Over the past three months the world’s attention has been captured by the COVID-19 health crisis. As it is usually the case around major global events, the criminal underground has responded accordingly.

There is so much cyber activity out there that one might get the impression that threat actors have increased their malicious attacks or deployed more resources to do so. According to Microsoft, malicious parties have just repurposed their offensive infrastructures and rethemed their attack campaigns.


It is worth noting that one malware strain has shown up more frequently than others in unique COVID-19 related phishing emails per Microsoft Advanced Threat Protection data.

The Trickbot trojan has been used initially for harvesting and exfiltration of sensitive banking data. It has evolved ever since into a malware dropper that would help deliver other and more dangerous malware payloads.


This week’s edition will cover the shift in threat actor priorities which follows the evolution of the global response to the pandemic. The shift is seen in three areas:

  • Phishing campaigns
  • Malicious mobile apps
  • Attacks against home environments and critical infrastructure

Phishing campaigns

In addition to phishing campaigns around safety measures, face masks, sanitizers, respirators, and testing kits,  security researchers have now detected a major increase in the registration of malicious and suspicious domains related to financial relief packages.

Malicious mobile apps

Malicious mobile apps purporting to give real-time statistics about infection rates have now been joined by ones mimicking legitimate self-reporting or tracking apps. 

Attacks against home environments and critical infrastructure

The COVID-19 health crisis has forced many organizations and educational institutions to adopt conferencing and other apps to support work-from-home and study-from-home arrangements. Cybercriminals are taking advantage of this transition to spread malware.

Malicious activity linked to popular conferencing apps

  • A boom in the registration of Zoom-related domains has been observed.
  • Credential harvesting phishing campaigns have been launched, impersonating Zoom and Cisco WebEx. One of the campaigns is tricking users to access a missed conference meeting, while the other is urging targets to update their desktop app.
  • A coinminer bundled with the legitimate installer of the video conferencing app Zoom has been detected.
  • And lastly, 500K+ Zoom accounts have been found on hacker / dark web forums.

Malicious activity linked to VPN software

  • Two fake VPN domains have been flagged (vpn4test.net and nordfreevpn.com). The first – spreading the AZORult info stealer, while the second – infecting victims with the Grand Stealer malware.

Malicious activity linked to network devices

  • Linksys has mass reset the passwords for all Smart Wi-Fi user accounts following a report that its devices had been attacked with pwned credentials.

Malicious activity linked to educational games

  • A phishing campaign has been spotted claiming to provide information on new COVID-19 confirmed cases in your city leveraging the splashmath.com domain. The domain which offers fun math exercises to millions of kids has likely been compromised. 

While attacks against home environments are still a hot topic, there is an uptick in ransomware, extortion and cyber espionage attempts against critical infrastructure, healthcare, and medical research facilities.

Malicious activity linked to Energy sector

  • Researchers at Cisco Talos Intelligence have discovered multiple phishing campaigns, incl. two Covid-19 ones which they believe are targeting Azerbaijan public and private sectors, especially the energy one. Malicious Word documents are used as droppers of a new Python-based Remote Access Trojan dubbed PoetRAT. Besides giving operators full control of the compromised systems, security researchers have observed the deployment of additional capabilities such as keylogging, browser password stealing, webcam control and data exfiltration via FTP.
  • Attackers have encrypted the systems of Portuguese multinational energy giant Energias de Portugal (EDP) using the Ragnar Locker ransomware and are now asking for a hefty ransom – 1580 Bitcoins which is circa €9.9M ($10.9M). The ransomware attack is coupled with extortion. Sensitive data has been supposedly exfiltrated prior to the encryption and would be leaked if demands have not been met.

In conclusion, we would like to advise individuals and organizations to remain vigilant first and foremost despite heightened urgency levels or noble desires to help fight the pandemic. The need for speed should not be at the expense of acceptable secure practices or privacy considerations as it was the case with a recent mobile app (Covid19 Alert) proposed to the government of the Netherlands.

AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next cyber report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.