Threat Advisory: Mitigating Cyber Attacks Using Coronavirus Pandemic

March 12, 2020


Recently, there has been a significant increase in cyber attacks that take advantage of the global COVID-19 (Coronavirus) pandemic.

Threat actors are exploiting the demand for information on COVID-19 to spread malware infections through phishing emails. These emails, particularly the subject lines, are designed to appear to contain valuable information about the current status of the outbreak in order to lure victims into opening attachments or clicking malicious links. Sample email subject lines include:

  • “COVID-19 – Now Airborne, Increased Community Transmission”
  • “Attention: List Of Companies Affected With Coronavirus March 02, 2020”

Once the user downloads the attachment or clicks the malicious link, code that deploys one of many malware families to the victim’s host network starts running in the background. Security researchers have observed that many of these attacks rely on trusted branding to increase their chances of success.

In addition, the spread of Coronavirus is forcing many organizations to set up a remote workforce for their employees. This increases the attack surface and potentially exposes employees to known cyberattacks that may have been blocked by security controls set in place within the corporate network.

Therefore, it's important to be adequately prepared with documented processes for secure remote access as more employees connect from their home and/or public networks. This preparedness should already be in place and play an active role in the organization's Business Continuity Plan. Business leaders should review it regularly to ensure it is up-to-date.

Technical Details 

Threat actors have weaponized phishing attacks with malware including Trickbot, Lokibot, Agent Tesla, Emotet, TrickyMouse, Remcos RAT, AZORult, and Kpot, to name a few.

Some highlighted malware infections observed by security researchers are:

  • One of the most recent campaigns included Kpot, which is a password-stealing Trojan with an emphasis on exfiltrating account information and data from web browsers, IMs (instant messengers), email, VPN, RDP, FTP, cryptocurrency and gaming software.
  • Proofpoint discovered a campaign in early February where threat actors were citing shipping concerns to target multiple industries, including manufacturing, industrial, finance, transportation, pharmaceutical, and cosmetic companies. Emails in this campaign contained a Microsoft Word document attachment that exploits a vulnerability (CVE-2017-11882) to install the information-stealing malware AZORult.
  • A campaign spoofing the World Health Organization (WHO) as the sender has been noted to deliver the Agent Tesla keylogger via a .exe attachment using a Microsoft Excel icon. The email claims that the attachment contains safety precautions regarding Coronavirus.
  • Another phishing campaign masquerading as the WHO and the Ministry of Health of Ukraine has been targeting Russia, Ukraine, and several other European countries using a Coronavirus-themed email involving a Microsoft Word document attachment with an embedded macro. This time, the payload is named TrickyMouse, and is possibly related to the Hades organization. The functions of this attack involve information gathering (user name, hostname, etc.), a keylogger to steal credentials, and screen capture.
  • Using the pretext of Emergency Regulations regarding the Coronavirus, the group behind Lokibot is spoofing emails from the Ministry of Health in the People’s Republic of China to send emails containing an archived Windows batch file. The email advises the user to take the necessary precautions and uses the rising death toll in an attempt to scare the reader into opening and running the attached file.
  • Another Coronavirus-themed campaign uses Emotet as the payload, with the contents of the emails urging victims to open a Microsoft Word document attachment with a macro and view a notice regarding prevention measures. The extracted macros use the same obfuscation technique as other Emotet emails observed in the past few weeks.
  • A phishing campaign that primarily targets Italian email addresses has been found to contain a Microsoft Word document with embedded macros that spreads the Trickbot banking trojan, which is known to steal victims' confidential information and download additional malware.
  • Lastly, another campaign observed by researchers relies on a phishing email with a PDF offering safety measures against Coronavirus. Downloading the PDF attachment also downloads executables for a Remcos RAT dropper that runs together with a VBS file executing the malware. The backdoor has capabilities such as clipboard stealing, keylogging, and the ability to lift screenshots from a victim’s computer.
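
The delivery methods listed above (an executable posing as a spreadsheet, an archived batch file, a macro-enabled Word document) can be checked at the mail gateway. The following triage sketch is an added example, not part of the original advisory or any Herjavec Group tooling; the function names, keyword pattern and extension list are assumptions, and it inspects attachments only, not links or legacy OLE2 `.doc` macros.

```python
import io
import re
import zipfile
from email.message import EmailMessage

LURE = re.compile(r"covid-?19|coronavirus", re.I)  # terms from the advisory's sample subjects
SCRIPT_EXT = (".exe", ".scr", ".bat", ".cmd", ".vbs", ".js")  # assumed extension list

def attachment_findings(name, data):
    """Return reasons an attachment matches a delivery method described above."""
    findings = []
    if data[:2] == b"MZ":  # Windows PE header, regardless of icon or file name
        findings.append("executable content")
    if name.lower().endswith(SCRIPT_EXT):
        findings.append("script/executable extension")
    if data[:4] == b"PK\x03\x04":  # ZIP container: plain archive or OOXML document
        try:
            members = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return findings + ["malformed archive"]
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            findings.append("Office document with VBA macros")
        if any(m.lower().endswith(SCRIPT_EXT) for m in members):
            findings.append("archive contains script/executable")
    return findings

def triage(msg):
    """Quarantine only when a pandemic-themed subject meets a risky attachment."""
    lure = bool(LURE.search(msg.get("Subject", "")))
    findings = []
    for part in msg.iter_attachments():
        findings += attachment_findings(part.get_filename() or "",
                                        part.get_payload(decode=True) or b"")
    verdict = "quarantine" if lure and findings else "review" if findings else "deliver"
    return verdict, findings

def sample(subject, name=None, data=b""):
    """Build a constructed test message (not real campaign data)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("See attachment.")
    if name:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg

def zip_bytes(member):
    """Build a constructed one-member ZIP in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, b"constructed")
    return buf.getvalue()
```

A risky attachment without a pandemic-themed subject is returned as `review` rather than `deliver`, so the subject check raises priority without becoming the only gate.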

Mitigation Recommendations

Herjavec Group emphasizes the importance of having business continuity planning and emergency preparedness processes in place to help reduce the impact of COVID-19. This is especially the case for organizations in the critical infrastructure sector and the supply chain industry.

In addition, organizations must ensure that they are prepared for the possibility of enabling a company-wide remote workforce by assessing the cyber hygiene practices followed by their employees.

Herjavec Group also aligns with the following recommendations made by CISA as best practices to strengthen the security posture of your organization's corporate networks:

Infrastructure Protection
  • Designate a Response Coordinator and assign team members with specific responsibilities
  • Implement a formal worker-and-workplace protection strategy and ensure that employees receive training on the protection strategies
  • Establish and test flexible workforce options (e.g. remote work) and work hour policies
  • Identify essential functions, goods, and services your organization requires to sustain successful operations and determine how long your organization can expect to continue providing these essential functions in potentially reduced quantities.
  • Identify and prioritize suppliers of critical products and services for your organization
  • Continuously assess ongoing preparedness activities to adjust objectives, effects, and actions based on changes in the business and greater economic & social environment.
  • Monitor federal, state, local, tribal, and territorial COVID-19 information sites for up-to-date information on containment and mitigation strategies.

Safety Measures for Supply Chains
  • Assess your organization’s supply chain for potential impacts from the disruption of transport logistics and international manufacturing slowdowns resulting from COVID-19
  • Discuss with the respective suppliers any challenges they may be facing or expect to face due to the ongoing pandemic
  • Identify potential alternate sources of supply, substitute products, and/or conservation measures to mitigate disruptions to your business operations
  • Maintain a steady line of communication with key customers to keep them informed of any issues you have identified and the steps you are taking to mitigate them

Cyber Hygiene Practices for Organizations
  • Take any necessary steps to secure systems that enable remote access, such as:
    • Ensuring Virtual Private Networks (VPNs) and other remote access systems are fully patched
    • Enhancing system monitoring to receive early detection and alerts on abnormal activity
    • Implementing multi-factor authentication (MFA)
    • Ensuring all machines have properly configured firewalls, as well as anti-malware and intrusion prevention software installed.
  • Test the current capacity of secure remote access solutions and increase the capacity if necessary
  • Ensure that business continuity plans are up-to-date
  • Increase the awareness of IT support mechanisms for employees who work remotely and clearly outline the steps to take in the event of a security incident
  • Update Incident Response plans to consider workforce changes in a distributed environment

Cyber Hygiene Measures for the Workforce and Consumers
  • Avoid clicking on links in unsolicited emails and be wary of email attachments
  • Do not reveal personal or financial information in emails, and do not respond to email solicitations for this information
  • Review Tips on Avoiding Social Engineering and Phishing Scams for more information on recognizing and protecting against phishing
  • Review the Federal Trade Commission’s blog post on coronavirus scams for information on avoiding COVID-19 related scams
  • Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19

We recognize the imminent threat posed by Coronavirus not only to the health of the general public but to business operations as well. Therefore, it is critical that business leaders take any necessary steps to ensure that business operations continue as close to the norm as possible.

For more information on how Herjavec Group can help your organization with an emergency preparedness plan, or secure remote access solutions, please connect with us.

Herjavec Group’s Managed Services team will be proactively blocking names/IP addresses where applicable, following documented change processes as per usual.

Download the summary of IOCs relating to known malware families as well as domains specific to COVID-19 below (originally circulated by Recorded Future).

About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.
