Current COVID-19 Trend: Malspam Campaigns

COVID-19 and Malspam Campaigns

The entire world is on edge, watching as COVID-19 continues to spread at an exponential rate. The uncertainty and unknowns around the illness have all of us thirsty for news and information about the virus: we all want to know what’s going on and how we can best protect our families. Hackers are taking full advantage of this, and are sending out emails enticing recipients to click links with promises of information about the virus or advice on how to prevent it—and in reality are infecting the computers of anyone who clicks with malware.

Malspam Campaigns:

Malicious Spam (Malspam) campaigns are usually some of the first arrivals in mailboxes in times like these. Attackers create sophisticated emails using COVID-19 headlines and graphics to lure users into opening malicious documents (malodocs) or clicking on malicious links leading to the download of malware. In many cases, senders masquerade as a public health authority, a government agency, or an industry or third-party partner to convince recipients to click on a link or open a file.

According to Accenture’s recent iDefense SITREP on COVID-19-based attacks, some of the more recent campaigns tracked by security researchers include:

  • EMOTET: attached Word doc that activates VBA macro that triggers the download of Emotet
  • AZORULT information-stealer malware: COVID-19-themed malspam targeting manufacturing, industrial, financial, transportation, pharmaceutical and cosmetics companies. Malicious Word doc attempting to exploit MS Office vulnerabilities
  • LOKIBOT: malicious attachment
  • GRANDOREIRO: banking Trojan: malicious links in emails leading to download of Grandoreiro banking Trojan
  • Agent Tesla keylogger: The email purports to come from the World Health Organization (WHO) and contains a malicious executable showing an Excel file icon
  • FormBook: Another campaign impersonating the WHO and comes with a ZIP archive that contains an executable capable of launching the GuLoader downloader. The ultimate purpose is the installation of the FormBook infostealer
  • HawkEye Infostealer; phishing campaign impersonating the Director-General of the WHO is actively spreading HawkEye malware payloads

RH-ISAC Recommends

As always, the best defense against malspam is avoiding it altogether. Train your employees on best practices: inspect any incoming email messages, don’t click on links from any remotely suspicious sources, and when in doubt, report suspicious messages to the IT or security department. Particularly in these trying times, stress to your employees to think twice before clicking on an email about COVID-19, even if it appears to come from a legitimate source. Setting up a strong endpoint protection solution and email spam filtering will certainly help, but an aware, educated workforce on the front lines is the best defense.

As with all threat activity and risk management, walking together as one is better than walking alone.

Engage! Leverage your RH-ISAC membership to engage with your peers in the listservs, on Slack, in the Weekly Intelligence Calls, and in any working groups you may be a part of where we maintain a proud tradition of trusted and active peer-to-peer information sharing.

Reach out! Not an RH-ISAC member? Reach out to us or visit for information on how to join, or reach out to similar security organizations of relevance to you to ask for information, solicit peer collaboration and to engaged in the strength of collective activity…don’t walk alone! 

More Recent Blog Posts