COVID-19 has captured the world’s attention on an unprecedented scale, and there’s hardly an industry or sector that hasn’t been affected in some way by the rapid global spread of the pandemic.

Proofpoint, specialises in email fraud security, last week released a report outlining the extent to which the coronavirus can drastically change an industry: 80% of the overall threat landscape is using the virus as a theme in their attacks.

This includes attacks that don’t outright mention coronavirus in the subject or body of a message but instead reference it within attachments, links or lures.

Since January 29, when the cybersecurity company first started tracking malicious activity associated with COVID-19, Proofpoint has recorded 500,000 messages, 300,000 malicious URLs, and 200,000 malicious attachments with coronavirus themes across more than 140 campaigns.

Instances of the attacks are rising as the crisis worsens – as fear and panic grow within the general public, attackers become emboldened and take advantage of a once-in-a-century crisis to wreak havoc on security systems.

Nearly every type of established cyber attack has been used with coronavirus themes, including business email compromise (BEC), credential phishing, malware, and spam email campaigns.

The most popular and effective attack is credential phishing. The threat actors behind these attacks run from small unknown actors to prominent threat actors like TA542 (the group behind Emotet).

Here are some examples of each attack using COVID-19 as leverage to breach security:



Credential phishing - ‘COVID-19 Infected Our Staff’

A relatively small campaign in the US, one credential phishing attack uses a company-wide email to target retail companies and uses concerns about infected staff members to try and lure victims to click, leading to Microsoft Office credential phishing.

The lure – ‘COVID-19 Infected Our Staff’ as the subject line – hooks the reader and leads to the body, which claims ‘a staff member of our company has contracted this deadly disease (COVID-19)’.

The email then encourages the recipient to open/download a malicious attachment titled ‘follow the company’s new protocol.’ The malicious attachment links to a webpage that spoofs the Microsoft Office login and asks the user for their credentials.



Malware – ‘Your Neighbors Tested Positive’

Another smaller campaign in the US, this one targets energy, construction and telcos with an email using the subject line ‘coronavirus update disease (COVID-19) your neighbors tested positive’.

Using the heightened paranoia that comes with such a highly infectious disease, the campaign encourages readers to open a malicious attachment named ‘receipt.xlsm’ which uses macros to download the Remcos remote control tool.



Malware - GuLoader/Agent Tesla with WHO “Solution” for COVID-19

This malware campaign targets manufacturing, construction, transport, healthcare, automotive, energy and aerospace using the GuLoader and Agent Tesla tools.

The email spoofs the real address of the head of the World Health Organisation (WHO), claims there is a ‘solution’ for ‘total control’ and asks the recipient to ‘share with all contacts.’

As is common with many email cyber attacks impersonating a reputable source or organisation, grammatical mistakes are the most glaring clues hinting at malicious intent.

The subject – ‘Breaking!!! COVID-19 Solution Announced by WHO At Last As a total control method is discovered’ – features an overuse of exclamation marks and an abrupt shift from capitalising every word to not. Official emails from a United Nations agency would not look like this.

The malware contained in the attachment contains GuLoader compressed in .iso format.

If the recipient opens and runs the attachment, GuLoader installs Agent Tesla, a Trojan written in Visual Basic that can steal usernames, passwords, and credit card information from the user’s system.