CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

COVID-19 Malspam Activity Ramps Up

Back in February, we reported on two Coronavirus-themed phishing emails. But just as the real virus spreads rapidly around the world, so too have the scams. Cyber criminals, proving beyond doubt they are completely devoid of morals, have ramped up their activities, unashamedly using all manner of Coronavirus lures to trick people. We are now seeing dozens of different email campaigns per day. Below are samples collected from our systems that some of what is currently out there.

Sample 1: Coronavirus: Informazioni important su precauzioni

This email is in Italian, directed at a country worst hit by the virus to date.


The Google translation is roughly as follows:

Important information on precautions

Dear Sir / Madam, Due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message!

Best regards


The attachment is a DOCX Word document “f21203392637.doc” which contains a macro, which when executed leads to malware being dropped onto the system, firstly C:\MyImages\presskey.cmd, which is a simple loader for C:\MyImages\presskey.jse. This malware is known as OSTAP and functions to download the notorious Trickbot, a modular information stealer.


File:        f21203392637.doc
MD5:     27364e982d6e312cabc4761146c6232a   
SHA1:    9569fd971a91da00697df887d1b5ca2054c9f7bc

File:        presskey.jse
MD5:     c2b60205f820384deb77b031cbd9bbc3
SHA1:    63e853ed3a6332cbbb2e105d23e3b6be2452de1d

File:        presskey.cmd
MD5:     7d71ae4c172bf8b3066c695d933293de
SHA1:    04f1cfcd27dfbce7e0ba60c10099e1d6fb4c88e7



This email, purporting to be from the World Health Organization, urges users to check the attachment for “health and preparedness steps”. The attachment is a RAR archive, containing an executable which is Hawkeye, a keylogger and information stealer.


MD5:     78faa018586fdf4687514b612948d5a2
SHA1:    506c5f70924d1e4402b520efe47fcea26b8b6c59

MD5:     34605433544389bfeaf0e04aa02d9bd8
SHA1:    417553ee661efb459276135ba8be80dbbbed2466

Sample 3: Coronavirus disease (COVID-19) outbreak prevention and cure update.

Another sample purporting to be from the WHO, which states it has information on “common drugs to take for prevention and fast cure”. Of course, there are attachments to view, both of which are archives, a RAR and a ZIP, and both contain an executable, which is also Hawkeye.



FILE:       Coronavirus Disease (COVID-19)            
MD5:     534c585c20e1b23184f2130375ce500a   
SHA1:    e0c77de771522382d7bfb14eef76c948156a86c2

FILE:       Coronavirus Disease (COVID-19) CURE.rar            
MD5:     c00499a62e7b03f7ea5ce269351bbe40   
SHA1:    8bf18554535e013ed27c1eb4f695a37ecb50524f

FILE:       Coronavirus Disease (COVID-19) CURE.exe          
MD5:     8983fb4725e345acb1f8daf425a7abe7
SHA1:    129ee2d1d260ea67b4f820e126329004088bb3a8

Sample 4: Supplier-Face Mask

This email claims to be from a manufacturer of face masks that has “started mass production’, and that “demand exceeds supply”. The attachment “Face Mask Quote” contains an executable which is none other than Agent Tesla, a common and readily available keylogging and info-stealing RAT.


Agent Tesla likes to harvest credentials from browsers and other applications and exfiltrate that data via SMTP. To give you an idea of the kind of data that is captured, see the screenshot below:



File:        Face Mask
MD5:     2fe1dc441bb92eb91abe0c6b6e94b1c9
SHA1:    58e8a9cc00d76802e02a7fac207d894d62d5e818

File:        Face Mask Quote.exe
MD5:     c5f220a7ac314a7570d827d4b72a1bfb
SHA1:    9649f2902f36e2708f4870bf4aa84c1b75e19aad

Sample 5: WHO Donate Now

Unlike the others, this email does not contain malware. Again it purports to be from the WHO, and merely asks you for bitcoins to support the cause. At the time of writing, this bitcoin wallet did not have any transactions against it, so hopefully, the campaign was a FAIL for the bad guys.5a_who

Sample 6: Covid -19 Temporary Suspension of Activities

This email, interestingly from ‘’ is badly written and claims:

“Here enclosed official statement on the current situations Globally. See attached upon reviews and Temporary suspension of activities.”


The email has an HTML attachment (as opposed to the HTML message body) WHO-COVID-19 Updates.pdf.HTM which contains php code that retrieves HTML content and crudely attempts to harvest email address and password credentials – in a completely untargeted way.



FILE:       WHO-COVID-19 Updates .pdf.HTM         
MD5:     6b919c935b78a946608fe03576a67abf   
SHA1:    739f0cb4308fb9b2a03e19338f32b9cb506489e7

Sample 7: Transfer Copy

This email claims to be from a supplier in China that, due to Coronavirus, has had delays in releasing payments. The attachment ‘Trnasfer_copy.pdf.z’ is a RAR archive that contains an executable, that is Agent Tesla.



File:        Trnasfer_copy.pdf.z  (RAR archive)
MD5:     861a3c1efda0a3ae06a9f1fe5dec40ff      
SHA1:    da32b1b853dcde26d3eb18d7e96505bfe9a7f9eb

File:        Trnasfer_copy.bat (PE File)
MD5:     ee9c5c7aba58d3f70e52dad1eaf14b61   
SHA1:    a188bf4f4b4c3727163726cd5d9295fd56769766


Cyber criminals increasingly use social engineering techniques like those in these phishing emails to trick victims into infecting themselves with malware. They piggyback on the “tried and true” techniques that have been used by “confidence men” since the dawn of time. Those techniques take advantage of elementary emotions like greed, curiosity, and in these cases, the very valid fear of COVID-19. Fear can make anyone impulsive, but in these times it’s more important than ever to combat the misinformation that might pollute your inbox with facts.

Trustwave Secure Email Gateway (SEG) can detect and block the email scams that are mentioned in this blog.

Latest SpiderLabs Blogs

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway

Overview A command injection vulnerability has been discovered in the GlobalProtect feature within Palo Alto Networks PAN-OS software for specific versions that have distinct feature configurations...

Read More


We all know the cybersecurity industry loves its acronyms, but just because this fact is widely known doesn’t mean everyone knows the story behind the alphabet soup groups of letters, we must deal...

Read More

Phishing Deception - Suspended Domains Reveal Malicious Payload for Latin American Region

Recently, we observed a phishing campaign targeting the Latin American region. The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious...

Read More