Home News “You’re Exposed to Coronavirus” Says Phishing Email

“You’re Exposed to Coronavirus” Says Phishing Email

Phishing Campaign on FINRA

With cybercriminals taking advantage of the Coronavirus pandemic, we continue to see malware attacks, weaponized websites, and phishing attacks to trick people into opening malicious links or attachments.

Recently, a new kind of phishing campaign has been discovered that pretends to be from local hospital authorities informing the recipient that they’re exposed to the Coronavirus and need to be tested, the BleepingComputer reported. In addition, the attackers also claimed, in the email, that they’ve been in contact with the friend, colleague or family member who was tested positive for the COVID-19 virus. It further asked the recipient to print the attached “EmergencyContact.xlsm” document and bring it with them to the nearest hospital for testing.

Malicious Attachments

When users click/download the attachment, they will be prompted to “Enable Content” to view the protected document. This allows malicious macros to be executed by themselves to download a malware executable to the computer.

In its analysis, the BleepingComputer revealed that the malware can perform various malicious operations, which include:

  • Search for and possibly steal cryptocurrency wallets
  • Steals web browser cookies that could allow attackers to log in to sites with your account
  • Gets a list of programs running on the computer
  • Looks for open shares on the network with the net view /all /domain command
  • Gets local IP address information configured on the computer

Cybercriminals trying to benefit from the global epidemic to distribute malicious activity through various spam hacking campaigns.  In a similar phishing attack, a hacker group targeted the World Health Organization (WHO) via a sophisticated phishing attack, which involved an email hosted on a phishing domain that tried to trick the employees into entering their credentials. It’s said that WHO observed the hacking attempt in mid-March and is suspected to have come from DarkHotel, a threat group from Southeast Asia that has been active since 2004.