SEARCH

FOR IMMEDIATE RELEASE Monday, March 23, 2020

U.S. Attorneys » Eastern District of California » News

Department of Justice

U.S. Attorney’s Office

Eastern District of California

United States Attorney Shares Tips for Avoiding COVID-19Scams

SACRAMENTO, Calif.—Today, U.S. Attorney McGregor W. Scott warned of several new fraud schemes

seeking to exploit the evolving COVID-19 (Coronavirus) public health emergency often targeting

vulnerable populations.

Scammers have already devised numerous methods for defrauding people in connection with COVID-19.

They are setting up websites, contacting people by phone and email, and posting disinformation on social

media platforms. Some examples of scams linked to COVID-19 include:

Testing scams: Scammers are selling fake at-home test kits or going door-to-door performing faketests for money.Treatment scams: Scammers are offering to sell fake cures, vaccines, and advice on unproventreatments for COVID-19.Supply scams: Scammers are creating fake shops, websites, social media accounts, and emailaddresses claiming to sell medical supplies currently in high demand, such as surgical masks.When consumers attempt to purchase supplies through these channels, fraudsters pocket themoney and never provide the promised supplies.Provider scams: Scammers are contacting people by phone and email, pretending to be doctorsand hospitals that have treated a friend or relative for COVID-19, and demanding payment for thattreatment.Charity scams: Scammers are soliciting donations for individuals, groups, and areas affected byCOVID-19.Phishing scams: Scammers posing as national and global health authorities, including the WorldHealth Organization (WHO) and the Centers for Disease Control and Prevention (CDC), aresending phishing emails designed to trick recipients into downloading malware or providingpersonal identifying and financial information.App scams: Scammers are creating and manipulating mobile apps designed to track the spread

HOME ABOUT NOTEWORTHY CASES CAREERS VICTIM INFORMATION PROGRAMS

EN ESPAÑOL

1 of 3 3/27/2020, 7:07 AM

of COVID-19 to insert malware that will compromise users’ devices and personal information.Investment scams: Scammers are offering online promotions on various platforms, includingsocial media, claiming that the products or services of publicly traded companies can prevent,detect, or cure COVID-19, and that the stock of these companies will dramatically increase invalue as a result. These promotions are often styled as “research reports,” make predictions of aspecific “target price,” and relate to microcap stocks, or low-priced stocks issued by the smallest ofcompanies with limited publicly available information.

The U.S. Attorney’s Office urges Californians to take the following precautionary measures to protect

themselves from known and emerging scams:

Independently verify the identity of any company, charity, or individual that contacts you regardingCOVID-19.Check the websites and email addresses offering information, products, or services related toCOVID-19. Be aware that scammers often employ addresses that differ only slightly from thosebelonging to the entities they are impersonating. For example, they might use “cdc.com” or“cdc.org” instead of “cdc.gov.”Be wary of unsolicited emails offering information, supplies, or treatment for COVID-19 orrequesting your personal information for medical purposes. Legitimate health authorities will notcontact the general public this way.Do not click on links or open email attachments from unknown or unverified sources. Doing socould download a virus onto your computer or device.Make sure your computer’s anti-malware and anti-virus software is operating and up to date.Ignore offers for a COVID-19 vaccine, cure, or treatment. Remember, if there is a medicalbreakthrough, you won’t hear about it for the first time through an email, online ad, or unsolicitedsales pitch.Check online reviews of any company offering COVID-19 products or supplies. Avoid companieswhose customers have complained about not receiving items.Research any charities or crowdfunding sites soliciting donations in connection with COVID-19before giving. Remember, an organization may not be legitimate even if it uses words like “CDC”or “government” in its name or has reputable looking seals or logos on its materials. For onlineresources on donating wisely, visit the Federal Trade Commission (FTC) website.Be wary of any business, charity, or individual requesting payments or donations in cash, by wiretransfer, gift card, or through the mail. Don’t send money through any of these channels.Be cautious of “investment opportunities” tied to COVID-19, especially those based on claims thata small company’s products or services can help stop the virus. If you decide to invest, carefullyresearch the investment beforehand. For information on how to avoid investment fraud, visit theU.S. Securities and Exchange Commission (SEC) website.For the most up-to-date information on COVID-19, visit the Centers for Disease Control andPrevention (CDC) and World Health Organization (WHO) websites.

On March 23, U.S. Attorney Scott announced the appointment of a COVID-19 fraud coordinator to lead

investigations into known and suspected occurrences of financial fraud related to the nation’s ongoing

public health emergency.

If you think you are a victim of a scam or attempted fraud involving COVID-19, you can report it without

leaving your home though a number of platforms. Go to:

Contact the National Center for Disaster Fraud Hotline at 866-720-5721 or via emailat disaster@leo.govReport it to the FBI at tips.fbi.govIf it’s a cyber-scam, submit your complaint through https://www.ic3.gov/default.aspx

2 of 3 3/27/2020, 7:07 AM

The U.S. Attorney’s Office COVID-19 fraud coordinator will be notified of tips submitted via the above

reporting method.

