Information-stealing trojan now disseminated via COVID-19 phishing email

May 19, 2020

While we are all still living under the COVID-19 lockdown, cybercriminals have not stopped. They are even devising new schemes to exploit the COVID-19 pandemic.

Microsoft discovered a COVID-19 themed phishing scheme that cybercriminals use to target businesses with LokiBot, an information-stealing Trojan.

LokiBot’s principal feature is to record and acquire sensitive data. The Trojan continually tracks the user’s activity (i.e., it records keystrokes). The threat actor controls a server that stores the recorded and collected information. This kind of Trojan is usually distributed via spam emails, private messaging applications such as SMS and Skype, and malicious websites.

Microsoft customers who use Microsoft Defender are protected against this phishing scheme, as it was discovered via the Microsoft Threat Protection machine.

We previously reported on a COVID-19 themed CDC email phishing scam back in early March. Now there is a newly discovered COVID-19 themed phishing scheme that also pretends to be from the Centers for Disease Control (CDC) to lure its victims.

In this phishing email, the cybercriminals offer a “Business continuity plan and management” for COVID-19. The email has the subject BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020 and a PDF attachment. See below:


covid-19 phishing email image 1


In the second phishing email that Microsoft discovered, the threat actors pretend to be a vendor providing updated banking information to process payment due to the COVID-19 lockdown.


covid-19 phishing email image 2


Both of these newly discovered phishing emails carry malicious ARJ file attachments that are disguised as PDF files. According to Microsoft Threat Protection, some antimalware scanners skip these ARJ archives.
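A mail-gateway style check for this disguise, as an added example that is not from Microsoft or the original post: it classifies each attachment by its leading bytes rather than its name or MIME type, and flags ARJ archives and anything that claims to be a PDF but is not. The file names, addresses and ARJ header stub are constructed; how the real lures named their attachments is not stated on the page.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

ARJ_MAGIC = b"\x60\xea"  # ARJ header id 0xEA60, stored little-endian
ARJ_MAX_HEADER = 2600    # upper bound on the ARJ basic header size
PDF_MAGIC = b"%PDF-"

def sniff(data):
    """Classify a payload by its leading bytes, ignoring name and MIME type."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if len(data) >= 4 and data.startswith(ARJ_MAGIC):
        size = int.from_bytes(data[2:4], "little")
        if 0 < size <= ARJ_MAX_HEADER:  # cheap sanity check against false positives
            return "arj"
    return "unknown"

def suspicious_attachments(raw):
    """Return (filename, reason) for ARJ attachments and fake PDFs in a raw message."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        kind = sniff(data)
        claims_pdf = ".pdf" in name or part.get_content_type() == "application/pdf"
        if kind == "arj":
            reason = "ARJ archive presented as PDF" if claims_pdf else "ARJ archive attachment"
            findings.append((name, reason))
        elif claims_pdf and kind != "pdf":
            findings.append((name, "claims PDF but content is not PDF"))
    return findings

def build_sample(filename, payload, subtype):
    """Build a constructed test message (not a real sample)."""
    m = EmailMessage()
    m["Subject"] = "BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020"
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m.set_content("See attached.")
    m.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    arj_stub = ARJ_MAGIC + (30).to_bytes(2, "little") + bytes(30)  # constructed header stub
    print(suspicious_attachments(build_sample("plan.pdf.arj", arj_stub, "octet-stream")))
    print(suspicious_attachments(build_sample("plan.pdf", b"%PDF-1.4\n", "pdf")))
```
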

People who fall victim to this new scheme will have their personal computers infected with LokiBot. Once the victim opens the attached file, all login credentials stored in their browsers, as well as application passwords, will be sent to the threat actor’s server.

What to do if you received one?

  • Be attentive. Be wary if you receive an email from an unknown source. Make sure you don’t act on advice you didn’t ask for and weren’t expecting.
  • Use a security solution. Make sure to install security solutions that automatically detect malicious email attachments and links.

