A fresh ransomware strain known as “[F]Unicorn” has emerged, first seen this week targeting users by pretending to be an official government COVID-19 contact tracing app.
According to an advisory from the Computer Emergency Response Team (CERT) of the Agency for Digital Italy (AgID), the malware family is taking advantage of the rollout of “Immuni” – Italy’s official coronavirus-tracking app. The beta version is rolling out across the country, which was one of the hardest-hit coronavirus hotspots; the app works constantly in the background by beaconing a Bluetooth Low Energy signal to other devices. The idea is to alert users if they have been close to an infected person.
The [F]Unicorn sample (flagged for CERT by security researcher JamesWT_MHT and analyzed by Dottor Marc) is spreading as a fake Immuni app housing a malicious executable, purporting to be from the Italian Pharmacist Federation (FOFI).
“[Distribution] relied on emails informing users of a PC beta release of Immuni, Italy’s COVID-19 contact tracing app, for distribution,” explained researchers at Tripwire, in a short analysis on Wednesday. “Those attack emails leveraged typosquatting techniques to trick users into clicking on a download link for the advertised app.”
Dottor Marc’s analysis meanwhile noted that the email invites the user to download the infected file from the www[.]fofl[.]it site, “which is nothing more than the identical copy of the official website of the FEDERAZIONE ORDINI FARMACISTI ITALIANI made on 3 May 2020.” Researchers there also noted that this particular download site has been blocked by the hosting service.