Coronavirus malware roundup: watch out for these scams


With so many of us hunting out the latest Covid-19 info, it hasn’t taken long for hackers to take advantage.

So first off, a basic hygiene reminder: Don’t download anything or click on any links from unfamiliar sources. This includes coronavirus-related maps, guides and apps.

Here’s a closer look at some of the specific threats that have emerged over the last week or so…


Fake maps and dashboards

Several legitimate organizations (e.g. Johns Hopkins University) have created dashboards featuring interactive maps to illustrate the infection spread.

As reported in TechRadar, Shai Alfasi, security researcher at Reason Labs, has found that hackers have created fake versions of these maps and dashboards in order to steal user information.

These fake sites prompt users to download an app to stay updated. This download activates a malware strain known as AZORult. This is used to steal users’ browsing history, cookies, passwords and more. It can also be used as a gateway to download additional malware onto user machines.


The DomainTools security research team has uncovered at least one example of a coronavirus-related fake app.

The Android app in question was discovered on a newly created domain (coronavirusapp[.]site). The site prompts users to download an Android app to get access to a coronavirus app tracker, statistical information and heatmap visuals.

The app actually contains a previously unseen ransomware application, dubbed CovidLock. On download, the device screen is locked, and the user is hit with a demand for $100 in bitcoin to avoid content erasure.

Dangerous domains

From January up until around 12 days ago, over 4,000 new coronavirus-themed domains were registered.

According to TNW, 3% of these new domains were flagged as malicious, and a further 5% as suspicious. This is 50% higher than the usual rates for newly registered domains.
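A defender can turn this into a simple triage pass over DNS or proxy logs. The sketch below is an added example, not code from the original article or from any vendor it cites: the keyword list, the allowlist entries and the three-field log format are assumptions, and the sample log lines are constructed.

```python
import re

# Theme keywords for this article's topic; the list is an assumption, tune it locally.
THEME = re.compile(r"corona|covid", re.IGNORECASE)

# Domain named in this article (DomainTools report), kept defanged as published.
KNOWN_BAD = {"coronavirusapp[.]site"}

# Hypothetical allowlist: parent domains your organization has vetted.
ALLOWLIST = {"who.int", "jhu.edu"}

def refang(indicator):
    """Turn a defanged indicator (hxxp, [.]) back into a plain hostname."""
    host = indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    host = re.sub(r"^https?://", "", host)
    return host.split("/")[0].rstrip(".")

def is_allowlisted(host):
    """True only for an allowlisted domain or a real subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)

def classify(host):
    """Return 'known-bad', 'review', or None for one queried hostname."""
    host = refang(host)
    bad = {refang(i) for i in KNOWN_BAD}
    if any(host == b or host.endswith("." + b) for b in bad):
        return "known-bad"
    if THEME.search(host) and not is_allowlisted(host):
        return "review"
    return None

def triage(log_lines):
    """Parse 'timestamp client query' lines; return (client, host, verdict) hits."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing
        verdict = classify(parts[2])
        if verdict:
            hits.append((parts[1], refang(parts[2]), verdict))
    return hits

# Constructed sample DNS log lines (not real traffic).
SAMPLE = [
    "2020-03-20T09:01:02Z 10.0.0.5 coronavirus.jhu.edu",
    "2020-03-20T09:01:09Z 10.0.0.7 coronavirusapp.site",
    "2020-03-20T09:02:11Z 10.0.0.8 covid-tracker.example",
    "2020-03-20T09:03:40Z 10.0.0.9 www.example.org",
]
```

A "review" verdict only means the name is themed and unvetted. The allowlist matches on a dot boundary, so a lookalike such as `who.int.covid-update.example` is still flagged.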

Phishing attempts

It’s thought that many of the newly registered coronavirus-related domains have been created as vehicles for phishing attempts.

One notable recent attempt hit almost 10% of organizations in Italy. It sought to trick users into opening a World Health Organization information pack. In fact, the link let loose a banking trojan, designed to steal the recipient's credentials.

Other phishing attempts are targeted specifically at remote workers. In one example highlighted by Mimecast, the hackers scammed recipients with bogus messages, directing them to a fake OneDrive login and inviting them to upload ‘company policies’.

At the time of the initial report, Mimecast had seen more than 300 instances of this campaign.

State-sponsored campaigns

Over the last few weeks, there have been reports of government-backed groups from China, North Korea and Russia capitalising on the outbreak.

A QiAnXin researcher highlighted a campaign by the Russian group Hades, targeting organizations in Ukraine. This involved transmission of a backdoor trojan, disguised in emails purporting to be from the Ukrainian Center for Public Health.

The message is clear: be vigilant of all incoming communications and of unfamiliar sources.

Have you encountered any malicious activity? Let us know below…

  • Nathan House

    Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.

  • Arthur Juarez says:

    I enjoy the weekly security updates, especially now that the world will transfer into a remote society. I am a returning student with so much to learn.

  • Arthur Juarez says:

    I enjoy the weekly newsletter especially now during this time of danger and vulnerability of fear. (Virus)

  • herpati jaco says:

    My clients always with SPAMS…They do suffer…but have already educated them to not to click on the links nor replying…..
    as always thanks for updating us sir

  • Bradley says:

    Thanks Nathan for keeping us updated

  • Andrew Tunks says:

    Thanks for the info Nathan – I’ve shared to friends on FB.

  • Alishia says:

    Thanks, Nathan for updating us about -Cyber fraudsters are using malware called coronavirus maps, which can compromise your confidential data.
