While the world attempts to take control over the spread of the Coronavirus, and tries to contain, eliminate and prevent it from spreading, hackers around the globe have found the term “Coronavirus” to be a useful vehicle for spreading malware.

The GoogleTrends graph below shows the trend line of the overall search for Coronavirus, along with the number of discussions pertaining to malicious events that employ the virus’s name.

In January and February 2020, the most prominent Coronavirus-themed campaign targeted Japan, distributing Emotet in malicious email attachments. The emails appeared to report where the infection is spreading in several Japanese cities, encouraging the victim to open an attached document for more information. When the document was opened, Emotet was downloaded onto the victim’s computer

Emotet is an advanced, self-propagating and modular Trojan. It was originally a banking Trojan, but recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods to maintain persistence and evasion techniques to avoid detection. It can also spread through phishing spam emails containing malicious attachments or links.

In addition to email campaigns, since the Coronavirus outbreak, we have observed a noticeable number of new websites registered with domain names related to the virus (see graph below):

Many of these domains will probably be used for phishing attempts.

An example of such a website is vaccinecovid-19\.com. It was first created on February 11, 2020 and registered in Russia. The website is insecure, and offers to sell “the best and fastest test for Coronavirus detection at the fantastic price of 19,000 Russian rubles (about US$300)”.

The website also offers pieces of news and a heat map of the Coronavirus spread, but on closer look one can see that it is immaturely designed, providing instructions and comments such as “ a place for a beautiful subtitle” (in English translation).

For a more relevant images and in-depth coverage of this story, check out this blog.