New Phishing Attack Tells Recipient They May Have Contracted COVID-19

  • Laying the trap perfectly, the email asks the recipient to take a print of the attached, and malware-loaded, document.
  • An analysis of the malware capabilities revealed that the malware can search for and steal information related to cryptocurrency wallets.

Researchers recently uncovered a new phishing campaign that is quite sensitive in nature looking at the rising cases of COVID-19 patients. 

What happened?
In this campaign, the phishing emails pretend to be from a local hospital informing the recipient that they were exposed to the Coronavirus and that immediate testing needs to be done.

  • The threat actor’s email tells the recipient that they may have been in contact with a friend, colleague, or family member who was tested positive for the COVID-19 virus.
  • Laying the trap perfectly, the email then asks the recipient to take a print of the attached EmergencyContact.xlsm, the malware-loaded document.
  • Attackers also instruct them to bring it with them to the nearest emergency clinic to get the testing done.

How does it work?
A user is prompted to click on 'Enable Content' to view the protected document attached to the email.

  • Enabling content activates the malicious macros and malware gets downloaded on the system.
  • This executable now affects numerous processes running on the legitimate Windows msiexec.exe— a Windows Installer Component and is used to install new programs.
  • This helps the malware hide its presence while potentially evading detection by security programs.

How can malware harm a compromised system?
An analysis of the malware capabilities revealed that the malware can:

  • Search for and steal cryptocurrency wallet information.
  • Get a list of programs running on the computer.
  • Get local IP address information configured on the computer.
  • Look for open shares on the network with the net view /all /domain command.
  • Steal web browser cookies that could allow attackers to log in to sites with your account.

As a recipient, what to do?
The Coronavirus pandemic-related scams are on the rise. Threat actors are trying to capitablize on the fear and anxiety the disease has provoked in people around all corners of the world. Here’s what one can do to stay safe from such scams:

  • Be careful of any Coronavirus-related emails received, and do not open any attachments unnecessarily.
  • Always lookup for the contact number for the alleged sender. If necessary, contact the sender via phone to confirm the content in the email and any attached documents.
  • On the other side, anyone looking for the latest trustworthy news updates on Coronavirus should go to the sites for the CDC, WHO, or their local health department rather than risking to open an email attachment from a stranger with zero validity.