COVID-19 Used as Bait in Malware Attacks on Industrial Companies

March 14, 2020 by Alessandro Mascellino

Is cybersecurity training part of your company's protocol?

Every company should train its staff to recognize and prevent malware attacks, and this is especially true in industrial automation, where a compromised workstation can sit one network hop away from the plant floor.

New data reveals that cybercriminals have recently been targeting users worldwide in an attempt to exploit fears about the coronavirus (COVID-19) to their own advantage.

The attacks took the form of phishing emails promising various cures, as well as bogus websites that the cybersecurity company Trend Micro has flagged as potentially malicious.

As the number of COVID-19 cases keeps surging around the world, so does the use of "coronavirus" and "corona" in malware names and malicious domains.



A computer rendering of the coronavirus (COVID-19) disease. Image used courtesy of the Centers for Disease Control and Prevention (CDC).


Phishing, Fake Domains, and Malware Attacks

Phishing attempts traditionally involve an attacker sending an apparently legitimate email to a user, who clicks on a link within the mail and downloads malicious software capable of stealing information, installing a backdoor, or otherwise compromising the integrity of the system.

Alternatively, the malicious links contained in such emails could lead to a website where any information the user inputs will be captured by the attacker.

The cybercriminals sending COVID-19-related emails pretended to be official organizations sharing updates and recommendations connected to how to tackle the disease.

Many of them were also themed around shipping transactions and carried attachments that supposedly described the details of those transactions. The attached files were renamed to look like legitimate documents, but they actually contained malware.

According to Trend Micro, while this phenomenon was almost global, many of these emails targeted people in the U.S., Japan, Russia, Italy, Portugal, and China. Because the attacks had such a global reach, they ultimately affected the industrial automation and manufacturing industry as well.



Locations with confirmed COVID-19 cases on a global map as of March 13, 2020. Image used courtesy of the Centers for Disease Control and Prevention (CDC). 


These malware attacks could have landed anywhere, from large factories to power plants to gas pipelines. The attacks have also explicitly targeted industries that are particularly susceptible to shipping disruptions.

These included manufacturing, industrial, finance, transportation, pharmaceutical, and others.

The security firm has compiled a comprehensive list of malware names and extensions related to these attacks, and you can find it here.

As for the "coronavirus" domains flagged as potentially malicious, the web services firm Bit Discovery has found hundreds of them, which you can see in the Twitter thread here.


Cybercriminals and Espionage Groups

While some of the attacks appear uncoordinated, the rapid increase in COVID-19 cases worldwide also saw state-backed espionage groups try to compromise entire industries in some countries.

On February 10th, the cybersecurity company Proofpoint noted how coronavirus-themed email attacks aimed at Japanese-language speakers delivered AZORult, an information-stealing malware.

More recently, FireEye, another computer security company, revealed that a group of Chinese hackers had targeted users in Vietnam, the Philippines, and Taiwan in an attempt to steal data using malware.

The documents attached to these emails were genuine statements by political leaders and official sources, but embedded in them was malicious code that executed as soon as the user opened the files.


Defending Against These Attacks

To reduce the risk from most of these attacks, avoid visiting any of the websites included in the lists above.

You can also take preventative measures by following these guidelines:

  • If you receive email from any of these domains, or from any other address you do not recognize, be extra cautious.
  • Don't open any attachments or click on any links within such an email; just delete it.
  • Keep your devices up to date so that attackers cannot rely on unpatched vulnerabilities.
  • Only trust emails from reliable sources for news on important topics.

Even if the attached files seem legitimate, it is worth stressing once again that seemingly normal files can still carry malicious code that most antivirus software does not detect. In that case the user will not be notified, but the malware will still be running in the background, giving the attacker access to your device or data.
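The checks in the list above can be partly automated on incoming mail. The script below is an added example written for this page; it is not code from the article or from Trend Micro, Proofpoint, or FireEye. It parses a constructed sample message (not a real capture) and flags the three lure patterns the article describes: a display name claiming an official health body while the actual sender domain is unrelated, an attachment renamed with a document extension in front of an executable one, and links whose hostname contains "corona" or "covid". The trusted-domain allowlist, the keyword lists, and the example domains are assumptions for illustration.

```python
"""Triage an e-mail for the COVID-19 lure patterns described in the article.
Added example, not code from the article or the vendors it cites."""
import email
import re
from email import policy
from email.utils import parseaddr
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed sample messages for demonstration; not real captures.
SAMPLE_EML = b"""From: "World Health Organization" <updates@example-mailer.test>
To: operator@plant.example
Subject: COVID-19 shipping delay notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached shipment details and the latest guidance at
http://corona-virus-update.example.test/guidance
--b1
Content-Type: application/octet-stream; name="Shipment_Details.pdf.exe"
Content-Disposition: attachment; filename="Shipment_Details.pdf.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

BENIGN_EML = b"""From: "World Health Organization" <updates@who.int>
To: operator@plant.example
Subject: Situation report
Content-Type: text/plain; charset="utf-8"

Today's situation report is at https://www.who.int/emergencies
"""

# Assumed policy values; a real deployment maintains its own lists.
TRUSTED_SENDER_DOMAINS = {"who.int", "cdc.gov"}  # assumption for illustration
OFFICIAL_KEYWORDS = ("health organization", "disease control", "ministry of health")
LURE_TERMS = ("corona", "covid")
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".vbs", ".hta", ".jar", ".ps1", ".lnk", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_findings(msg):
    """Flag a display name that claims an official body from an untrusted domain."""
    display, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    if any(k in display.lower() for k in OFFICIAL_KEYWORDS) and domain not in TRUSTED_SENDER_DOMAINS:
        return [f"sender: display name {display!r} claims an official body but domain is {domain!r}"]
    return []


def attachment_findings(msg):
    """Flag executable attachments, especially ones hidden behind a document extension."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
            continue
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
            findings.append(f"attachment {name!r}: executable disguised with a document extension")
        else:
            findings.append(f"attachment {name!r}: executable attachment")
    return findings


def link_findings(msg):
    """Flag links whose hostname carries a coronavirus lure term."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        for url in URL_RE.findall(part.get_content()):
            host = (urlparse(url).hostname or "").lower()
            if any(t in host for t in LURE_TERMS):
                findings.append(f"link: {url} points at lure domain {host!r}")
    return findings


def triage(raw_bytes):
    """Return all findings for a raw RFC 822 message, sender first, then attachments, then links."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return sender_findings(msg) + attachment_findings(msg) + link_findings(msg)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print(finding)
    print("benign message findings:", triage(BENIGN_EML))
```

These are name-based heuristics only. A genuine document with a legitimate extension that carries an embedded macro or exploit, the case the previous paragraph warns about, produces no finding here, so this kind of triage complements, rather than replaces, attachment detonation and endpoint monitoring.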

These are just a few of the practices that employees should be trained on when they join any industry where they are responsible for protecting important information.



If your company does not have a cybersecurity training protocol, educate yourself and know the risks to protect yourself and your company from an attack.


Featured image used courtesy of the Centers for Disease Control and Prevention (CDC).