Topic(s):

Coronavirus Fraud

Component(s):

USAO - California, Eastern

Updated March 23, 2020

3 of 3 3/27/2020, 7:07 AM

U.S. Department of Justice

Office of the Deputy Attorney General

The Deputy Attorney General Washington, D.C. 20S30

March 24, 2020

TO: MEMORANDUM FOR ALL HEADS OF LAW ENFORCEMENT COMPONENTS, HEADS OF LITIGATING DIVISIONS. AND UNITED STATES ATTORNEYS

FROM: THE DEPUTY ATIORNEY GENERAL~

SUBJECT: Department ofJustice Enforcement Actions Related to COVID~ 19

As you know. we have seen an unfortunate array ofcriminal acti vity related to the ongoing COVID~19 pandemic. Capitalizing on this crisis to reap illicit profits or othe1wisc preying on Americans is reprehensible and will not be tolerated. I am issuing this Memorandum to inform you of the sorts of schemes that have been reported. to identify certain authorities that I am directing you to consider deploying against these schemes, and to emphasize the importance of state and local coordination during this difficult time.

I. REPORTED SCHEMES RELATED TO COVID~19

To date, the U.S. Attorney's Offices have received reports of individuals and businesses engaging in a wide range offraudulent and criminal behavior. This includes:

• Robocalls making fraudulent offers to sell respirator masks with no intent ofdelivery;

• Fake COVID-19-related apps and websites that install malware or ransomware;

• Phishing emails asking for money or presenting malware;

• Social media scams fraudulently seeking donations or claiming to provide stimulus funds ifthe recipient enters his or her bank account number;

• Sales of fake testing kits. cures, " immunity" pills, and protective equipment;

• Fraudulent offers for free COVID=19 testing in order to obtain Medicare beneficiary information that is used to submit false medical claims for unrelated, unnecessary, or fictitious testing or services;

• Prescription drug schemes involving the submission of medical claims for unnecessary antiretroviral treatments or other drngs that are marketed as purported cures for COVID-19;

Memorandum from the Deputy Attorney General Page2 Subject: Department of Justice Enforcement Actions Related to COVID-19

• Robberies ofpatients departing from hospitals or doctor offices;

• Threats ofviolence against mayors and other public officials; and

• Threats to intentionally infect other people.

You should be on the lookout for these sorts of schemes, as well as any others like them.

II. SPECIFIC AUTHORITIES TO PUNISH WRONGDOING RELATED TO COVID-19

Consistent with the Attorney General's March 16 Memorandum, I am directing your Offices to focus your attention on the following categories of offenses that may be relevant to the kinds ofpandemic-related crimes we have seen reported.

First, we know that there are individuals and businesses taking advantage of the COVID-19 crisis to engage in fraudulent or otherwise illegal schemes. Depending on the specific facts, these acts may violate any number of provisions in Title 18. See, e.g., 18 U.S.C. § 1341 (mail fraud); id. § 1343 (wire fraud); id. § 1030 (computer fraud); id. § 1347 (healthcare fraud); id. § 1349 (conspiracy to commit fraud); id. §§ 1028-1028A (identification fraud and aggravated identity theft); id. § 1040 (fraud in connection with major disasters and emergencies); id. § 2320 (trafficking in counterfeit goods).

Moreover, the sale offake drugs and cures may be prohibited under Title 15, see 15 U.S.C. § 1263(a) (introduction of misbranded or banned hazardous substances into interstate commerce), constitute a violation of the Food, Drug, and Cosmetic Act, see 21 U.S.C. § 333 (introduction of misbranded or adulterated drug or device into interstate commerce), or constitute a violation ofthe Consumer Product Safety Act, see 15 U.S.C. § 2068 (sale, manufacture, distribution, or import of a consumer product or other product that is not in conformity with consumer-product-safety regulations).

Second, you may encounter criminal activity ranging from malicious hoaxes, to threats targeting specific individuals or the general public, to the purposeful exposure and infection of others with COVID-19. Because coronavirus appears to meet the statutory definition of a "biological agent" under 18 U.S.C. § 178(1), such acts potentially could implicate the Nation's terrorism-related statutes. See, e.g., id. § 175 (development/possession of a biological agent for use as a weapon); id. § 875 (threats by wire); id. § 876 (threats by mail); id. § 1038 (false information and hoaxes regarding biological weapons); id. § 2332a (use of a weapon involving a biological agent). Threats or attempts to use COVID-19 as a weapon against Americans will not be tolerated.

Third, individuals or businesses may be accumulating medical supplies or devices beyond what they reasonably need on a daily basis, or for the purpose of selling them in excess of prevailing market prices. As discussed in a memorandum issued by the Attorney General today, it is illegal to acquire medical supplies and devices designated by the Secretary of Health and Human Services (HHS) as scarce in order to hoard them or sell them for excessive prices. Such conduct may be prosecuted under the Defense Production Act. See 50 U.S.C. §§ 4512, 4513.

Memorandum from the Deputy Attorney General Page 3 Subject: Department of Justice Enforcement Actions Related to COVID-19

Although no items have yet been designated, the Department will work closely with the HHS Secretary in connection with that process in the days ahead. Your Offices should coordinate with the newly constituted task force led by Craig Carpenito, the United States Attorney in the District ofNew Jersey, when investigating and prosecuting this conduct.

