Threat Signal Report

US-CERT Alert on Coronavirus/COVID-19 Scams

description-logo Description

Today, US-CERT issued an alert to the public to be aware of various Coronavirus/COVID-19 related scams. This culminates several weeks of high profile global news cycles that have dedicated coverage to the Coronavirus/COVID-19 health emergency.

What are the specifics of the alert?

The alert today was broad in scope; and is an informational piece designed to emphasize the importance of how to identify such scams and to be hypervigilant when receiving such mailings.

Was there any malware or indicators of compromise shared in this alert by US-CERT?


Has there been any malware campaigns leveraging the Coronavirus/COVID-19 issue observed?

Yes. FortiGuard Labs has observed multiple families and campaigns over the past few weeks, such as Emotet, Trickbot, Lokibot and some attacks by nation states to name a few. It is safe to surmise that all threat actors who use social engineering attacks in their arsenal will leverage the Coronavirus/COVID-19 scare in some form or another.

How serious of an advisory is this?

Medium. This is due to the fact that threat actors are constantly identifying ways of infecting organizations and individuals. As the Coronavirus/COVID-19 issue continues to dominate the global news cycle, we can safely assume that bad actors will continue to leverage the fear and coverage on this issue to lure and trick unsuspecting victims. This includes opening attachments that contain malware and stealing any other personally identifiable information (PII) via phishing and spearphishing attacks.

Any suggested mitigations?

FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine when vendor updates are available. If it is deemed that patching is not feasible, it is recommended that a risk assessment is conducted to determine additional mitigation safeguards within an environment.

In the meantime, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization are made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could help prevent initial access into the network.

For further information on several recent Coronavirus/COVID-19 campaigns discovered by FortiGuard Labs, please read our latest blog:

Attackers Taking Advantage of the Coronavirus/COVID-19 Media Frenzy


Spearphishing Attachment

ID: T1193

Tactic: Initial Access

Platform: Windows, macOS, Linux


Traffic Light Protocol

Color When Should it Be used? How may it be shared?


Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.


Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.


Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.


Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.