ATTENTION: The Department of Health and Human Services and the Health Sector Cybersecurity Coordination Center Bulletin “Fake Online Coronavirus Map Delivers Well-known Malware” is attached to this email as a .pdf document.
Posted over 5 years ago by Mary louise Neyhart
This announcement has 1 attachment:
(U//FOUO) ANALYST COMMENT: A malicious website claiming to be the live map for coronavirus/COVID-19 produced by Johns Hopkins University is circulating around the Internet. The website infects the user with the AZORult Trojan, an information-stealing program which can exfiltrate a variety of sensitive data. It is likely to be spread via infected email attachments, malicious online advertisements, and social engineering. Anyone searching for a map of the coronavirus could unwittingly navigate to this malicious website. The correct address is https://coronavirus.jhu.edu/map.html.
(U//FOUO) UPDATE: The site’s current IP address is 50.63.202.36. However, the bad actors who operate the site have moved the site’s DNS and IP at least once. Because the IP address could continue to change over time, the best practice for protecting against such threats is a layered, defense-in-depth approach. Recommendations include:
- Implement a Malicious Internet Hosts Policy and category blocks for non-business-related browsing activity via an Internet proxy service.
- Establish next-generation firewalls with policies to only allow inbound and outbound traffic to known good business-related IPs.
- Collect, monitor, and review logs and set up thresholds with alerting on suspicious behavior.
- Ensure all endpoint and malware detection and prevention solutions are kept up to date.
- Maintain the principle of least privilege on all end-user machines and workstations.
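
An added example, not part of the HHS/HC3 bulletin: one way to apply the log-review recommendation to proxy logs, flagging both the reported IP and coronavirus-map URLs on any host other than the legitimate one, so detection still works after the IP changes noted above. The log format, keyword list, threshold and sample lines are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# From the bulletin: the legitimate map host and the fake site's last reported IP.
LEGIT_HOST = "coronavirus.jhu.edu"
REPORTED_IP = "50.63.202.36"
# Assumption: lure keywords a lookalike map URL is likely to contain.
LURE_WORDS = ("corona", "covid")

# Constructed sample proxy log (assumed format: time client dest_ip url).
SAMPLE_LOG = """\
2020-03-12T09:01:10Z 10.0.0.21 192.0.2.10 https://coronavirus.jhu.edu/map.html
2020-03-12T09:02:44Z 10.0.0.35 50.63.202.36 http://lookalike-map.example.test/index.html
2020-03-12T09:05:02Z 10.0.0.35 198.51.100.7 http://corona-virus-map.example.test/live
2020-03-12T09:07:30Z 10.0.0.48 203.0.113.5 https://intranet.example.test/covid-policy.pdf
malformed line
"""

def classify(line):
    """Return (client, reasons) for a flagged request, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None  # skip lines that do not match the assumed format
    _, client, dest_ip, url = parts
    try:
        u = urlsplit(url)
        host = (u.hostname or "").lower()
    except ValueError:
        return None
    reasons = []
    # IP match is checked for every host, but it goes stale when the site moves.
    if dest_ip == REPORTED_IP:
        reasons.append("reported-ip")
    # Hostname/path match keeps working after an IP change.
    text = host + u.path.lower()
    if host != LEGIT_HOST and "map" in text and any(w in text for w in LURE_WORDS):
        reasons.append("lookalike-map-url")
    return (client, reasons) if reasons else None

def alerts(log_text, threshold=2):
    """Map each client with >= threshold flagged requests to its reasons."""
    hits = {}
    for line in log_text.splitlines():
        flagged = classify(line)
        if flagged:
            hits.setdefault(flagged[0], []).append(flagged[1])
    return {c: r for c, r in hits.items() if len(r) >= threshold}

if __name__ == "__main__":
    print(alerts(SAMPLE_LOG))
```
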
This product is marked TLP: WHITE. Recipients may share TLP: WHITE information with peers and partner organizations within their sector or community.