Cybercriminals often use major global events to spread malware and steal data, and the recent coronavirus outbreak is no different.
Security experts from Cofense have identified two phishing campaigns that take advantage of coronavirus concerns to infect devices with the Agent Tesla keylogger.
According to the report, cybercriminals are distributing emails that appear to originate from The Centre for Disease Control (CDC) or the World Health Organisation (WHO). The emails claim the virus is now airborne and that new cases have been confirmed in the victim’s vicinity.
Attached to the messages is a file named "SAFETY PRECAUTIONS", which looks like an Excel document but is in fact an executable file (.exe) capable of installing the trojan.
Cofense spotted emails with two different headers:
[EXTERNAL] COVID-19 – Now Airborne, Increased Community Transmission
Attention: List of Companies Affected With Coronavirus March 02, 2020
The email address used to spread the malware is CDC-Covid19@cdc.gov, “thus making it appear as if the sender is really the CDC,” said researchers at Cofense.
“Since news of the coronavirus hit national headlines, many threat actors have played on its infamy to target unsuspecting users.”
“While there are numerous phishing campaigns raving about the latest safety measures, all claiming to be reputable health organisations or doctors, this email differs in its methods, weaponising fear to panic users into clicking malicious links.”
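A mail gateway can catch both traits described above: an attachment presented as a spreadsheet whose bytes are really a Windows executable, and a sender domain that was not authenticated. The following is an added example, not code from Cofense or from the original article. The function name `inspect_message`, the gateway name `mx.example.com`, the `Authentication-Results` values and both sample messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed message template (not a captured email). Authentication-Results
# is assumed to be stamped by the receiving gateway, here "mx.example.com".
TEMPLATE = (
    "From: CDC-Covid19@cdc.gov\r\n"
    "To: user@example.com\r\n"
    "Subject: Attention: List of Companies Affected With Coronavirus March 02, 2020\r\n"
    "Authentication-Results: mx.example.com; dmarc={dmarc} header.from=cdc.gov\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    "--b1\r\nContent-Type: application/vnd.ms-excel\r\n"
    'Content-Disposition: attachment; filename="{name}"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n{body}\r\n--b1--\r\n"
)
# "TVqQ..." decodes to the DOS/PE "MZ" magic plus a few header bytes (not a program);
# "0M8R..." decodes to the OLE2 magic that a legacy .xls file starts with.
SUSPICIOUS = TEMPLATE.format(dmarc="fail", name="SAFETY PRECAUTIONS.exe",
                             body="TVqQAAMAAAAEAAAA")
BENIGN = TEMPLATE.format(dmarc="pass", name="report.xls", body="0M8R4KGxGuEAAAAA")


def inspect_message(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. The From address alone proves nothing: require a DMARC "pass" verdict.
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    verdict = re.search(r"\bdmarc=(\w+)", str(msg.get("Authentication-Results", "")))
    if verdict is None or verdict.group(1).lower() != "pass":
        findings.append(f"dmarc-not-pass:{domain}")

    # 2. Judge attachments by content, not by name, icon or declared MIME type.
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"MZ":  # DOS/PE executable magic
            findings.append(f"pe-in-attachment:{part.get_filename()}")
    return findings


if __name__ == "__main__":
    print(inspect_message(SUSPICIOUS))
    print(inspect_message(BENIGN))
```

The magic-byte test only sees executables attached directly; one wrapped in an archive has to be unpacked before the same check applies.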
The coronavirus is believed to have originated in the Chinese province of Wuhan. So far, more than 110,000 have been infected and roughly 3,800 have died.
Latest reports indicate the virus has spread to Europe, with Italy the focal point. There are reported cases in Germany, Austria, Croatia, Spain and the UK.