Advisory, Blog March 19, 2020

Attackers Taking Advantage of the Coronavirus/COVID-19 Outbreak


Following the latest developments of the emergence of the novel coronavirus disease 2019 (COVID-19) which has brought disruptive changes in our daily lives and chaos throughout the three-sector economic model – primary (raw materials), secondary (manufacturing), tertiary (services), unfortunately we are observing an increasing risk on cybersecurity threats related to COVID-19.

In particular, Obrela Security Industries (OSI) observed an extensive list of newly registered COVID-19-related domains and a surge of highly sophisticated, crafted COVID-19 themed phishing emails. Bad actors are using these techniques and are trying to lure victims into reacting on these phishing emails by promising that email attachments and links contain information about COVID-19.

Key Findings 

Malicious entities in their effort to increase their credibility, will often impersonate trusted and reputable organizations, such as the World Health Organization, in order to get users to open attachments or click on malicious links.

Existing phishing campaigns which are capitalizing on the coronavirus panic, can serve as template and adjusted accordingly in order to target specific groups (countries, industries, individuals).

The number of newly registered domains related to coronavirus has increased since the outbreak of the virus. This is a clear indication that cybercriminals are setting up their infrastructure to support malicious activities.

What to do to protect your business 

Below are some tips that can help you defend against the above real-world cyber-attacks and reduce the risk of infection via botnet spam:

  • All emails with Coronavirus-themes and attachments should be treated with caution, even if they don’t appear to be directly health-related. Cybercriminals are taking advantage of fears surrounding the Coronavirus
  • Be vigilant about phishing emails, raise the cyber security awareness of the employees and continuously measure the effectiveness of the output. Educate and inform the employees regarding the dangers associated with opening attachments on unusual emails. Consider implementing a training program to improve the employees’ awareness of cyber security and improve their ability to spot and report suspicious emails
  • Review, update and implement the organization-wide patch management life-cycle process. Determine the priority of the patches and schedule the patches for deployment. Ensure that patches are deployed in a timely manner
  • Have an incident response plan in place to mitigate the risks of being a victim of the latest cyber-attacks. An incident response plan helps ensure an orderly, fast and effective response to cybersecurity incidents. It is crucial for your team to quickly escalate, contain and recover from security incidents before further damage can take place
  • Segregate networks to isolate critical infrastructure and assets from potential threats and limit the malware’s ability to spread
  • Install security updates as soon as they become available in order to fix exploitable vulnerabilities in your products. Make sure that critical security point solutions, deployed throughout your environment like endpoint detection and response (EDR) and anti-virus solutions, are always up to date
  • Use two-factor authentication, wherever possible, to authenticate users so that if malware steals credentials, they can’t be reused
  • Practice the principle of least privilege for file, directory, and network share permissions. Do not provide users with any more privileges than are strictly necessary
  • Utilize deployed email content scanning solutions with email content filters and dynamic email analysis sandboxing capabilities in order to prevent malicious content from reaching users and reduce the likelihood of compromise
  • Review the use of macros within your environment. Disable macro scripts from Office files transmitted via email and where possible, it is recommended to block macros from the internet and only allow macros to execute from trusted locations and after approval has been given from personnel whose role is to vet and approve macros
  • Practice good cyber hygiene. It is a fundamental requirement of risk mitigation and helps your organization protect valuable and sensitive information
  • Implement application whitelisting using software restriction policies and controls. The goal is to better control the process of application deployment and ensure that only essential and approved applications are running on a machine
  • Employ best practices for securing Remote Desktop Connections. Properly securing your remote desktop connections is vital because of the capabilities and the extensive use of the remote desktop solution. Use strong passwords, don’t save login credentials in your RDP files, limit administrators who don’t need RDP, use lockout policies are some of the necessary steps you should take in order to improve the security of remote desktop connections
  • Continuously monitor your environment and act when necessary. Advanced Managed Detection and Response (MDR) service’s capabilities provide a holistic approach in dealing with a wide variety of cyber security threats. OSI MDR services can proactively and effectively help your organization throughout the entire life cycle of the incident management process, in order to resolve the incident as quickly as possible and with the least impact on businesses processes.

Active campaigns: 

OSI detected that an increasing number of actors and malware are employing the above-mentioned techniques. An indicative list of active campaigns can be found below:

Trickbot campaign  

Targets coronavirus outbreak and fears in Italy. Specially crafted spam email, written in Italian, and targeting Italian e-mail addresses. The e-mail contains a Word document purported to be a list of precautions measures. But the reality is that the enclosed file is a weaponized Microsoft Word document which contains a Visual Basic for Applications (VBA) script that carries a dropper used to deliver a new Trickbot variant.