Finally, conspiracies between individuals or businesses to fix prices, rig bids, or allocate markets with respect to COVID-19 materials are prosecuted criminally under the federal antitrust laws. See 15 U.S.C. § I. Monopolization or anticompetitive agreements related to critical materials needed to respond to COVID-19 can be pursued civilly under the Sherman and the Clayton Antitrust Acts. See, e.g., 15 U.S.C. § I (anticompetitive agreements); id. § 2 (monopolization); id.§ 14 (exclusive dealings). And when the United States is injured as a result of those practices, the government may bring suit to recover its damages. See id. § 15a ( damages actions when the government is the victim).

The legal authorities set forth above are not an exhaustive list, and there may be situations where other authorities could be applied. You are encouraged to consult with either Adam Braverman or William Hughes in my office if a COVID-19-related issue warrants consideration ofother authorities.

III. STATE AND LOCAL COORDINATION

While the Department of Justice is the world's premier law enforcement institution, we cannot protect the public from these schemes alone. Your Office is thus encouraged to work closely with state and local authorities to ensure both that we hear about misconduct as quickly as possible and that all appropriate enforcement tools are available to punish it.

We have also publicized a hotline for individuals to report coronavirus-related complaints - The National Center for Disaster Fraud (NCDF) Hotline - 1-866-720-5721 or disaster@.leo.gov. I remind you to consult, as needed, with the Civil Division's Consumer Protection Branch (Gus Eyler), the Criminal Division's Fraud Section (John Cronan), and the Antitrust Division (Richard Powers) for additional guidance on how to detect, investigate, and prosecute these schemes.

We must do the best we can to protect Americans' rights and safety in this novel and troubling time. I thank you all for your service to this country.

March 24, 2020

MEMORANDUM FOR ALL HEADS OF DEPARTMENT COMPONENTS AND LAW

ENFORCEMENT AGENCIES

ALL UNITED STATES ATTORNEYS

FROM: THE ATTORNEY GENERAL

SUBJECT: Department of Justice COVID-19 Hoarding and Price Gouging Task Force

Thank you again for your tremendous service to our nation during the present crisis. Each

week brings new challenges, but I am confident that the Department of Justice will continue to

perform its critical mission during these difficult times. Last week, I addressed a number of early

reports concerning criminals seeking to exploit the current panic and economic dislocation. I am

now issuing this Memorandum to advise you of a recent Executive Order signed by the President

that is relevant to our work, and to direct the creation of a task force charged with addressing

hoarding and price gouging associated with the Coronavirus (COVID-19) pandemic.

I. AUTHORITIES TO PUNISH WRONGDOING RELATED TO COVID-19

To protect the safety and security of our nation during the current crisis, the Department

must remain vigilant in deterring, detecting, investigating, and prosecuting wrongdoing related to

the COVID-19 pandemic. While this crisis has brought out the best in most Americans, there

appear to be a few unfortunate exceptions. We will not tolerate bad actors who treat the crisis as

an opportunity to get rich quick.

We are beginning to receive reports of individuals using the crisis to hoard vital medical

items and then make inappropriate, windfall profits at the expense of public safety and the health

and welfare of our fellow citizens. Hoarding and price gouging activities inhibit the government,

health care professionals, and the public from implementing critical measures to save lives and

mitigate the spread of the virus. These practices also make it harder for our healthcare providers

and first responders to resist the spread of COVID-19.

Memorandum from the Attorney General Page 2

Subject: Department of Justice COVID-19 Hoarding and Price Gouging Task Force

Yesterday, the President gave us another tool to fight misconduct by issuing an Executive

Order pursuant to section 102 of the Defense Production Act, which prohibits hoarding of

designated items. The order authorizes the Secretary of Health and Human Services (“HHS”) to

protect scarce healthcare and medical items by designating particular items as protected under the

statute. Once an item is designated, the statute makes it a crime for any person to accumulate that

item either (1) in excess of his or her reasonable needs or (2) for the purpose of selling it in excess

of prevailing market prices. See 50 U.S.C. §§ 4512, 4513. We will work closely with the HHS

Secretary as he designates scarce items. And where appropriate, the Department will investigate

and prosecute those who acquire vital medical supplies in excess of what they would reasonably

use or for the purpose of charging exorbitant prices to the healthcare workers and hospitals who

need them. We will also work closely with the Administrator of FEMA in exercising his authority

under the Stafford Act to seize necessary healthcare and medical items, where appropriate, and to

redeploy them to the people who need them most.

This does not mean that the Department will pursue regular Americans who are stocking

up on the necessities of daily life or businesses acquiring materials reasonably needed for their

own use. Nor will we take action against the manufacturers or suppliers who are working with the

government and with healthcare providers in an effort to combat this crisis. But we will

aggressively pursue bad actors who amass critical supplies either far beyond what they could use

or for the purpose of profiteering. Scarce medical supplies need to be going to hospitals for

immediate use in care, not to warehouses for later overcharging.

