates.
  • They then collect personal information about the shortlisted VIPs. Most companies publish their executives’ details on social media, news media, and their own websites. Thus, a simple Google search will give the threat actor access to this information. Moreover, the executives themselves have personal accounts on platforms such as Facebook and LinkedIn. And often, the privacy settings on these accounts are lax. 
  • They further search for exposed account credentials from previous data leaks. Given that most of us, executives being no exception, use the same password for multiple accounts, the exposed credentials can be used to gain access to the executive’s official email account.

Data theft attacks

  • Once hackers have obtained access to C-suite executives’ accounts, through brute-force attacks or other means, they steal valuable information. This may include client lists, customer data, financial data, internal processes, business strategies and plans, and more.

Impersonation attacks

  • Threat actors could hijack executives’ social media accounts and post harmful messages, which could tarnish the reputation of the executive and their organization.
  • Using the email access, threat actors work out the communication patterns and styles within the organization. For example, if there is a trail of audit-related emails, threat actors can send requests for audit-related details as a continuation of the ongoing communication.
  • If threat actors cannot get access to an executive’s credentials, they create fake email IDs that closely resemble one of the executives’ email IDs or that of the HR or Accounting department. From the fake ID they send an urgent, actionable, and believable email to a C-level executive.
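One defensive check for the fake email IDs described in that last point, as an added example that is not from the original post or CloudSEK’s product: it folds common look-alike characters, then compares an incoming From header against a directory of executives and trusted domains. The directory, addresses (reserved .test domains) and similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Crude fold of characters commonly swapped for look-alikes; applied to both sides before comparing.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalise(text):
    text = text.lower()
    for glyph, plain in HOMOGLYPHS.items():
        text = text.replace(glyph, plain)
    return text


def similarity(a, b):
    """Ratio in [0, 1] after folding; 1.0 means the two strings fold to the same text."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def parse_from_header(value):
    """Split 'Display Name <user@domain>' (or a bare address) into (display, local_part, domain)."""
    m = re.match(r'^\s*"?([^"<]*?)"?\s*<([^@>]+)@([^>]+)>\s*$', value)
    if m:
        return m.group(1).strip(), m.group(2).lower(), m.group(3).lower()
    local, _, domain = value.strip().lower().partition("@")
    return "", local, domain


def assess_sender(from_header, trusted_people, trusted_domains, threshold=0.8):
    """Return (verdict, reason) where verdict is 'trusted', 'lookalike' or 'unknown'.
    trusted_people maps an executive's display name to their real address."""
    display, local, domain = parse_from_header(from_header)
    address = f"{local}@{domain}"
    if domain in trusted_domains:
        return "trusted", "sender domain is in the trusted set"
    for td in trusted_domains:                      # e.g. exarnple-pharma.test, examplepharma.test
        if similarity(domain, td) >= threshold:
            return "lookalike", f"domain {domain} resembles trusted domain {td}"
    for name, real in trusted_people.items():
        if display and normalise(display) == normalise(name):   # right name, wrong mailbox
            return "lookalike", f"display name '{display}' matches {name} but address is {address}"
        if similarity(local, real.partition("@")[0]) >= threshold:
            return "lookalike", f"local part {local} resembles {real}"
    return "unknown", "no trusted match"


# Constructed directory for the example (hypothetical organisation on a reserved .test domain).
SAMPLE_TRUSTED_DOMAINS = {"example-pharma.test"}
SAMPLE_TRUSTED_PEOPLE = {"Jane Doe": "jane.doe@example-pharma.test"}
```

A 'lookalike' verdict is a triage signal for the mail gateway or SOC, not proof of fraud: a legitimate external contact with a similar name will also trip the local-part check.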

Extended attacks

  • Threat actors bank on executives having limited time, or relying on assistants, to read and respond to emails. They also make sure the emails are believable by adding references to the executive’s interests and hobbies, gleaned from their social media profiles. The emails usually ask the recipient, who is also an executive or VIP, for sensitive information, wire transfers, or to download an attachment.
  • If the recipient falls for the trap, they end up revealing sensitive information or authorizing someone else to do so. They could also authorize transfers to the fake account details shared by the threat actor. A malicious attachment could drop malware or a ransomware payload on their systems. The recent PerSwaysion campaign used a fake Microsoft Outlook login page, from which the actors collected 150+ executives’ login credentials. The credentials can be used to orchestrate other attacks or sold on the Dark Web to the highest bidder.

How to protect C-level executives from these attacks?

Given the heightened risk to VIPs, here are a few measures to combat and mitigate threats:

Continuous monitoring

Deploy a real-time monitoring tool that scours the internet – surface web, deep web, and dark web – for potential threats. A comprehensive SaaS platform such as CloudSEK’s XVigil tracks VIPs’ personal email IDs for their presence in past security breaches. Organizations are alerted to such threats immediately, along with other significant details pertaining to the risk.

Review social media presence

Ensure the executives’ social media accounts have the highest level of privacy. Report duplicate accounts and delete dormant accounts on a regular basis. 

Multi-layered protection

Enable Multi Factor Authentication (MFA) for all their accounts, including email, company assets and network. 

Regular cybersecurity refreshers

Since threat actors are constantly changing and upgrading their whaling tactics and ruses, periodic training will help executives spot and avoid such traps. 


An attack on a VIP doesn’t just affect them personally; it also affects their organization’s revenue and brand image. Threat actors could gain access to the company’s central database, steal employee and customer details, and leak or even sell them. It takes years of painstaking effort to build a company’s brand image, and any damage to this intangible asset can have very serious and far-reaching consequences. Hence it is important to put in place processes, and tools such as XVigil, to continuously monitor and protect VIPs and their organizations.

Top open source resources to stay vigilant against COVID-themed cyber attacks


As the coronavirus pandemic spreads rapidly across the globe, a panic-stricken populace already confined to their homes, faces the emerging threat of COVID-themed cyber attacks. The trend of recent cyber crimes indicates a spike in the number of COVID-related malicious domains, malware attacks, as well as phishing campaigns. As a result, organizations are left with the daunting prospect of securing their assets, and that of their clients, against adversaries profiting from the pandemic. Without an effective strategy, or the right intelligence, it will be impossible to ward off such attacks.

In this article, we have consolidated popular open source threat intel resources that can help you combat COVID-themed cyber attacks. These open source resources provide the latest intelligence and observations on cyber threats to alleviate the impact such attacks could have on the global community.

COVID-19 Cyber Threat Coalition

The Cyber Threat Coalition (CTC) is the result of the combined efforts of around 3,000 security professionals who gather, analyse, and share intelligence on new COVID-themed threats. At present, the largest contribution of COVID-themed datasets is produced by the CTC. Moreover, they prioritize defending essential services and the front-line medical sector against threats. The telecommunication sector is also considered part of essential services, as more people shift to remote work.

How does CTC alert organizations?

  • Typically, they examine millions of data points contributed by organizations or individuals, and run the indicators through several security products.
  • If at least 10 of these security products identify a data point as a threat, CTC volunteers manually verify the finding and add it to the Blocklist. If only 5 to 9 security product vendors identify the data point as malicious, it is likewise manually verified before being added to the Blocklist.
  • This Blocklist helps organizations and individuals across the globe block malicious traffic arising from fraudulent activities.
  • Additionally, they have a beta MISP feed that details the various threat indicators (accessible to those who have set up MISP).
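How such a Blocklist is put to use, as an added example that is not from the original post or the CTC: it loads a domain/IP-per-line feed and runs proxy log lines against it, matching parent domains and CIDR ranges but not unrelated hostnames that merely contain a listed name. The feed and log lines are constructed (reserved .test names and RFC 5737 addresses), not real indicators.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample feed in the one-entry-per-line style of such blocklists (placeholders, not real IOCs).
SAMPLE_BLOCKLIST = """\
# comment lines and blanks are ignored
covid19-relief-example.test
vaccine-portal-example.test
198.51.100.23
203.0.113.0/24
"""

# Constructed proxy log lines: timestamp, client, method, URL, status.
SAMPLE_PROXY_LOG = [
    "2020-04-02T10:15:01Z 10.0.0.5 GET http://login.covid19-relief-example.test/verify 200",
    "2020-04-02T10:15:07Z 10.0.0.5 GET https://www.who.int/ 200",
    "2020-04-02T10:16:40Z 10.0.0.9 POST http://198.51.100.23:8080/upload 403",
    "2020-04-02T10:17:02Z 10.0.0.9 GET http://203.0.113.77/update.bin 200",
    "2020-04-02T10:18:15Z 10.0.0.12 GET https://notcovid19-relief-example.test/ 200",
]


def load_blocklist(text):
    """Parse a feed into (domains, ip addresses, ip networks)."""
    domains, ips, nets = set(), set(), []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        try:
            if "/" in entry:
                nets.append(ipaddress.ip_network(entry, strict=False))
            else:
                ips.add(ipaddress.ip_address(entry))
        except ValueError:                       # not an IP or CIDR: treat as a domain name
            domains.add(entry.rstrip("."))
    return domains, ips, nets


def match_host(host, blocklist):
    """Return the entry covering host (exact or parent domain, IP or CIDR), else None."""
    domains, ips, nets = blocklist
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        labels = host.split(".")
        for i in range(len(labels) - 1):         # host itself, then each parent domain (never the bare TLD)
            candidate = ".".join(labels[i:])
            if candidate in domains:
                return candidate
        return None
    if addr in ips:
        return str(addr)
    for net in nets:
        if addr in net:
            return str(net)
    return None


def scan_proxy_log(lines, blocklist):
    """Return [(line_number, host, matched_entry)] for log lines whose URL host is listed."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        host = urlsplit(fields[3]).hostname or ""
        entry = match_host(host, blocklist)
        if entry:
            hits.append((n, host, entry))
    return hits
```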

How can you contribute?

  • The CTC maintains a Slack workspace, the invitation to which is available on their official website. This workspace is for researchers who may have information regarding COVID-themed cyber attacks. They also have a Slack channel for updates and new developments: #ctc-official-announcements
  • Their AlienVault Open Threat Exchange (OTX) group also gathers data feeds from researchers. The CTC considers AlienVault OTX its primary source of raw data feeds and encourages anyone with high-quality threat intel to join the platform.

Here is the CTC Blocklist for vetted malicious domains and IP addresses:

Alienvault OTX group

COVID-19 CTI League


This is a collective of experts and incident responders from across 40 countries that gathers COVID-related threat intelligence. Senior Microsoft and Amazon officials are also part of this team. The CTI League is geared towards neutralizing cyber threats against the front-line medical sector and critical infrastructure.

How is the medical sector benefiting from the CTI League?

  • The CTI League accepts IR (Incident Response) requests from organizations to detect and contain security incidents. To achieve this, it connects with researchers and analysts from 22 different time zones. Volunteers help the community find the most appropriate individuals to secure medical institutions and resources in their location.
  • They assist in taking down websites, web pages, or files from the internet, and escalate cyber attacks, malicious activities, or critical vulnerabilities to law enforcement agencies and national CERTs.
  • They provide reliable databases of high-priority indicators of compromise that help the medical sector investigate and block malicious activities.

Cyber Threat Alliance


This is a not-for-profit membership organization that focuses on phishing lures and malware attacks. They help thwart attempts to harm the medical sector, in the time of this unprecedented crisis.

What are they offering?



Phishing is the most common cyber threat, and even as the world tries to make sense of the coronavirus epidemic, scammers are busy cashing in on the fear and anxiety. PhishLabs, a team of cybersecurity experts, provides free Coronavirus-related threat intelligence resources, with a primary focus on phishing attacks.

What have they got to offer?

Their database is updated with the latest COVID-themed phishing emails, malicious URLs, and domains. They share the data as a zip file containing phishing lures (as image files) and phishing URLs (in .xlsx format).

PhishLabs image files

Checkphish: Coronavirus Scam Tracker 


Checkphish maintains a global dashboard that tracks the latest Coronavirus-themed phishing scams. The results are classified into scams and suspicious sites. Moreover, it provides a scam feed in .tsv format for each website.


Checkphish scam tracker feed

The dashboard also allows you to run free URL scans to identify malicious websites. For each queried domain, and for the domains already in the list, the dashboard also shows website screenshots, passive DNS (hosts and domains hosted on a given IP), details of similar domains, and their WHOIS information.

Checkphish dashboard



The Malware Information Sharing Platform (MISP) is an open source threat intelligence platform. It provides IDS signatures for COVID-19 cyber intrusions in various formats such as STIX, STIX2, text, CSV, etc., and allows users to automate the collection of information. Researchers and interested parties are only required to send a direct message to the team to access

Events on MISP
Post that directs users to a frequently updated dataset


RiskIQ PassiveTotal offers access to RiskIQ datasets such as passive DNS, extensive DNS data, WHOIS registration details, and SSL certificate details. In response to the rising number of COVID-themed cyber attacks, they also share lists of Coronavirus-related domain names containing ‘covid’, ‘coronav’, ‘vaccine’, ‘pandemic’, or ‘virus’. These may or may not be malicious. To facilitate investigation of these domains, interested analysts are granted 30 days’ access to PassiveTotal, RiskIQ’s threat research platform.

Links to the lists of COVID-themed domain names: (consolidated list)

Covid-19 Medical Supply Scams from the RiskIQ dashboard.

GitHub CTI League Repo


A GitHub repository dubbed COVID-19-CTI-League also shares vetted, approved IOCs of COVID-themed cyber attacks. Even though the name of the repository resembles the CTI League community discussed earlier, the two are not related.

CTI League Slack discussion

Independent Researchers And Feeds

Although we have listed the big names in cyber security, it is important to know that there are individual researchers and cyber security bloggers committed to resolving and neutralizing the attacks surfacing during the epidemic. They share their analysis and findings on social media platforms such as Twitter. Here are some of them:


Twitter user DustyFresh has set up a feed, updated every 30 seconds, that scans certificate transparency logs for newly discovered COVID-related hostnames, using keywords such as coronavirus, covid19, covid-19, covid, pandemic, etc.

Although most of the domains in this list are considered malicious, it is up to researchers to verify this.


Another researcher who goes by the Twitter handle @sshell_ created a real-time dashboard of malicious websites. This dashboard leverages RiskIQ’s feed (mentioned earlier) and lists COVID-themed malicious domains in real-time.

@sshell feed


Independent researcher and ESET mobile malware analyst Lukas Stefanko tracks COVID-related malware attacks targeting Android users on a daily basis.


This is another open source threat intelligence platform that gathers Indicators of Compromise from various sources. It allows users to download data for free.


MalwareBazaar provides free, easily downloadable malware samples, with the aim of helping researchers understand them and use the intelligence for further analysis.


The official Twitter accounts of government agencies also provide regular updates on the latest scams and scamming tactics:


The Indian Ministry of Home Affairs offers tips and advises the public on safe internet practices through its Twitter handle @CyberDost and its official website, the National Cyber Crime Reporting Portal. These platforms can also be used to report any malicious cyber activity you come across.


This is the Twitter handle of the European Union’s Agency for Law Enforcement Cooperation. Europol shares recent trends in cyber attacks and scams themed after the Coronavirus pandemic.