In recent attacks that abuse the novel coronavirus as a theme, threat actors are exploiting workplace concerns about outbreak prevention and shipment delays. Below are two examples sent with the intent of delivering malware.
We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up-to-date on how threat actors are exploiting the pandemic.
The first example uses tactics resembling an ongoing malspam campaign where Excel documents are the primary means of infecting computers with Zloader. The intent is for Zloader to download the banking trojan ZeuS.
The message is sent from the burner email address email@example.com.
The second lure spoofs a global logistics company to deliver Nanocore, a remote access trojan (RAT), via attachment. The sender address is 188.8.131.52.
Email links to: http://gbud.webd[dot]pl/images/COVID-19-04-01-2020.IMG
File hash (SHA256): 7b2adf1c8ff725d7dd61b0fdc3ef9e6e3a8bd1b744fd209290a1bf65f9b9acb4
Organizations are being strongly encouraged to overshare information that might safeguard employees during the pandemic. As a result, individuals are primed to expect changes as they relate to their companies. Threat actors need only repackage the messaging associated with past lures to conform with company concerns in a time of coronavirus.
For more intelligence on COVID-19 threats, see our ongoing coverage.