The global advance of the COVID-19 pandemic has provided an immense opportunity for various threat actors to capitalize on. The security community has quickly responded to understand this new wave of cybercrime and its evolving tactics, techniques and procedures (TTPs).

Since the beginning of the year, security researchers across leading organizations have identified multiple phishing campaigns, relying on the scare of people from the biological infection to spread virtual ones with varying malicious capabilities.

Some of the campaigns have been targeting individuals across countries with significant number of COVID-19 infections and a high death toll such as China and Italy. Others have turned their attention to countries such as Japan, Ukraine, Brazil, Mexico, Mongolia and Vietnam where the infection at this stage is not as prevalent. Still others, have focused on select industries such as manufacturing, pharmaceuticals or shipping.

The current coronavirus-themed social engineering efforts could be grouped into several categories, based on the parties they are impersonating. 

  • Trusted country-specific or global authorities
  • Healthcare personnel
  • HR or IT staff

The messages claim to provide status reports, real-time statistics, information about safety measures, cures or relevant other information. A sample of the phishing emails is provided below. It appears the threat actors had been keen on deploying their campaigns with speed rather than precision as grammar, punctuation and spelling mistakes are abundant, which are all red flags for malintent.

■ Emails impersonating trusted authorities

Ministry of Health, People’s Republic of China
Subject:  Emergency Regulation Ordinance Against Coronavirus

Please you are advised to take necessary precautions to stay safe as death toll keeps increasing. As we work hard to kicking away the virus check attached Emergency Regulation Ordinance against coronavirus for the safety of your industry!!

From: WHO Headquarters
Subject:  Attention: List of Companies Affected with Coronavirus

I am writing to give you updated information on the novel Coronavirus. And the list of the affected companies listed by W.H.O. A new virus that causes respiratory illness. Find attached to see the latest precautions.

From: National Center for Health Marketing, CDC
Subject:  COVID-19 – Now Airborne, Increased Community Transmission

As you know, the Department of Health and Human Service has declared the Coronavirus (COVID-19) a public health emergency. At this time, three new cases have been confirmed around your location today. Centers for Disease Control and Prevention has established precautions. The CDC requires you to avoid (HIGH-RISK) zone around your city. A high-risk person is currently being monitored around your city. For additional information about high-risk places: https://www.cdc.gov/COVID-19/newcases/feb26/your-city.html 

■ Emails impersonating healthcare personnel

 Dr. Penelope Marchetti, Organizzazione Mondiale della Sanita - Italia
Subject: Coronavirus: informazioni importanti su precauzioni

[Translation from Italian] Due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message!

From: Dr [name], Specialist Wuhan-Virus-Advisory
Subject: Singapore Specialist: Corona Virus Safety Measures

Go through the attached document on safety measures regarding the spreading of corona virus. The little measure can save you. Use the link below to download Safety Measures.pdf

Symptoms Common symptoms include fever, cough, shortness of breath, and breathing difficulties.

From: John DeFranco
Subject: COVID-19 Everything you need to know

How to Protect your friends from nCOv 2019 FAQ. There are more than 75,000 infected COVID-19 cases all around the world! 
COVID-19-FAQ - uploaded with iCloud Drive.

■ Emails impersonating HR or IT staff

All, Due to the coronavirus outbreak, [company] is actively taking safety precautions by instituting a Communicable Disease Management Policy. This policy is part of our organizational preparedness and we require all employees to read and acknowledge the policy before [date]. If you have any questions or concerns regarding the policy, please contact [company] Human Resources.

Unsuspecting users are also being tricked to access fake COVID-19 real-time maps, impersonating the resource center of the John Hopkins University in the United States.

The global cyber threat intelligence community has already identified some of the tactics, techniques and procedures adopted by different malicious campaigns. AMATAS has put together IOCs (Indicators of Compromise) based on this analysis and is ready to share upon request. The sample IOC below is developed using FireEye Mandiant’s free IOC Editor (version 3.2, OpenIOC_1.1 specification) and is based on the research of IBM X-Force Threat Intelligence. 

It is highly recommended to block suspicious/malicious URLs, domains and IPs at the perimeter-based devices.

Although the social engineering campaigns appear to be the primary attack vector at this stage, the mass move of people to work, study and collaborate from home will undoubtedly present additional opportunities for exploitation. Missing, unpatched or misconfigured VPN or endpoint protection and usage of personal devices for remote work are just a few. 

AMATAS continues to monitor this space and will deliver salient information weekly

Konstantina Kostadinova in AMATAS