Latest Indicators of Compromise (IOCs) 

  • Network indicators (URL/IP)



  • File hashes




Emotet campaign 

Emotet is an advanced, self-propagating Trojan. It was originally targeting organizations and companies in the banking and finance sector. Nowadays, the Emotet malicious malware is spreading via coronavirus-themed spam emails. There were identified cases of spam campaigns targeting users in Japan that employ the coronavirus scare as a lure to trigger people to open malicious emails. The text content of the phishing email is written in Japanese and the e-mail contains Microsoft Office files which are weaponized with macros that, when run, would deliver a variant of the Emotet Trojan.

Latest Indicators of Compromise (IOCs) 

  • Emotet is so destructive and pervasive that there is a Twitter  feed  (here) updating the security community on the latest Emotet IoCs on a daily basis

AZORult trojan 

It is a coronavirus-themed email attack which is targeting the shipping industry by leveraging the concerns and fears over COVID-19 and its impact on global shipping industry. AZORult is an information-stealing trojan which exfiltrates sensitive data from a compromised system and can steal browsing history, cookies, ID/passwords, cryptocurrency and more. In addition, there is also a variant of the AZORult that creates a new, hidden administrator account on the infected machine in order to allow Remote Desktop Protocol (RDP) connections. The malicious e-mail contains a weaponized Microsoft Word document which exploits the CVE-2017-11882 vulnerability. Once the attachment is opened the AZORult trojan is installed on the compromised system. According to our research, the malicious emails are originating from groups in Russia and Eastern Europe.

Latest Indicators of Compromise (IOCs) 

  • Network indicators (URL/IP)





  • File hashes

7e71eda28ecca392d6e86a9004c3bd38c7cbdf79399e90742feac5fa066aba66 a6abe3b046e8bdcfb33fa9776195fbb89a3e4218f6bb281aedd15f28fe1f4818 bad303ab4b68379128469e3be92d5bf3b23ec7bb285a260b1fadeead3fe43bbf bc55f494359805cc4d89f6812c3a1a14d593d9ead82267dcae7029dcbddebcab be2201940b246ae89cae4f6d0a691a1092289868230f1da85f9142d180709744

681297a82e85822a1cb5a58296a515151f417bb8aafe5d4505d2219b4fe61438 70576eb8cd35093b1ef56da7fb39bf88f32c57f410484d613b5028cecbb1b0df

f34e64f4e7be7e6b2c665700ec513b4783e570a4de2087ac9511f152d812b2f5 f4b4158338fe30016fb7034b70bc3babcee3be21ea5c214451d83e3cb31233d8

In addition to the above technique to spread the AZORult trojan, security researchers have identified and reported that malicious actors have developed an alternative technique in order to successfully spread and deliver the AZORult trojan – a weaponized coronavirus map similar to the original Johns Hopkins University coronavirus map.

Latest Indicators of Compromise (IOCs) 

  • Network indicators (URL/IP)










  • File hashes







Lokibot trojan 

Coronavirus-themed malicious spam campaign, targeting users in China. The malicious spam campaign claimed to be from the Ministry of Health of the People’s Republic of China. The phishing e-mail contains a malicious .arj file (Windows RAR archive file), purported to be a list of precautions measures. Once the victim opens the attachment, it results in a Lokibot trojan infection. Lokibot has keylogging capabilities for stealing sensitive personal information.

Latest Indicators of Compromise (IOCs) 

  • Lokibot is most commonly seen to send a POST request to <DOMAIN>/subdir/subdir1/../fre[.]php, although other less-common patterns have also been observed in the wild (e.g. <DOMAIN>/subdir/subdir1/cat[.]php)
  • Network indicators (URL/IP)






  • File hashes




Agent Tesla 

It is an advanced RAT malware that has keylogging capabilities for stealing email credentials and passwords from browsers. The threat actors have impersonated the World Health Organization (WHO) and have sent out malicious email messages using the subject line “Attention: List Of Companies Affected With Coronavirus March 02, 2020.” that contained a malicious attachment that dropped the Agent Tesla Keylogger. The phishing e-mail contains a malicious attachment which is labeled as “SAFETY PRECAUTIONS” and has a .exe extension. The icon of the executable is a Microsoft Office Excel file, and intends to trick the end user into believing that the attachment is indeed an Excel document.

Latest Indicators of Compromise (IOCs) 

  • Network indicators (URL/IP)













  • File hashes



  • YARA Rules


Contact us here