II. COVID-19 HOARDING AND PRICE GOUGING TASK FORCE

During this crisis, we must marshal our resources to protect the American people.

Accordingly, I am directing the immediate creation of a task force to address COVID-19-related

market manipulation, hoarding, and price gouging. The task force will develop effective

enforcement measures, best practices, work closely with HHS as they designate particular items

and equipment, and coordinate nationwide investigation and prosecution of these illicit activities.

The task force will be led by Craig Carpenito, the United States Attorney in the District of New

Jersey, with assistance as needed from the Antitrust Division’s Criminal Program. Each United

States Attorney’s Office, as well as relevant Department components, are directed to designate an

experienced attorney to serve as a member of the task force.

We must do the best we can to protect Americans’ rights and safety in this novel and troubling time. I thank you all for your service to this country.

law.com

By Michael E. Clark and Matthew S. Chester | March 24, 2020 at

10:38 AM

7-9 minutes

1 of 6 3/27/2020, 7:40 AM

2 of 6 3/27/2020, 7:40 AM

3 of 6 3/27/2020, 7:40 AM

4 of 6 3/27/2020, 7:40 AM

5 of 6 3/27/2020, 7:40 AM

6 of 6 3/27/2020, 7:40 AM

law.com

By Ryan McConnell and Matthew Boyden | February 28, 2020 at

09:43 AM

6-7 minutes

1 of 6 3/27/2020, 7:33 AM

2 of 6 3/27/2020, 7:33 AM

3 of 6 3/27/2020, 7:33 AM

4 of 6 3/27/2020, 7:33 AM

5 of 6 3/27/2020, 7:33 AM

6 of 6 3/27/2020, 7:33 AM

blog.talosintelligence.com

16-21 minutes

By Nick Biasini and Edmund Brumaghin.

Coronavirus is dominating the news and threat actors are taking

advantage.

Cisco Talos has found multiple malware families being distributed with

Coronavirus lures and themes. This includes emotet and several RAT

variants.

Using the news to try and increase clicks and drive traffic is nothing new

for malicious actors. We commonly see actors leveraging current news

stories or events to try and increase the likelihood of infection. The

1 of 15 3/27/2020, 6:52 AM

biggest news currently is focused on the new virus affecting the world,

with a focus on China: the coronavirus. There are countless news articles

and email-based marketing campaigns going at full throttle right now, as

such, we wanted to take a deeper look at how this is manifesting itself on

the threat landscape.

Our investigation had several phases, first looking at the email based

campaigns then pivoting into open-source intelligence sources for

additional samples. These investigations uncovered a series of

campaigns from the adversaries behind Emotet, along with a series of

other commodity malware families using these same topics as lures, and

a couple of odd documents and applications along the way. What was

also striking was the amount of legitimate emails containing things like

Microsoft Word documents and Excel spreadsheets related to the

coronavirus. This really underscores why using these as lures is so

attractive to adversaries and why organizations and individuals need to

be vigilant when opening mail attachments, regardless of its origins.

What's new? Malware authors and distributors will go through any

means necessary to achieve success and generate revenue and this is just

the latest example. These lures tied to coronavirus are likely to only

increase in volume and variety as the virus continues to spread and

dominate the headlines.

How did it work? The majority of these campaigns were driven

through email and malspam specifically. These actors would send

coronavirus themed emails to potential victims and, in some cases, use

filenames related to coronavirus as well, enticing victims to click

attachments. One of the reasons this was so effective was the large

amount of legitimate email related to coronavirus that also included

attachments.

So What?

2 of 15 3/27/2020, 6:52 AM

Organizations need to realize that attackers are going to use current

events to try and get victims to open attachments or click links. You

should be prepared and vigilant in identifying these emails and ensuring

they don't make it to your users inboxes.

There is a wide variety of threats represented here so there isn't one

single threat to be concerned with, just realize there will likely be a lot

more.

It's not just malicious content, there are a lot of weird executables and

other files floating around that are coronavirus-themed and are

unwanted, albeit not inherently malicious.

During our analysis of email telemetry, we identified several malicious

spam campaigns leveraging news related to coronavirus to entice

potential victims to open attachments and initiate various malware

infections. Several malware families are currently being distributed via

these malspam campaigns including Emotet, Nanocore RAT, and various

trojans.

Emotet

Emotet is one of the most prevalent malware families being actively

distributed. We have previously analyzed this threat in various posts,

notably here and here. Emotet distribution campaigns are commonly

observed attempting to integrate current news topics of interest in their

distribution campaigns and the current interest in CoronaVirus is no

different. It has been previously reported that Emotet has been making

use of this theme in various email distribution campaigns, which we have

also observed. As previously described, these emails typically contain

malicious Microsoft Word documents that function as downloaders for

the Emotet malware.

3 of 15 3/27/2020, 6:52 AM

An example of one of the malicious Word documents is below. As usual

with these sort of attachments, users are prompted to Enable Editing and

Enable Content, granting the attacker the ability to execute code on the

endpoint to facilitate the delivery and execution of Emotet, thus infecting

the system.

