Coronavirus malware roundup: watch out for these scams

With so many of us hunting out the latest Covid-19 info, it hasn’t taken long for hackers to take advantage.

So first off, a basic hygiene reminder: Don’t download anything or click on any links from unfamiliar sources. This includes coronavirus-related maps, guides and apps.

Here’s a closer look at some of the specific threats that have emerged over the last week or so…

Fake maps and dashboards

Several legitimate organizations (e.g. Johns Hopkins University) have created dashboards featuring interactive maps to illustrate the spread of infection.

As reported in TechRadar, Shai Alfasi, security researcher at Reason Labs, has found that hackers have created fake versions of these maps and dashboards in order to steal user information.

These fake sites prompt users to download an app to stay updated. This download activates a malware strain known as AZORult, which is used to steal users’ browsing history, cookies, passwords and more. It can also be used as a gateway to download additional malware onto user machines.


The DomainTools security research team has uncovered at least one example of a coronavirus-related fake app.

The Android app in question was discovered on a newly created domain (coronavirusapp[.]site). The site prompts users to download an Android app to get access to a coronavirus app tracker, statistical information and heatmap visuals.

The app actually contains a previously unseen ransomware application, dubbed CovidLock. On download, the device screen is locked, and the user is hit with a demand for $100 in bitcoin to avoid content erasure.

Dangerous domains

From January up until around 12 days ago, over 4,000 new coronavirus-themed domains were registered.

According to TNW, 3% of these new domains were flagged as malicious, and a further 5% as suspicious. This is 50% higher than the usual rates for newly registered domains.

Phishing attempts

It’s thought that many of the newly registered coronavirus-related domains have been created as vehicles for phishing attempts.

One notable recent attempt hit almost 10% of organizations in Italy. It sought to trick users into opening a World Health Organization information pack. In fact, the link let loose a banking trojan, designed to steal the recipient’s credentials.

Other phishing attempts are targeted specifically at remote workers. In one example highlighted by Mimecast, the hackers scammed recipients with bogus messages, directing them to a fake OneDrive login and inviting them to upload ‘company policies’.

At the time of the initial report, Mimecast had seen more than 300 instances of this campaign.

State-sponsored campaigns

Over the last few weeks, there have been reports of government-backed groups from China, North Korea and Russia capitalising on the outbreak.

A QiAnXin researcher highlighted a campaign by the Russian group Hades, targeting organizations in Ukraine. This involved transmission of a backdoor trojan, disguised in emails purporting to be from the Ukrainian Center for Public Health.

The message is clear: be vigilant about all incoming communications and unfamiliar sources.
