AhnLab Security Center


Cyberattacks Exploiting COVID-19 Continue...


As health care workers battle with COVID-19 pandemic in the frontline to keep people safe, security professionals continue to combat coronavirus related malware to secure the cyber world. Government and health officials have been publishing guidelines to prevent the virus, and it comes as no surprise that hackers have been exploiting it once again. ASEC (AhnLab Security Emergency-response Center) analysts have analyzed the latest COVID-19 related malware. 



AhnLab’s security experts have been continuously analyzing COVID-19 related malware. According to ASEC analysts, malware distribution began in late February. Malware, disguised as COVID-19 relevant information, were distributed through attachment files in spearphishing emails. Although the earlier malware versions were found to be a test or a mere prank, the later versions got more serious. It started to take the form of malicious threats, such as backdoor and downloader.


Malware Disguised as a COVID-19 Prevention Handbook

File Name: Medidas Preventivas contra el COVID-19.doc

MD5: 6862a4ed7c8e3341fed411245028b35b

Alias: W97M/Downloader


Hackers have been disguising as COVID-19 relevant information as a way to distribute malware. In the recent attacks, a malware disguised as a COVID-19 prevention handbook has been discovered. It may seem harmless but is, in fact, malicious. The document is written in Spanish, as shown in Figure 1.


Figure 1. Malicious Document Disguised as COVID-19 Prevention Handbook


 COVID-19 Related Macro Malware

File Name: Relação de Hotéis e Hospedes - Estado afetado pelo COVID-19 (Novo Corona vírus).pps

MD5: 90e495357a4c9a4bb1e9cab4b9664367

Alias: Downloader/Ppt.Generic


Another type of malware have been found in a malicious PowerPoint (PPT) file. Once executed, a macro code, shown in Figure 2, will automatically run a VBS script in hxxps://omecanism2.sslblindado.com/coronavirus.mp3 through mshta. AhnLab’s anti-malware product, V3, blocks the relevant malware using the alias, Malware/Win32.RL_SpyGate.



Figure 2. Malicious Macro within COVID-19 Related Document


COVID-19 Related Worm Malware

File Name: Covid 19.lnk

MD5: ba3f0d0603a030fd64f5d15fc14ed34e

Alias: LNK/Runner


The last type of malware discovered by ASEC analysts was a LNK file disguised as a folder icon. Once executed, it will run the Manuel.doc file, which is an encoded VB script. It then opens the COVID-19 folder to trick the user into believing that the LNK file is a real folder.  This malware is similar to Forbix worm malware and can perform additional malicious behavior depending on the executed scripts.


To prevent damage from malware disguised as COVID-19 related information, users must follow basic security measures: ▲ Always check the email recipient before taking further actions ▲ Avoid opening files attached to emails from unknown or suspicious sources ▲ Install the latest security patch for programs such as OS, Internet browsers, application programs, and office software ▲ Keep anti-malware, such as V3, versions up to date.