Several New Coronavirus-Themed Phishing Scams and Malspam Campaigns Detected

Further email campaigns have been detected that are using the novel coronavirus (COVID-19) outbreak as a lure to spread malware, phish for sensitive data, and fool people into making donations to fake charities.

The World Health Organization has previously issued a warning that cybercriminals were using its logos in malicious email campaigns and those campaigns have continued. Campaigns have also been detected impersonating the Centers for Disease Control and Prevention (CDC), and the Center for Public Health, a division of the Ministry of Health of Ukraine.

One of the latest WHO phishing campaigns claims to provide updates on the Coronavirus outbreak and offers recipients important information to help them protect their health and protect the health of others. The email offers an e-book named My-Health.PDF that is essential reading. The supposed PDF file is contained in a zip file attachment, although it is actually an executable file – My-Health.exe. If Windows is configured not to display known file extensions, a user may be fooled into thinking this is an e-book.

Executing the file, which is a malware downloader called GULoader, will result in the download of the FormBook information stealing Trojan. The Trojan is capable of logging keystrokes, stealing data from the clipboard, taking screenshots, and stealing data such as banking credentials, as it is entered on the internet. This campaign was discovered by MalwareHunterTeam.

A separate campaign was detected by ZLab-Yoroi Cybaze researchers which also claims to provide information to help people protect against Coronavirus. The CoronaVirusSafetyMeasures_pdf file is believed to be sent in phishing emails. It also appears to be a PDF file but is actually an executable file that downloads a persistent information stealer.

Cofense also reports a phishing campaign has been detected that impersonates the CDC and warns that the Coronavirus has now become airborne and that cases have been detected at the user’s location. The email contains a link that appears to be an official CDC link, but is actually a link to a malicious website that harvests Outlook credentials. The user’s email address is already added to the form, so they just need to enter their password. Cofense also identified a campaign that impersonates WHO that is being used to deliver the Agent Tesla keylogger. The emails also claim to provide Coronavirus safety information.

Mimecast, KnowBe4, and Microsoft X-Force have also identified Coronavirus-themed phishing campaigns targeting individuals in the United States and United Kingdom, and Checkpoint has reported that it has detected campaigns spreading the Emotet Trojan.

Checkpoint also notes there have been more than 4,000 coronavirus-related domains registered, of which 3% have been confirmed as malicious and 5% were found to be suspicious. Checkpoint warns that coronavirus themes URLs are 50% more likely to be malicious than other domains registered in the same period.

The volume of coronavirus-themed phishing emails being detected has prompted the U.S. Federal Trade Commission (FTC) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to issue warnings and provide advice on how to recognize potential scams.

The advice is the same for avoiding all phishing scams and malicious emails:

  • Do not click links in unsolicited emails
  • Exercise caution with email attachments
  • Only trust coronavirus information from official sources, such as an official government website
  • Never to reveal personal information in emails or respond to email requests soliciting sensitive information
  • Verify the authenticity of any charity before making a donation.

Author: NetSec Editor