Over the course of the past few weeks, we have observed large quantities

4 of 15 3/27/2020, 6:52 AM

of messages featuring this and similar themes being used to spread

Emotet to victims.

Nanocore RAT

It is important to note that Emotet is not the only malware family

currently being distributed using coronavirus-themed malspam

campaigns. We have also observed Nanocore RAT being distributed

using similar types of email-based malware distribution campaigns.

Nanocore RAT is a remote access trojan (RAT) that is commonly

distributed by various threat actors. RATs are one of the more common

threats we see delivered on the threat landscape. These malware families

typically provide the attacker with remote access into the system and the

ability to grab things like keystrokes, files, webcam feeds, and download

and execute files. During our investigation we did find a campaign

delivering Nanocore, one of these RATs. The campaign was a notification

to customers around the status of the coronavirus and the steps they are

taking as an organization, as is shown below.

5 of 15 3/27/2020, 6:52 AM

As you can see, the email came with a ZIP file attached, which contained

a PIF executable. Once the victim executed the file, Nanocore RAT was

installed on the system, giving the adversaries remote access.

Other campaigns

We did find at least one other campaign that was ongoing, but at the

time of discovery the command and control (C2) servers were down and

final payload retrieval wasn't possible, but the malicious intent was clear.

This started like many of the other campaigns with a coronavirus theme.

6 of 15 3/27/2020, 6:52 AM

This particular email was notifying customers of a delay in shipping due

to coronavirus and attached a .pdf.ace invoice file. Inside the compressed

archive was an executable purporting to be a signed order confirmation.

Upon execution, additional data was attempted to be retrieved but due to

the server being down, it is not possible to identify the final payload as of

the time of publishing.

In addition to email campaigns leveraging coronavirus, we also analyzed

various open-source malware repositories in an attempt to identify

additional malware making use of the disease. We discovered several

examples of malware that had been submitted to the repositories

including adware, wipers, and other various trojans.

Parallax RAT

During our open-source investigation, we came across a sample aptly

named "new infected CORONAVIRUS sky 03.02.2020.pif." This file was

likely delivered as an attachment to an email in some sort of compressed

archive. Upon execution, the RAT is installed and persistence is achieved

by creating links in the user's startup folder, as well as the creation of

several scheduled tasks, and establishing command and control

communications with a dynamic DNS provider domain, which is fairly

common with RAT distribution.

Parallax is another RAT not much different from the nanocore campaign

we found above. It has the same basic functionality and allows the

attacker the ability to upload and download files as well as grab things

like keystrokes and screen captures.

7 of 15 3/27/2020, 6:52 AM

During the course of the investigation, we came across several samples

that appeared to be malicious and were tagged as malicious in various

engines but were, in fact, odd jokes or non-malicious content, including a

fake wiper. This file was found with the suspicious filename of

"CoronaVirus.exe" of which there were many. This particular one

immediately appeared to lock the screen upon execution.

The rough translation of the text displayed to the user is "Deleting all

files and folders on this computer - Coronavirus." Upon completion of

the counter, the button at the bottom became clickable, and when

clicked, displayed the following message:

8 of 15 3/27/2020, 6:52 AM

This says it is a joke and the user can press Alt + F12 to exit. If the user

pushes these buttons, it drops you back at the desktop. Upon further

analysis, it does not appear there were any other malicious actions taken.

This is just one of several odd examples found in our research including

another joke game written in VBS and an odd executable wrapper of a

well-known outbreak map for coronavirus. None of these files were

malicious but did take actions that could be viewed as malicious, as such,

we have seen many antivirus vendors detect these as malicious

executables. At the very least, they are unwanted applications, albeit not

inherently malicious.

One additional malware sample we discovered was a wiper designed to

destroy infected systems. It was initially submitted to various malware

repositories with the filename "冠状病毒.exe" which translates to

"coronavirus." The malware, when executed on systems, uses several

techniques to delete data from both the file system and registry in an

attempt to disrupt system operations. For example, we observed the

malware invoking the Windows Command Processor and using the "rd"

Windows command to iterate through the directory structure of the C:\,

deleting the contents:

9 of 15 3/27/2020, 6:52 AM

It is important to note that there is no prior attempt to copy, exfiltrate, or

save a copy of the contents and the malware does not appear to make any

attempt to extort victims or otherwise generate revenue for the malware

author.

Malicious actors are always going to do whatever they can to increase

infection rates and in turn increase revenue, this includes using the news

and fear to achieve their goals. This is one of the cases where both news

and fear can be used. In a world where threats like Emotet are stealing

emails and replying in-line users need to be increasingly skeptical of all

attachments regardless of source. These attacks can be seen in an email

thread with a colleague or friend and, in some cases, may come directly

from that colleague or friend. Additionally, anything news related should

be treated with a little extra skepticism, go out and do your own research

instead of just clicking links and opening documents that are sent your

way.

10 of 15 3/27/2020, 6:52 AM

Ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the

execution of the malware detailed in this post. Below is a screenshot

showing how AMP can protect customers from this threat. Try AMP for

free here.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web

scanning prevents access to malicious websites and detects malware

used in these attacks.

