COVID-19 Themes Are Being Utilized by Threat Actors of Varying Sophistication [anomali]

Threat actors are utilizing the global spread of COVID-19 (Coronavirus) to conduct malicious activity. As the world responds to this threat in various ways, actors are attempting to use the chaos to their advantage. COVID-19 is being weaponized for scare tactics by threat actors for conducting malicious activity utilizing different Tactics, Techniques, and Procedures (TTPs). While the majority of observations made by Anomali Threat Research (ATR) are commodity (purchasable and widely distributed) campaigns and malware. ATR identified that the Higaisa and Mustang Panda Advanced Persistent Threat (APT) groups have been utilizing Coronavirus-themed lures in their campaigns.

In addition to machine-targeted campaigns, ATR also identified COVID-19-themes targeting Android mobile devices. One of the samples is utilizing a fully functional Coronavirus infection-tracking application while the SpyNote Remote Access Trojan (RAT) runs in the background. Another is a phishing campaign that uses a fake Adobe Flash update and COVID-19 related URLs to install the Cerberus banking trojan. While some of these malware are commodity and may be more obvious malicious attempts, actors will likely continue to abuse these themes to install various malware families, some of which will be discussed below.


The current activity being reported on open sources consists of threat actors using COVID-19 as part of phishing campaigns, both in email subject and content as well as attachments.[1] These kind of virus-themed campaigns began almost immediately after the 41 cases of COVID-19 were reported on by the World Health Organization on December 31, 2019.[2] By January and February 2020, Coronavirus-themed lures were widespread with assistance from the Emotet botnet.[3] The malware used in these campaigns can vary because many distribution methods are offered for purchase and utilized by numerous actors, however, there have been some instances of Advanced Persistent Threat (APT) actors attempting to capitalize on the COVID-19 outbreak.

In mid-March 2020, Check Point Research published their findings regarding a campaign targeting the Mongolian public sector utilizing Coronavirus-themed lure documents.[4] This RTF activity also coincides with RTF activity identified by ATR.[5] APTs frequently use relevant themes as lures, and ATR has also identified such groups attempting to capitalize on Coronavirus-related events.

For more, click here.