Due to the wide interest in COVID-19, both criminal and espionage threat actors have been distributing malicious documents themed around the pandemic. FireEye expects to see continued use of coronavirus themed lures by both opportunistic and targeted financially motivated attackers due to the global relevance of the theme.

Jens Monrad, FireEye’s Head of Mandiant Threat Intelligence, EMEA observes that since January, FireEye has noticed both cybercriminals and state-sponsored espionage campaigns using COVID-19 or coronavirus themed lures in phishing emails. These are typically in the form of email attachments and links that look like they are genuine, but are in fact malicious. This activity has increased since January as more nations are dealing with infections. Some of the malware campaigns FireEye has observed are responsible for a large volume of spam and phishing emails as well as being used to deliver ransomware like Emotet, Trickbot, Nanocore, AZORult, FormBook, Remcos RAT and AgentTesla.

The lures vary from claiming to be from widely known healthcare sources like the World Health Organization to being very specific and relevant to a small audience. FireEye has also observed cybercriminal activity on forums where sellers have put out advertisements for selling items/kits designed to exploit the current situation. This could either be malicious virus tracking maps or other malicious code used in COVID-19 campaigns.

Coronavirus-themed spear-phishing emails have been increasingly used to deliver malware to a range of industries and regions. By taking advantage of current events, threat actors are better able to increase their chances of gaining access to targets of interest. We anticipate that malicious actors will continue to exploit populations’ senses of urgency, fear, goodwill, and mistrust to enhance their operations, particularly regarding events within the medical field, government announcements, economic implications, deaths of high-profile individuals, and civil disturbances.

Says Monrad, “We encourage users to remain vigilant about socially engineered campaigns and disinformation related to the coronavirus. People should use government trusted sources for any information related to the current situation and, in the cases where they receive coronavirus related emails and were not expecting them, they should carefully examine why they are receiving them and consider not engaging with the emails.”