Nation-State Hackers Using COVID-19 Fears to Spread Malware

Researchers Find Healthcare Crisis Used As a Lure for Phishing Emails

Nation-state hackers, as well as cybercriminals, are now attempting to use phishing emails with themes tied to the global COVID-19 crisis to spread malware, according to recent security reports.

Now that the World Health Organization has declared COVID-19 a pandemic, and U.S. President Donald Trump has declared a state of emergency, hackers with apparent links to the governments of China, Iran and other nations are using the crisis to create phishing emails designed to lure victims, according to Recorded Future.

These emails contain malicious attachments that are then used to spread malware strains, including TrickBot, Lokibot and AgentTesla, which are all capable of stealing data from infected systems, according to the Recorded Future report.

And as the COVID-19 crisis spreads, so will the efforts by these threat groups to take advantage of the situation for their own means, the report states. "We assess that as the number of COVID-19 cases, as well as publicity around the virus, rises globally, both cybercriminals and nation-state actors will increasingly exploit the crisis as a cyberattack vector."

As of midday Monday, COVID-19 had led to the deaths of over 6,700 people and infected more than 174,000 worldwide, according to data collected by a research team at Johns Hopkins.

Malicious Campaigns

While various cybercriminals began taking advantage of the COVID-19 crisis as early as January with phishing emails designed to steal credentials and passwords of unsuspecting victims, nation-state hackers are now moving to use the crisis to their advantage, according to the Recorded Future report (see: Coronavirus Fears Lead to New Wave of Phishing, Malware).

In one case, the Recorded Future analysts found that a group that they refer to as Mustang Panda sent phishing emails to unnamed targets that contain a compressed Windows .rar file that supposedly offers statements on the pandemic made by Nguyen Xuan Phuc, the prime minister of Vietnam. That file, if opened, contains a Windows shortcut file that displays a Word document. While the victim is looking at the document, macros operating in the background download a malicious executable that communicates with a command-and-control server, according to the report.

In a 2018 report by security firm CrowdStrike, Mustang Panda is described as an advanced persistent threat group with ties to China that has been known to target think tanks and other nongovernment groups in the U.S.

The Recorded Future analysts also found that an unnamed group apparently linked to Iran is attempting to get Iranian citizens to download an Android app portrayed as tracking the COVID-19 outbreak in that country.

If downloaded, the Android app acts as spyware and can track victims' locations and movements, according to the report.


Meanwhile, on Monday, Malwarebytes published a report on recent coronavirus-related activities by an advanced persistent threat group called APT36, which is believed to operate out of Pakistan and target organizations in India.

"During their past campaigns, they [APT36] were able to compromise Indian military and government to steal sensitive data including army strategy and training documents, tactical documents and other official letters," according to the report.

The Malwarebytes researchers found that APT36 is now using both spear-phishing and watering-hole attacks to target organizations in India. The emails used in these attacks deploy a malicious attached document disguised as an Excel spreadsheet that supposedly contains a coronavirus, according to the report.

Phishing email attachment disguised as coronavirus update (Source: Malwarebytes)

If the recipient opens the Excel document, malicious macros attempt to download a remote access Trojan called Crimson, according to the Malwarebytes report. This Trojan can steal credentials; capture screenshots of the infected device; communicate with a command-and-control server using a custom TCP protocol; list processes, drives and directories on the infected device; and collect data on anti-virus software, according to the report.

Other Attacks

Meanwhile, cybercriminals are also refining their efforts to take advantage of the global health crisis.

For example, security firm Digital Shadows says a Russian-language forum for cybercriminals called XSS advertised COVID-19-themed phishing email kits that are disguised with real-time information from the World Health Organization and the Johns Hopkins Center for Systems Science and Engineering, which are both helping to track the spread of the virus.

Phishing kit sold in the Russian underground (Source: Digital Shadows)

The kit retails for $200 to $700, says Alex Guirakhoo, strategy and research analyst at Digital Shadows.

"Even sophisticated threat actors rely on phishing as an initial attack vector," Guirakhoo tells Information Security Media Group. "For example, malicious documents purporting to contain important information on the spread of the virus can be used to install remote-access Trojans or information-stealing malware on victim devices. This activity is likely to increase as the pandemic develops."

Managing Editor Scott Ferguson contributed to this report.

About the Author

Ishita Chigilli Palli

Senior Correspondent, Global News Desk

As senior correspondent for Information Security Media Group's global news desk, Ishita covers news worldwide. She previously worked at Thomson Reuters, where she specialized in reporting breaking news stories on a variety of topics.
