Threat Snapshot: Coronavirus-related Lure Examples Across the U.S., Spain, Portugal, and the Netherlands

The Proofpoint research team has tracked malicious activity associated with coronavirus since January 29 and regularly publishes our findings across this blog and our Twitter page. Following last week’s update on the overall threat landscape, this blog serves as a current snapshot and provides additional campaign examples aimed at recipients in the U.S., Spain, Portugal, and the Netherlands. 

Threat Volumes

To date, we have seen over 500,000 messages, 300,000 malicious URLs, 200,000 malicious attachments with coronavirus themes across more than 170 campaigns (and the number continues to increase). These attacks and campaigns are global in scope.

We have seen nearly every type of attack being used with coronavirus themes, including (but not limited to) business email compromise (BEC), credential phishing, malware, and spam email campaigns. Overall, we’ve seen a significant amount of credential phishing in these attacks. The threat actors behind these attacks run the gamut from small unknown actors to prominent threat actors like TA542 (the group behind Emotet).

Recent Notable Campaign Samples Leveraging Coronavirus

Credential Phish: Microsoft Office “COVID-19 Infected Our Staff”

Key Points: This small campaign in the United States primarily targets retail companies and uses concerns about infected staff members to try and lure victims to click. It leads to Microsoft Office credential phishing.


A screenshot of a social media post

Description automatically generated

Figure 1 Microsoft Office Credential Phishing Lure

Summary: This credential phishing campaign uses the subject line “COVID-19 Infected Our Staff” and indicates a “staff member of our company has contracted this deadly disease (COVID-19)” and then encourages the recipient to open/download a malicious attachment to “follow the company’s new protocol.” The malicious attachment links to a webpage that spoofs the Microsoft Office login and asks the user for their credentials.

Malware: Remcos “Your Neighbors Tested Positive”

Key Points: This small campaign targeting energy, construction, and telecoms in the United States uses the subject line "coronavirus update disease (COVID-19) your neighbors tested positive" and has a malicious attachment "receipt.xlsm" that uses macros to download the Remcos remote control tool.

A screenshot of a cell phone

Description automatically generated

Figure 2 "Your Neighbors Tested Positive" Lure with Remcos Attached

Summary: This campaign uses concerns around the possible infection of neighbors as its social engineering hook. The email’s subject line reads, “your neighbors tested positive” and encourages the recipient to open the malicious Microsoft Excel attachment. If the recipient opens the attachment and enables macros, the spreadsheet will download and install Remcos a remote control tool abused by threat actors to gain control over the system.

Malware: GuLoader/Agent Tesla with WHO “Solution” for COVID-19

Key Points: This medium-sized campaign in the United States primarily targets the manufacturing industry but also construction, transportation, healthcare, automotive, energy, and aerospace companies with GuLoader and Agent Tesla. The email spoofs the real address of the head of the World Health Organization (WHO), claims there is a “solution” for “total control” and asks the recipient to “share with all contacts.”

A screenshot of a cell phone

Description automatically generated

Figure 3 Email Offering COVID-19 Solution with GuLoader Attached

Summary: This campaign is similar to ones we saw in mid-February 2020 that spread conspiracy theories around possible cures for COVID-19 and abused the World Health Organization (WHO) brand. In this case, the sender spoofs the real email address of the head of the World Health Organization to make the message appear authentic. The email claims that the WHO has a “solution” for COVID-19 and encourages the recipient to open the malicious attachment for that information and share with “all contacts to ensure rapid control of the epidemic.” The malicious attachment contains GuLoader compressed in .iso format. If the recipient opens and runs the attachment, GuLoader installs Agent Tesla, a Trojan written in Visual Basic that can steal usernames, passwords, and credit card information from the user’s system.

Malware: GuLoader in Spain and Portugal

Key Points: This small campaign weighted towards manufacturing and industrial targets in Spain and Portugal and features GuLoader.


A screenshot of a social media post

Description automatically generated

Figure 4 Spanish Language GuLoader Lure

Summary: This Spanish-language campaign features emails with the subject "Vacuna COVID-19: prepare la vacuna en casa para usted y su familia para evitar COVID-19" (English translation: "COVID-19 vaccine: prepare the vaccine at home for you and your family to avoid COVID-19"). The message body discusses preparation of a homemade COVID-19 vaccine. The recipient is urged to open the malicious attachment titled COVID- 19.exe inside COVID- 19.tar, which is a .tar file that contains a compressed version of GuLoader. GuLoader is a recently developed and now-popular downloader written in Visual Basic (VB) 6.0.

Credential Phish: Anti-bacterial Debit Card (Netherlands)

Key Points: This small campaign in Dutch has targeted manufacturing, technology, and industrial companies in the Netherlands and is designed to steal banking credentials.