Email Security can block malicious emails sent by threat actors as part of

their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW),

Next-Generation Intrusion Prevention System (NGIPS), Cisco ISR, and

Meraki MX can detect malicious activity associated with this threat.

Threat Grid helps identify malicious binaries and build protection into

all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from

connecting to malicious domains, IPs, and URLs, whether users are on

or off the corporate network.

Additional protections with context to your specific environment and

threat data are available from the Firepower Management Center.

11 of 15 3/27/2020, 6:52 AM

Open Source Snort Subscriber Rule Set customers can stay up to date by

downloading the latest rule pack available for purchase on Snort.org.

Hashes (SHA256)

345d8b4c0479d97440926471c2a8bed43162a3d75be12422c1c410f5ec90acd9

(Parallax RAT)

Adde95e8813ca27d88923bd091ca2166553a7b904173ef7a2c04bb3ddf8b14a9

(Wiper)

C57fa2a5d1a65a687f309f23ca3cfc6721d382b06cf894ee5cd01931bbc17a46

(Nanocore)

Emotet Maldocs (SHA256)

006dc4ebf2c47becdc58491162728990147717a0d9dd76fefa9b7eb83937c60b

0a84308348fee6bbfe64a9ef23bb9c32cb319bcdf5cf78ddfda4a83dadea4b8e

0a8aa3f413a8989bb89599dfc2404f7d34dfbb2e3ce26e900d228e9e8c8908b8

0fdc97da1c297e6fef93910008fc5c47cbdcd3e2987bc163467b34f56de112ff

11b4519b76957b0758381f8e19c5e15d8744f7974716642aeb586c615dde38fa

140da6b610a45f84c6438207ab11942d79eb37831551810f87baae80cfff4593

1c3532d143212078e204d0f81a782deacd58e8f0e7253472e0509491fd1e5201

1e4b01e3e146ff01a3782b01680a5165432af556331d599ec6ad35b4983b216f

2037c7cc809ed3eddd1338d2bec6266cdb449dbf8ff3510fd360a08d229d4f40

21182b7834a7e13033be7b370a68b3d3639f4cae12fe80e2a908404cbd4cd324

2437ef90b60cf3d6bd0c3eebf3f41ed1e403bc31b024b52b0f41ec648d80a583

257afe9f4d7b282b1c0b2f3ebb7e1e80e96c8e0214f1b80ea2b7b636a4e7747d

2bcd35bfb7e4dbdbbf64fce5011199947794425093be7bc74829bfeadb89f0a3

2c9c1e04d806ad8890dd6bf4477efb4ea6c78b8185a9996876bcaea568a04e70

2e47f37bef4dea338e366ce30fe54888e5aaa2d47a5c0db4a3c3e9e5c25f8ace

2f3ee4688a31c8d249b8426f46e392d9c55b85bfad9fb31fb362eb32d38bd9b3

31cb82cd750af6af9ecf369fd26d47dc913f6b56be6ea12b10fe6dd90ef1b5df

12 of 15 3/27/2020, 6:52 AM

32753598f94412fe3dc382dc12dcf2edf7881d9f07814c82aeec36481b9362b5

3386dc7dc67edd5e84244376b6067e3767e914a1cc1fc7fd790a6aa68750a824

37354a04f6d423809602e198e590469173cc8e930cc7fdd4da2c2072977251e9

3981d933de93f55641fdf8cfe980e40a0bf52ce8b022735e8ebc4f08cbb19104

39c17475bdb019010453085830e7f8aa1ef41ca182982491306fcf75166b8e08

3a7a8518b41dd6c05289a08974c95a0038be4e5d1b0588edfd0589fcf22b0c8f

3cd099efe4cb426fdc6276380c224b5478d0841c5c44d2c0a088d039d529d258

3fc33b537fb38e1f586ddb3ebbbe152458dcde336c2f26da81d756e290b5ef00

46f81af256c630969f55554ea832037bc64df4374ec0f06ac83a1c4b89869314

49cfa1b3cbe2bf97079c0dd0a9f604e3f2e7d9fbb6d41128a9889e068aa884f6

4a272dd4a5c6261e983d667dd676875054dd4a4ea11620f16c553fcfd2c44861

501cc107e410b245d1b95b64ae0afdae758375b4b3724acfda44041bad963232

50a3bea4b9686bcf5cac144d4fc18aa178f66c8368205f9065cd1d9a2c41f026

51f0e9b151bde97ebeb813d6eed8a11f02551a6530049f53dc29fc1a20b6699d

587840d28f2585dd5207731d7fda86a0966c82fa592a26f9148b2de45526db55

5b7db5046ba22a6242d5ff6e8f538ad43bba53810117d5eb8f023215aad26e6b

5e20a0ab563950eab76c023101b1dd374becac2a5149a74320b23b59a7f16256

698eb726345c71eca7b4a531bfa76ab6e86ef100f943a727fb5866a84ec79289

6c34cca35d98e464c2f74abd9be670c7f8f707f37cd3f0fd4746c49f8fcf6b07

722a60dfd59a595daa487f2fb759ef6f9ccaabcdf20605d5ae9450cba4a9b9b2

78cf7ea3c1da98941e164f4ac3f75b57e9bce11467bc5a6c6877846f1adcf150

7a97fc7bdd0ad4ef4453c2e52dd8f44dee9b4e91ff3b5518e311ef1ebac3b667

7a9f249978c959e1f11f2992a8ce4a70ba333c8dbdc2638c780bbbe62de4808e

7cbcad4d6e9ad8438e5febd3830bff9aef4729b98d23935ad7f9e6d290272732

7cf8f24d7e8b1e2f63bfa7a18cd420a03fff44126e80aed8cb90fba3c4e986ac

80ee20c604d5d4b51a30dc21da271651f3c085c40281e3ff3e2ee0175d2ca98d

80f8877406e899c6274331aa991b8d1f4f087e3233c36d39fbaebb729c294899

