It should come as no surprise that cybercriminals are using the COVID-19 pandemic as a phishing lure. Major media events always produce new attacks, and with the heightened level of awareness (panic?), end users are likely more susceptible than usual. GoSecure Inbox Detection and Response (IDR) has blocked several new variants, each with a different level of sophistication in the phishing lure but almost all looking to install a remote access trojan. Remote access trojans (RATs) are used for many nefarious activities (logging keystrokes, accessing the camera, stealing credentials stored in browsers, opening a reverse shell, uploading and downloading files, viewing the victim's desktop, manipulating processes, files and the registry, and more), so the endgame is unknown, but it is safe to assume it is nothing good.

In this example, and in a tactic commonly used in COVID-19 attacks, the phishing lure purports to come from the World Health Organization (WHO). This one is exceedingly simple in its design, complete with the all-too-familiar misspellings and poor English grammar.


And, no, Dr. Penelope Marchetti does not appear to be a real person.

Attached to the email is a macro-enabled Microsoft Excel add-in file, COVID-19 Recomendaton_Precaution_Desinfection.xlam (note the misspelling of "disinfection"). By default, Microsoft Outlook is cautious about opening attachments, but other email clients are not as diligent. And most users are unlikely to notice the XLAM extension, which they rarely, if ever, see.

Once opened, the XLAM attachment connects to a web site hosted behind a dynamic DNS name. This technique lets the attacker move the malicious download to a new location without changing the lure, giving the campaign a longer life. Once connected, the malicious website delivers njRAT, a remote access trojan first observed in 2012. Many variants of njRAT have been created since its initial observation; more in-depth analysis by GoSecure indicates this version is the BLADABINDI variant. Even within BLADABINDI there are multiple variants, as the underlying RAT has a myriad of capabilities. It is BLADABINDI's customizability and apparent availability in the underground that make it a prevalent threat.

Digging into the mechanics of sending this email, the sending domain of reuses the misspelling technique, counting on most end users not noticing. The bigger question should be why the WHO would be sending email from an unrelated domain. Here again, with all the media attention surrounding COVID-19, most users won't notice or ask. Also, the sending domain does not resolve in DNS, which is always a red flag.

The use of COVID-19 phishing lures will continue until they stop working. This is just one example that GoSecure has seen, and we will report on others as we have the details. Please consider the mitigation actions noted below to protect your organization immediately. GoSecure Inbox Detection and Response will also protect your users wherever they view the email.

Mitigation Actions

  • Block DNS lookups to
    • This may impact legitimate DNS lookups, since the same dynamic DNS provider also serves benign hostnames
  • Block incoming email from
  • Block or quarantine XLAM attachments at the mail gateway, and prevent all email clients from opening them
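The following is an added example, not GoSecure's code or anything from the campaign, showing how the three indicators described above (a sender domain that does not resolve, a sender claiming to be the WHO from an unrelated domain, and a macro-enabled Excel attachment) can be checked on a raw .eml at a mail gateway. It goes one step further than an extension check: macro-enabled Office files are OOXML zips containing xl/vbaProject.bin, so the same attachment renamed to .xlsx is still caught. Assumptions not taken from the page: who.int as the legitimate WHO domain, the sample message, and the stand-in "add-in" (a minimal zip with an empty VBA project), all constructed here.

```python
"""Triage an .eml for the phishing indicators discussed above.

Added example, not GoSecure's code. Assumptions (not from the page):
  - who.int is the legitimate WHO sending domain;
  - macro-enabled OOXML files carry xl/vbaProject.bin;
  - the sample message and attachment below are constructed, not real.
"""
import email
import email.policy
import email.utils
import io
import socket
import zipfile
from email.message import EmailMessage

# Office extensions that may carry VBA macros (.xlam is the Excel add-in variant).
MACRO_EXTENSIONS = {".xlam", ".xlsm", ".xltm", ".docm", ".dotm", ".pptm", ".ppam", ".potm"}
LEGITIMATE_WHO_DOMAIN = "who.int"  # assumption: the real WHO domain


def dns_resolves(domain: str) -> bool:
    """Live DNS check; pass a stub resolver to analyze() for offline use."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are an OOXML zip that contains a VBA project,
    i.e. the file is macro-enabled regardless of the extension on its name."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def analyze(raw: bytes, resolve=dns_resolves) -> dict:
    """Return the findings a mail gateway would act on for one message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []

    # Indicator 1: sending domain that does not resolve in DNS.
    display, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain or not resolve(domain):
        findings.append(f"sender domain does not resolve: {domain!r}")

    # Indicator 2: display name claims the WHO, but the domain is not who.int.
    claims_who = ("world health organization" in display.lower()
                  or "who" in display.lower().split())
    if claims_who and domain != LEGITIMATE_WHO_DOMAIN \
            and not domain.endswith("." + LEGITIMATE_WHO_DOMAIN):
        findings.append(f"claims to be the WHO but sends from {domain!r}")

    # Indicator 3: macro-enabled attachment, by extension or by zip contents.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in MACRO_EXTENSIONS:
            findings.append(f"macro-enabled attachment by extension: {name}")
        elif has_vba_project(data):
            findings.append(f"macro-enabled attachment with disguised extension: {name}")

    return {"sender_domain": domain, "findings": findings, "block": bool(findings)}


def build_macro_addin() -> bytes:
    """Constructed stand-in for a macro-enabled .xlam: a minimal OOXML zip
    with an (empty) VBA project. This is not the malware from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


def build_message(sender: str, filename: str, payload: bytes) -> bytes:
    """Constructed .eml with a single attachment (sample input, not a real lure)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "COVID-19 Recomendaton"
    msg.set_content("Please see the attached precautions.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Offline run: stub resolver treats only who.int as resolvable.
    lure = build_message("World Health Organization <info@who-int.example>",
                         "COVID-19 Recomendaton_Precaution_Desinfection.xlam",
                         build_macro_addin())
    for finding in analyze(lure, resolve=lambda d: d == "who.int")["findings"]:
        print(finding)
```

The extension set is a floor, not a ceiling: the zip inspection is what catches a macro-enabled workbook that has been renamed, and it is cheap enough to run on every Office attachment. Replace the stub resolver with the default `dns_resolves` to check the sending domain live.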