SpiderLabs Blog

COVID-19 Malspam Activity Ramps Up

Back in February, we reported on two Coronavirus-themed phishing emails. But just as the real virus spreads rapidly around the world, so too have the scams. Cyber criminals, proving beyond doubt that they are completely devoid of morals, have ramped up their activities, unashamedly using all manner of Coronavirus lures to trick people. We are now seeing dozens of different email campaigns per day. Below are samples collected from our systems that illustrate some of what is currently out there.

Sample 1: Coronavirus: Informazioni important su precauzioni

This email is in Italian, directed at the country worst hit by the virus to date.


The Google translation is roughly as follows:

Important information on precautions

Dear Sir / Madam, Due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message!

Best regards


The attachment is a DOCX Word document, “f21203392637.doc”, which contains a macro. When executed, the macro drops malware onto the system: first C:\MyImages\presskey.cmd, a simple loader for C:\MyImages\presskey.jse. This malware is known as OSTAP, and its job is to download the notorious Trickbot, a modular information stealer.


File: f21203392637.doc
MD5:  27364e982d6e312cabc4761146c6232a
SHA1: 9569fd971a91da00697df887d1b5ca2054c9f7bc

File: presskey.jse
MD5:  c2b60205f820384deb77b031cbd9bbc3
SHA1: 63e853ed3a6332cbbb2e105d23e3b6be2452de1d

File: presskey.cmd
MD5:  7d71ae4c172bf8b3066c695d933293de
SHA1: 04f1cfcd27dfbce7e0ba60c10099e1d6fb4c88e7



This email, purporting to be from the World Health Organization, urges users to check the attachment for “health and preparedness steps”. The attachment is a RAR archive containing an executable, which is Hawkeye, a keylogger and information stealer.


MD5:  78faa018586fdf4687514b612948d5a2
SHA1: 506c5f70924d1e4402b520efe47fcea26b8b6c59

MD5:  34605433544389bfeaf0e04aa02d9bd8
SHA1: 417553ee661efb459276135ba8be80dbbbed2466

Sample 3: Coronavirus disease (COVID-19) outbreak prevention and cure update.

Another sample purporting to be from the WHO, which states that it has information on “common drugs to take for prevention and fast cure”. Of course, there are attachments to view, both of which are archives (a RAR and a ZIP), and each contains an executable, which is again Hawkeye.



File: Coronavirus Disease (COVID-19)
MD5:  534c585c20e1b23184f2130375ce500a
SHA1: e0c77de771522382d7bfb14eef76c948156a86c2

File: Coronavirus Disease (COVID-19) CURE.rar
MD5:  c00499a62e7b03f7ea5ce269351bbe40
SHA1: 8bf18554535e013ed27c1eb4f695a37ecb50524f

File: Coronavirus Disease (COVID-19) CURE.exe
MD5:  8983fb4725e345acb1f8daf425a7abe7
SHA1: 129ee2d1d260ea67b4f820e126329004088bb3a8

Sample 4: Supplier-Face Mask

This email claims to be from a manufacturer of face masks that has “started mass production” and that “demand exceeds supply”. The attachment “Face Mask Quote” contains an executable which is none other than Agent Tesla, a common and readily available keylogging and info-stealing RAT.


Agent Tesla likes to harvest credentials from browsers and other applications and exfiltrate that data via SMTP. To give you an idea of the kind of data that is captured, see the screenshot below:



File: Face Mask
MD5:  2fe1dc441bb92eb91abe0c6b6e94b1c9
SHA1: 58e8a9cc00d76802e02a7fac207d894d62d5e818

File: Face Mask Quote.exe
MD5:  c5f220a7ac314a7570d827d4b72a1bfb
SHA1: 9649f2902f36e2708f4870bf4aa84c1b75e19aad

Sample 5: WHO Donate Now

Unlike the others, this email does not contain malware. Again it purports to be from the WHO, and merely asks you for bitcoins to support the cause. At the time of writing, this bitcoin wallet did not have any transactions against it, so hopefully, the campaign was a FAIL for the bad guys.

Sample 6: Covid -19 Temporary Suspension of Activities

This email, interestingly sent from ‘’, is badly written and claims:

“Here enclosed official statement on the current situations Globally. See attached upon reviews and Temporary suspension of activities.”


The email has an HTML attachment (as opposed to an HTML message body), WHO-COVID-19 Updates.pdf.HTM, which contains PHP code that retrieves HTML content and crudely attempts to harvest email address and password credentials – in a completely untargeted way.



File: WHO-COVID-19 Updates .pdf.HTM
MD5:  6b919c935b78a946608fe03576a67abf
SHA1: 739f0cb4308fb9b2a03e19338f32b9cb506489e7

Sample 7: Transfer Copy

This email claims to be from a supplier in China that, due to Coronavirus, has had delays in releasing payments. The attachment ‘Trnasfer_copy.pdf.z’ is a RAR archive that contains an executable, which is Agent Tesla.



File: Trnasfer_copy.pdf.z (RAR archive)
MD5:  861a3c1efda0a3ae06a9f1fe5dec40ff
SHA1: da32b1b853dcde26d3eb18d7e96505bfe9a7f9eb

File: Trnasfer_copy.bat (PE file)
MD5:  ee9c5c7aba58d3f70e52dad1eaf14b61
SHA1: a188bf4f4b4c3727163726cd5d9295fd56769766


Cyber criminals increasingly use social engineering techniques like those in these phishing emails to trick victims into infecting themselves with malware. They piggyback on the “tried and true” techniques that have been used by “confidence men” since the dawn of time. Those techniques take advantage of elementary emotions like greed, curiosity, and in these cases, the very valid fear of COVID-19. Fear can make anyone impulsive, but in these times it’s more important than ever to combat, with facts, the misinformation that might pollute your inbox.

Trustwave Secure Email Gateway (SEG) can detect and block the email scams that are mentioned in this blog.