89a0147dec8d6838f14815b577ae41dbcf54953c66e7f5f999ab91fea6ec08fa

8a724fc60bde738694779751d6c63a7ed1caa03518b8f26b9acb36d5c1b29930

8c0a8d6876a6c7fe44962883561d9f48615ee67f4544872ec98f47edcf516509

8f91d27d3a59c08ab4c453b2679f4620696ba67c56280a4c3757368acb20aad3

13 of 15 3/27/2020, 6:52 AM

90c3d8d13ea151bce21a1f4b842d0ed4eaff09842b23311b2326cf63957fc2b2

92af9c8c539ff9f99f79cce8453b1c483d117c095e2e0ffe384d96e35f72dc8b

9367f3ea7460ae40ca69d41398327f97136a93656ef5fad1285a0b82f81522a4

980de93ad93ecaabc048c9fcc9d62e43eeb32f216c4177963cf1bd94ad53074b

9d58ca5383fef5dc837ca9d4251d247bed4ead4a6b90a9aae30568be80e20543

9e4cb963e509fbde6de003a81a3e19cfc703be1c41d20f4b094a0fa89d6ad02c

9f27a826b4b873c9ea23e023f54d5291a50004d67dd5fe64d1f8c8e8b51b74e3

a080d763c60efd4ef2781ad3090c997d1092ac726707366d92d647f26ee2965f

a286e3be694b9525530ec6a65b71a8a91e04042c3471e8a9e440f503fe8ce995

a537c75de9a95be0c071fd6437cbaf3696752f02c3cd5afa1c9cc47c4c755f75

aa6ceb17ced471e1695c99c0718bc24c710311f0daa256cb0783d82218d772c9

ac416780fa4aa340fff2787e630351c5813faceb823424817eb10e82254b785d

b04584ee8b3ba565541cb0f4d8787ed6e8942b6bdec5b1acdc03488b93aeb3cb

b14d70827d5d668aeb31e94be512fea9fb38ead8ec12cdf7617616801c76b6e9

b283e4f841e328f0cc12ebdf76aafb819ebadba7df863681994b69697731cf96

b34f4ec4ae8d66b030f547efe3acc2a71c9ab564f78aac68719ec91dab613bb3

ba4297978b6a6b5fe2b66c32ead47bbd1f2e2f549beed5cd727eb9ae3fed6b6a

bdcef0f16c70086414ff95b69fdbbe7eb0c9814308d3d60143b6c04dfc077257

bf178911f2c063c9592020652dc22076d02ca87d14a7ed7862074d334470ae32

c135f36d3346699e6d2bf9f5f5f638fd9475c0b12144a15a0652b8f1ebb25c12

c6dc408d60c2354a13e835bf826300a6d5258b72b8826e8c46d946cbc1f0b455

c9d3c250ab6d8535b7a4114a1e9545f0b9bc24e4e277640c59b7555f38727885

cba1c3070f76e1a2705afee16bd987b6a8ffa45900cab8cf3b307f60a7b89ac9

cc2507ddd53a6f00265f3be51d7217def786914bd1d700ec3c74a2a7107b3476

d765980228492758a11e534e45924311aef681cb5859f701cd457b6b871c2d06

d8183919d675978d58cd1f134768f88adeea9ce53b167c917e54fff855c6d9f9

da87521ecc146a92a7460a81ebb5ca286450f94c8c9af2a4b3c6c8a180d421c5

dbcef5c217a027b8e29b1b750c42a066650820a129543f19364bcb64ac83bc07

dc66811ce189240c510733be9e1a2175079dddb80ebf02faaa044fce1f7134d0

e17dca7c2c05139fc81302e76e0e9aaa29368b60cb147208cbcb5c8df113f6f6

e250d977e47e7809086dd35a2767f9ef557591dd00e9ce96ef4071e4f0d8c670

14 of 15 3/27/2020, 6:52 AM

e32cca6446f2ddd8430400b16fc171ab3163cf8222669d7d9144e9c85904d5f5

e382ee1ce9d99f4e8e18833bac121c14ee2e5dc29a8b5382ca5b4eda9db7f1aa

e55efa92d87484cf6b251f2302a0c0c7650acd7ea658bf9997bf761b64fe472a

e8221acccdb8381b5da25a1f61f49dda86b861b52fafe54629396ed1e3346282

ea3a0a223474592635d1fb7a0731dd28a96381ad2562e3e064f70e2d4830c39d

eab14b1bfa737644f14f7bb7ace007d418230285364e168e35bd718a6517b316

f2a2bea86ce1a4803345b4aa46824c25d383a0b40b10bb69e528c72305552a2a

f6879431b901df789082452c1c4ffa29e857d247886e421df6dda5fb3d81ca5e

f7209d1099c75acccbef29450271d821fd78ad52176f07aa8a93a9e61e9eaa7f

Domains

vahlallha[.]duckdns[.]org

15 of 15 3/27/2020, 6:52 AM

never ask for your username or password to access safety informationnever email attachments you didn’t ask fornever ask you to visit a link outside of www.who.int never charge money to apply for a job, register for a conference, or reserve a hotelnever conduct lotteries or offer prizes, grants, certificates or funding through email.

COVID-19 Solidarity Response Fund

Criminals are disguising themselves as WHO to steal money or sensitive information. If you are

contacted by a person or organization that appears to be from WHO, verify their authenticity before

responding.

The World Health Organization will:

The only call for donations WHO has issued is the COVID-19 Solidarity Response Fund, which is linked

to below. Any other appeal for funding or donations that appears to be from WHO is a scam.

Beware that criminals use email, websites, phone calls, text messages, and even fax messages for their

scams.

You can verify if communication is legit by contacting WHO directly.

1 of 3 3/27/2020, 6:37 AM

