05.04.2020

Spearphishing with the WHO trademark

FortiGuard Labs recently discovered a new COVID-19/Coronavirus-themed spearphishing email sent from [159.69.16[.]177] that uses the World Health Organization (WHO) trademark in an attempt to convince recipients of its authenticity. The email contains the subject line “Coronavirus disease (COVID-19) Important Communication[.]”. It also includes an attachment entitled “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj” that appears to contain additional information, but which in fact is a decoy.

The body of the email contains multiple points about infection control, along with other suggestions and recommendations, which is a lure meant to keep the recipient reading. In a twisted fashion, the message also pretends to address misinformation related to COVID-19/Coronavirus.
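An added example (not FortiGuard's code) of how a mail-triage script could check a message for the indicators reported above: the relay IP, the subject line and the attachment name. It generalizes the attachment check to any stacked archive extension. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators from the report above (IP refanged so it can be matched).
REPORTED_SENDER_IP = "159.69.16.177"
REPORTED_SUBJECT = "Coronavirus disease (COVID-19) Important Communication"
# Assumed list of archive/container extensions; extend to suit your gateway.
ARCHIVE_EXTS = {"zip", "arj", "rar", "7z", "gz", "iso", "img", "cab", "ace"}
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def triage(raw_bytes):
    """Return a sorted list of findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = set()
    # Relay addresses appear in square brackets in Received headers.
    for hdr in msg.get_all("Received", []):
        if REPORTED_SENDER_IP in BRACKETED_IPV4.findall(str(hdr)):
            findings.add("reported-sender-ip")
    # Normalize whitespace and the trailing period before comparing.
    subject = " ".join(str(msg.get("Subject", "")).split())
    if subject.rstrip(".").lower() == REPORTED_SUBJECT.lower():
        findings.add("reported-subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = name.split(".")[1:]
        # Stacked archive extensions such as ".zip.arj" obscure the real type.
        if len(exts) >= 2 and exts[-1] in ARCHIVE_EXTS and exts[-2] in ARCHIVE_EXTS:
            findings.add("stacked-archive-extension")
        if "world health organization" in name.replace("_", " "):
            findings.add("who-branding-in-attachment-name")
    return sorted(findings)


def constructed_sample():
    """Constructed message carrying the reported indicators (placeholder payload)."""
    m = EmailMessage()
    m["Received"] = ("from host.example (unknown [159.69.16.177]) "
                     "by mx.example; Fri, 27 Mar 2020 10:00:00 +0000")
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = "Coronavirus disease (COVID-19) Important Communication."
    m.set_content("placeholder body")
    m.add_attachment(b"placeholder", maintype="application", subtype="octet-stream",
                     filename="COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj")
    return m.as_bytes()
```
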

This campaign was first observed on March 27, and based on our telemetry, its distribution is now worldwide. Our analysis of this particular campaign reveals the Top 10 countries targeted: Turkey (29%), Portugal (19%), Germany (12%), Austria (10%), and the United States (10%) top the list, with Belgium, Puerto Rico, Italy, Canada, and Spain rounding out the top 10 with less than one percent each.

TrickBot main actor?

Researchers from Sophos reported on another spam campaign that impersonated a doctor at the World Health Organization (WHO), taking advantage of the public's fears surrounding the coronavirus pandemic to target Italians. Additional research from Microsoft and Sophos identifies TrickBot as a main actor in COVID-19 campaigns. Microsoft said that it has already spotted 76 threat variants using COVID-19-themed lures since these attacks started, with the TrickBot malware being the most active.
 

Full story and countermeasure recommendations here