Analysts studying CoronaVirus-related phishing and malware threats in malicious emails have identified four major topics abused by hackers: news, medical, financial, and regulatory. In the first phases of the Corona pandemic, hackers mostly disguised their malicious emails as general news and medical information, with the most common keywords being “update” and “affected.” When Summer 2020 (June-July) arrived, the dominant attack theme became “financial” and the leading keyword became “payment.”
Media reports about the new CoronaVirus infection started to pop up in January 2020. As this biological threat turned into a pandemic, the Spring of 2020 saw a huge spike in related cyber activities. For example, Google reported blocking 18 million COVID-19-related malware and phishing emails per day, in addition to more than 240 million COVID-related spam messages per day (Figure 1). As of Summer 2020, the CoronaVirus and COVID-19 remain in the news, and hackers continue to abuse these topics to their advantage.
Figure 1. Google’s blocked email statistics for mid-Spring 2020
In this research, Red Sky Alliance analyzes malicious email header keywords and the four major topics abused by hackers: 1.) Financial, such as COVID-19-related relief payments. 2.) News, such as alleged fresh COVID statistics. 3.) Regulatory, such as pretending to deliver government regulation information. 4.) Medical, such as promising to deliver masks, PPE, vaccines, or test kits.
Figure 2. Typical COVID-related malicious email from July 2020
A typical malicious email from July 2020 with a COVID-related topic can be seen in Figure 2. This email leverages financial (“pandemic relief payment”) and governmental themes to pressure users into opening the malicious MS Office attachment and enabling its content; the attachment is programmed to download a second-stage executable file.
For this study, we analyze emails that were detected as malicious by at least 2 antivirus engines. CoronaVirus-related emails written in English were identified by automated string matching, followed by manual verification by a Red Sky Alliance analyst. The most common string was “COVID-19.” Less common were “CoronaVirus” and other similar strings. Theme and keyword frequency counts for the malicious email headers were based mostly on the subject line; information from other header fields (such as sender information) was also used when available. As one email often had more than one keyword, and sometimes more than one theme (for example, a combination of financial and regulatory), the sums of the trending shares in each case were larger than 100 percent.
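To make the counting method concrete, here is an added Python example (not Red Sky Alliance's tooling or code from this report) that applies the same approach to constructed subject lines: a case-insensitive string match on “COVID-19” / “CoronaVirus” selects the relevant emails, theme keyword lists (an assumption modelled on the themes and example keywords named in this report) tag each subject with one or more themes, and the per-theme shares are computed against the number of selected emails, so that multi-theme emails push the total above 100 percent exactly as described above.

```python
import re
from collections import Counter

# Theme keyword lists: an assumption for this example, loosely based on the
# themes and keywords discussed in the report, not Red Sky Alliance's rules.
THEME_KEYWORDS = {
    "financial": ["payment", "relief", "assistance", "tax", "order", "invoice"],
    "news": ["update", "affected", "new", "urgent", "vessel", "memo", "china", "trump"],
    "regulatory": ["government", "agency", "regulation", "compliance", "mandate"],
    "medical": ["mask", "ppe", "vaccine", "test kit", "medical", "prevention"],
}

# Selection strings: "COVID-19" (with or without the hyphen) and "CoronaVirus"
# (with or without a space), matched case-insensitively on whole words.
COVID_RE = re.compile(r"\b(covid[- ]?19|corona ?virus)\b", re.IGNORECASE)


def _keyword_re(keyword: str) -> re.Pattern:
    """Whole-word, case-insensitive pattern so 'new' does not match 'newsletter'."""
    return re.compile(r"\b" + re.escape(keyword) + r"\b", re.IGNORECASE)


KEYWORD_PATTERNS = {
    theme: [(kw, _keyword_re(kw)) for kw in kws] for theme, kws in THEME_KEYWORDS.items()
}


def is_covid_related(subject: str) -> bool:
    """Automated string-matching step: does the subject mention COVID-19 / CoronaVirus?"""
    return COVID_RE.search(subject) is not None


def classify(subject: str):
    """Return (set of themes, list of matched keywords) for one subject line.

    The COVID strings themselves are deliberately not counted as keywords,
    mirroring the report's removal of common strings such as "COVID-19".
    """
    themes = set()
    keywords = []
    for theme, patterns in KEYWORD_PATTERNS.items():
        for kw, pat in patterns:
            if pat.search(subject):
                themes.add(theme)
                keywords.append(kw)
    return themes, keywords


def theme_shares(subjects):
    """Percentage of COVID-related subjects carrying each theme.

    Because a subject may carry several themes, the percentages can sum to
    more than 100, which is the effect the report notes.
    """
    covid_subjects = [s for s in subjects if is_covid_related(s)]
    if not covid_subjects:
        return {}
    counts = Counter()
    for s in covid_subjects:
        themes, _ = classify(s)
        counts.update(themes)
    return {theme: round(100.0 * counts[theme] / len(covid_subjects)) for theme in THEME_KEYWORDS}


def keyword_counts(subjects) -> Counter:
    """Keyword frequency over the COVID-related subjects only."""
    counts = Counter()
    for s in subjects:
        if is_covid_related(s):
            _, kws = classify(s)
            counts.update(kws)
    return counts


# Constructed sample subject lines (not real indicators); the fourth one is a
# control that does not mention COVID and must be excluded from the counts.
SAMPLE_SUBJECTS = [
    "COVID-19 pandemic relief payment - urgent government notice",
    "Update: new Coronavirus statistics for your area",
    "COVID-19 vaccine and mask order confirmation",
    "Quarterly invoice attached",
    "Your tax assistance claim under the COVID-19 relief program",
    "Memo: vessel crew affected by coronavirus",
]

if __name__ == "__main__":
    shares = theme_shares(SAMPLE_SUBJECTS)
    for theme, pct in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{theme:<11} {pct:>3}%")
    print(f"sum of shares: {sum(shares.values())}% (over 100 because of multi-theme emails)")
    print("top keywords:", keyword_counts(SAMPLE_SUBJECTS).most_common(5))
```

On the constructed sample, five of the six subjects are COVID-related; financial and news each reach 60 percent, regulatory and medical 20 percent each, so the shares sum to 160 percent, and “relief” is the top keyword because it appears in two subjects. Whole-word matching matters in practice: without the `\b` anchors, “new” would also fire on “newsletter” and “order” on “disorder,” inflating the News and Financial counts.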
Early Pandemic Trending
Figure 3. COVID-related malicious email header keyword type trending
In the early pandemic, the most common malicious email theme was News (68%), followed by Medical (21%). Financial and Regulatory themes were less frequent, at approximately 7% each (Figure 3).
Figure 4. COVID-related malicious email header keywords early trending
Consistent with the theme trending, early keyword trending showed the most common keywords to be “affected” and “update” (as in “update on the current situation” or “news update”). Some of the other trending News keywords included “vessel,” “urgent,” “China,” “new,” “memo,” and “Trump” (Figure 4).
Summer 2020 Trending
Figure 5. COVID-related malicious email header keywords current trending
During the first two months of Summer 2020, the most common COVID-related malicious email theme became Financial (64%). News, the main abused category early in the pandemic, moved down to second place with 38 percent. Regulatory rose to 23 percent, as hackers often pretend to deliver requests from government agencies. Finally, the relative share of malicious emails pretending to deliver medical information went down to 9 percent (see Figure 3 above).
Specific trending keywords for Summer 2020 are also mostly financial: “payment,” “assistance,” “relief,” “order,” and “tax” (Figure 5). We see a dramatic change in the trending keywords: after common strings such as “COVID-19” are removed, only generic social engineering keywords such as “urgent” and “new” remain in the top trends both early in the pandemic and now (Figures 4 and 5).
Hackers routinely exploit current news, and earlier this year they started to send CoronaVirus-related malicious emails pretending to deliver new prevention and statistical information. Now that people worry about pandemic relief payments and their tax situation, hackers have switched to these financial topics and continue to exploit them.
Note: This research was first presented on 30 July 2020 at Red Sky Alliance’s Cyber Threat Briefing (CIB) online video conference. It was accompanied by additional trending on July COVID-related malicious email malware detections, COVID-related malicious URI trending, and a separate talk on Chinese hackers indicted for targeting firms working on COVID-19 vaccines.
Please find the attached list of indicators – hashes of the COVID-related malicious emails:
Report Date: 20200807
Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
- Twitter: https://twitter.com/redskyalliance
- CIB video recording available: https://register.gotowebinar.com/recording/1949336668119926787