Contact WHOReport a scam 

give sensitive information, such as usernames or passwordsclick a malicious linkopen a malicious attachment.

Phishing: malicious emails appearing to be from WHO

WHO is aware of suspicious email messages attempting to take advantage of the COVID-19 emergency. Thisfraudulent action is called phishing.

These “Phishing” emails appear to be from WHO, and will ask you to:

Using this method, criminals can install malware or steal sensitive information.

How to prevent phishing:

1. Verify the sender by checking their email address.  

Make sure the sender has an email address such as ‘person@who.int’ If there is anything other than‘who.int’ after the ‘@’ symbol, this sender is not from WHO.  

For example, WHO does not send email from addresses ending in ‘@who.com’ , ‘@who.org’ or ‘@who-safety.org’.

2. Check the link before you click.  

Make sure the link starts with ‘https://www.who.int’.  Better still, navigate to the WHO website directly,by typing ‘https://www.who.int’ into your browser.

3. Be careful when providing personal information. 

Always consider why someone wants your information and if it is appropriate. There is no reason someonewould need your username & password to access public information.

4. Do not rush or feel under pressure. 

Cybercriminals use emergencies such as 2019-nCov to get people to make decisions quickly. Always taketime to think about a request for your personal information, and whether the request is appropriate.

2 of 3 3/27/2020, 6:37 AM

Report a scam 

5. If you gave sensitive information, don’t panic.  

If you believe you have given data such as your username or passwords to cybercriminals, immediatelychange your credentials on each site where you have used them.

6. If you see a scam, report it.  

If you see a scam, tell us about it.  

3 of 3 3/27/2020, 6:37 AM

1 of 6 3/27/2020, 8:01 AM

2 of 6 3/27/2020, 8:01 AM

3 of 6 3/27/2020, 8:01 AM

“

4 of 6 3/27/2020, 8:01 AM

5 of 6 3/27/2020, 8:01 AM

6 of 6 3/27/2020, 8:01 AM

1 of 7 3/27/2020, 8:02 AM

2 of 7 3/27/2020, 8:02 AM

“

3 of 7 3/27/2020, 8:02 AM

“

4 of 7 3/27/2020, 8:02 AM

’

5 of 7 3/27/2020, 8:02 AM

6 of 7 3/27/2020, 8:02 AM

7 of 7 3/27/2020, 8:02 AM

How to E-Notarize a Document in Compliance with Executive Order 202.7 Dated March 19, 2020

The following are the steps that must be taken to e-notarize a document in New York State for the period of March 19, 2020 through April 18, 2020.

• An audio-video conference must be set up enabling live interaction between the person signing the document and the notary.

• If the notary DOES NOT have personal knowledge of the individual, he or she must show the notary a valid ID DURING the video conference. A recorded video of the person displaying the document is NOT sufficient. It is not acceptable to show the notary the ID before or after the video conference.

• The person signing the document must affirm to the notary that he or she is physically present in New York State.

• The person then signs the document during the video conference, dates the document, and then on the SAME day either emails or faxes a LEGIBLE copy of the document to the notary.

• The notary then notarizes the emailed or faxed document and sends it back to the person via email or fax.

• If the person needs an executed original, the original document AND the e-notarized document must BOTH be sent to the notary within 30 days of the electronic execution. Then, the notary can notarize the original document and date it with the e-notarized date.

Daler Radjabov is the Legal Technology Operations Manager at the New York County Lawyers Association and has been with NYCLA since 2013. Daler is a graduate of Handong Global University in South Korea where he double majored in US & International Law and Global Management. He received his J.D. Equivalent degree from Handong International Law School in South Korea and LLM degree from Regent University in Virginia Beach, VA. Daler is a member of the New York Bar.