Hackers seize on coronavirus fears for fodder in spearphishing, misinformation schemes

Hackers frequently take advantage of crises and current events to tailor their messages better.
A three-dimensional print of SARS-CoV-2, the virus that causes COVID-19, commonly referred to as the coronavirus. (NIH)

As coronavirus infections surge globally, criminal hackers and nation-state actors are weaponizing public interest in COVID-19, the disease caused by the novel coronavirus, to spread malware and disinformation, according to security researchers and the State Department.

Russian actors, linked with Moscow through “state proxy websites,” for instance, have been using “swarms of online, false personas” to spread misinformation about the new coronavirus online, according to the Global Engagement Center, the State Department section meant to combat information operations around the world.

Some of the fake narratives have allegedly been propagated by official state media, Lea Gabrielle, the center’s special envoy and coordinator, told lawmakers Thursday.

Threat actors have also begun sending messages laced with malicious software to targets in Italy, where coronavirus infections have surged in recent weeks, according to new research unveiled this week by security firm Sophos. The attackers have been sending emails carrying a Microsoft Word document that appears to contain recommendations for preventing a coronavirus infection. If targets click through the prompts to "Enable Editing" and "Enable Content," the document's macros run and can install a new variant of the Trickbot malware.


Hackers frequently send spearphishing emails or run disinformation campaigns that incorporate content about crises or current events, to better trick targets and add urgency to their schemes. In the case of the killing of Qassem Soleimani, for example, actors conducted both phishing and information operations with Soleimani themes.

And although the coronavirus lures in this latest scam may seem legitimate, since they appear to parrot World Health Organization recommendations for avoiding infection, the document contains a Visual Basic for Applications (VBA) macro that acts as a dropper, delivering the Trickbot malware once macros are enabled, according to Sophos.
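The lure described above relies on the victim enabling macros in a Word document. The following is an added example, not code from the article or from Sophos, showing how a mail gateway or triage script can flag a macro-enabled Word package before anyone opens it: it inspects the OOXML zip for the VBA project part and for the macro-enabled content type, rather than trusting the file extension. The sample documents are constructed in memory; the `vbaProject.bin` contents are a placeholder, not a real VBA project.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# Content type Office assigns to the main part of a macro-enabled Word document (.docm).
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Package path of the VBA project inside a Word document.
VBA_PART = "word/vbaProject.bin"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def inspect_docx(data: bytes) -> dict:
    """Report what a Word OOXML package declares about macros.

    Two independent signals are checked: the VBA binary part and the
    main-document content type. Either one alone is enough to treat the file
    as macro-bearing; a mismatch between them is itself suspicious.
    """
    result = {"is_ooxml": False, "has_vba_part": False, "macro_content_type": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # legacy .doc (OLE2) or not an Office file; needs an OLE parser instead
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["is_ooxml"] = "[Content_Types].xml" in names
        if not result["is_ooxml"]:
            return result
        result["has_vba_part"] = VBA_PART in names
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for override in root.iter(CT_NS + "Override"):
            if override.get("ContentType") == MACRO_CONTENT_TYPE:
                result["macro_content_type"] = True
    return result


def verdict(data: bytes) -> str:
    """Collapse the inspection into a triage label."""
    r = inspect_docx(data)
    if not r["is_ooxml"]:
        return "not-ooxml"
    if r["has_vba_part"] or r["macro_content_type"]:
        return "macro-enabled"
    return "no-macros"


def _build_package(macro: bool) -> bytes:
    """Constructed sample: a minimal Word package, with or without a VBA project."""
    main_type = MACRO_CONTENT_TYPE if macro else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0placeholder-not-real-vba")
    return buf.getvalue()


# Constructed inputs: a lure-style macro document and a clean document.
LURE_DOCM = _build_package(macro=True)
CLEAN_DOCX = _build_package(macro=False)

if __name__ == "__main__":
    for label, blob in (("lure", LURE_DOCM), ("clean", CLEAN_DOCX)):
        print(label, verdict(blob), inspect_docx(blob))
```

Because the check reads the package rather than the filename, a `.docm` renamed to `.docx` still reports `macro-enabled`. Legacy binary `.doc` files are OLE2 containers, not zips, and come back as `not-ooxml`; they need a separate OLE parser (for example the open-source oletools) to look for a VBA storage.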

According to Check Point researchers, who have also been tracking the coronavirus spearphishing campaign, the senders' email addresses do not come from official WHO domains. Vigilant targets can spot the mismatch by checking the domain after the @ sign rather than the display name shown by the mail client.
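As an added example (not code from the article, Check Point or the WHO), the check below does what the paragraph recommends in a form that can run over a mailbox export: it parses the From header, compares the sending domain against an allowlist with proper suffix matching, and flags messages whose display name or domain invokes WHO while the real domain does not match. The allowlist assumes `who.int`, which is the WHO's actual domain; the sample headers are constructed.

```python
from email.utils import parseaddr

# Allowlist of domains the WHO genuinely sends from (who.int is the organisation's real domain).
WHO_DOMAINS = {"who.int"}


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From header, or '' if there is none."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_from_domain(domain: str, allowed: set) -> bool:
    """True only if domain equals an allowed domain or is a subdomain of one.

    A substring test would wrongly accept 'who.int.example.com'; suffix
    matching on a dotted boundary does not.
    """
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def _invokes_who(display: str, domain: str) -> bool:
    """Does the visible name or the domain try to look like the WHO?"""
    lowered = display.lower()
    tokens = display.replace("(", " ").replace(")", " ").split()
    if "world health organization" in lowered or "WHO" in tokens:
        return True
    # Lookalike domains such as who-int.org or who.int.example.com contain a 'who' label.
    return any(label == "who" or label.startswith("who-") for label in domain.split("."))


def classify_sender(from_header: str) -> str:
    """Label a From header: official, lookalike, other or malformed."""
    display, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "malformed"
    if is_from_domain(domain, WHO_DOMAINS):
        return "official"
    return "lookalike" if _invokes_who(display, domain) else "other"


# Constructed sample headers, not taken from any real campaign.
SAMPLE_FROM_HEADERS = [
    "World Health Organization <info@who.int>",
    "WHO Alerts <alerts@mail.who.int>",
    "World Health Organization <donotreply@who.int.example.com>",
    "WHO <info@who-int.org>",
    "Dr. Smith <smith@example.com>",
    "no angle brackets",
]


def triage(headers):
    """Map each header to its label."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, label in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{label:10} {header}")
```

The From header is attacker-controlled, so this is a lure detector, not proof of origin: a message that passes the domain check still needs SPF, DKIM and DMARC results from the receiving server before the domain can be trusted.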

Malicious documents are not the only trick hackers are testing with coronavirus-themed content. Last month, actors were leveraging a spoofed WHO website that prompts victims to enter their email passwords, according to Sophos research. And some hackers have been sending spearphishing emails to companies in sectors likely to be concerned about economic disruption from the coronavirus outbreak, according to Proofpoint research from last month.

Global reach


Sophos Principal Research Scientist Chet Wisniewski warned these kinds of opportunistic hacking campaigns may not be limited to Italy moving forward.

“Whenever there is a topic of public interest like COVID-19 … we see cybercriminals try to manipulate our concern into an opportunity,” Wisniewski said.

The novel coronavirus has killed nearly 150 people in Italy, the second highest death toll outside of China, where the outbreak is believed to have originated, and where tens of thousands of people are believed to be infected. Confirmed coronavirus infections have spread globally, to South Korea, Iran, the U.S., the U.K. and dozens of other countries.

Members of Iran's parliament as well as current and former top officials there have been infected by COVID-19, according to the Washington Post. That could offer hackers a unique blend of two prime kinds of targets: officials with access to sensitive information, and people likely to be looking for answers in a time of crisis.

“The best approach to avoid this type of cyberattack is to turn off macros, be extra cautious about what you click, and delete email that is suspicious or from an unexpected source,” Wisniewski said. “We must stay vigilant and be distrustful of incoming communications during times of crisis and only obtain advice from our public health authorities.”


Twitter said earlier this week it is “not seeing significant coordinated platform manipulation efforts around these [coronavirus] issues,” but that it is working to provide users who search for information on the coronavirus with credible information. Facebook is likewise directing users to local health authorities or the World Health Organization when they search for coronavirus, CEO Mark Zuckerberg said.


Written by Shannon Vavra
