Coronavirus or COVID-19 continues to dominate headlines and the cybersecurity landscape. Unfortunately, the global pandemic has sadly infected over 3 million people and at the same time, it has created a perfect opportunity for malware actors to distribute info-stealing malware.
What is happening?
The surge in COVID-19 themed attacks has paved the way for infostealer malware like LokiBot, Agent Tesla, TrickBot and Hawkeye. As the name suggests, infostealers are designed to collect a wide range of information such as usernames, passwords, and bank details. However, some of them were evolved into sophisticated versions to pilfer system information, WiFi passwords, or the content of cryptocurrency wallets.
Common propagation trick
- Like many attacks, these infostealers were typically distributed via spam email campaigns. The actors behind the attacks used a variety of fake COVID-19-themes to lure users.
- Some of the email subjects used in the Lokibot campaigns included ‘AWARENESS NOTICE ON CORONAVIRUS(COVID-19)’, ‘COVID-19: Copy of Transfer Receipt From Our Bank’ and ‘UPDATE : BUSINESS CONTINUITY PLAN ANNOUNCEMENT 2020 DUE TO CORONAVIRUS’.
- Researchers found COVID-19 related spam campaigns that distributed a new version of Agent Tesla. The phishing emails appeared to come from the World Health Organization (WHO).
- TrickBot claimed several user credentials in different COVID-19 themed phishing emails. One such campaign involved emails about free COVID-19 test.
What to infer?
Threat actors are indeed active during the global pandemic. Leveraging phishing emails with different themes around Coronavirus to deliver infostealer will continue to be a common modus operandi of attackers.
As most of the infostealer malware attacks are focused on the classic combination of email and social engineering tricks, it is highly recommended that users should make due diligence in spotting phishing attacks.
During the time of COVID-19, when the risk of falling victim to such malware attacks is more, users should ensure to keep their antivirus updated and exercise basic cyber hygiene.