{
	"id": "eea31130-d883-4c81-9a7b-1ba5a9d6a82c",
	"created_at": "2026-04-06T01:30:11.944011Z",
	"updated_at": "2026-04-10T03:21:05.511666Z",
	"deleted_at": null,
	"sha1_hash": "5141f68eaef5331e5da44f2cc12da81e1ab4d03b",
	"title": "COVID19 pandemic is a field day for cybercriminals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3087518,
	"plain_text": "COVID19 pandemic is a field day for cybercriminals\r\nBy G DATA\r\nPublished: 2020-11-16 · Archived: 2026-04-06 00:36:00 UTC\r\n11/18/2020\r\nBusiness as usual: Criminal Activities in Times of a Global Pandemic\r\nReading time: 9 min (2493 words)\r\nThe beginning of 2020 was appalling for most parts of the world affected by Coronavirus disease 2019 (COVID-19). It changed the everyday life of every individual in every country, as people strove to keep up their daily tasks while preventing further infection. Given this situation, businesses and schools opted to move to a ‘virtual setting’, in which work is done remotely and school discussions as well as office meetings are held via conference calls using applications like Zoom, Skype or Microsoft Teams. There has been a surge in demand for video and audio conferencing, chat and webinar platforms.\r\nhttps://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire\r\nPage 1 of 14\n\n2018 FIFA World Cup Spam Email Sample\r\nThis upheaval created opportunities for cybercriminals, who exploit such situations to carry out their malicious intents. This is not the first time that cybercriminals have taken advantage of current and significant events to lure more victims; there have been instances in past years that show how they use such events to spread malware. 
One example was the 2018 FIFA World Cup, when cybercriminals created a fake FIFA partner website to gain access to victims’ bank accounts and drop a malicious file onto the victim’s machine.\r\nCOVID-19 Related Phishing Emails\r\nCopy of a legitimate infection heatmap, used by cybercriminals in their fake websites (July 2020)\r\nWith the number of people infected by COVID-19 rising all over the world, cybercriminals have likewise increased the number of COVID-19 related spam emails and phishing links circulating online. They have also diversified their attacks: not only do they send spam emails with malicious attachments, they also create fake websites with fake COVID-19 related content for victims to access freely, such as coronavirus-map[.]com (the website was already unreachable at the time of writing). Some of these fake websites carry fake statistics on current COVID-19 cases worldwide. They often also contain malicious cryptomining code, known as cryptojacking, which harms the user’s system by consuming its resources to mine digital currency such as Bitcoin for the attacker’s gain, without the user’s consent.\r\nWhile some cybercriminals explore new approaches to their crimes, others carry on with old methods like spam emails, but with improved content to make their attacks more successful. As with the 2018 FIFA World Cup spam, cybercriminals abuse COVID-19 as the subject of the spam emails they send out. This is noticeable in the two sample emails below, which differ in content and language. 
Tailoring spam emails to their targets in this way is one of the techniques cybercriminals use to increase the chance of a successful attack.\r\nThe first email is aimed at English-speaking individuals, while the second targets anyone who understands Italian. At first glance the two emails seem different, considering the language used, the subject lines and the message content. But both emails contain an attachment: List.arj (24 KB) and Newsletter della COVID-19 Organizzazione mondialle della sanita.zip (36 KB).\r\nFile attachments\r\nEmail Attachment – RAR Archive\r\nThe attachment to the first email is presented as a list of COVID-19 victims. On analysis, however, it is easily identified as an archive containing an executable file, LIST.exe. This is already a red flag: a file that claims to be a text file is in fact an archive containing an executable. The attachment to the second email looks like an ordinary archive, but also contains an executable file.\r\nFurther analysis shows that the malicious executables extracted from the archives belong to a well-known malware family called GuLoader, which has existed since long before COVID-19. GuLoader is a known downloader that retrieves its payload from cloud services such as Google Drive and Microsoft Drives. It is then used to download a remote access trojan (RAT), a malicious program that includes a backdoor for administrative control over the target computer. 
In this case, although the files we analyzed came from two different emails with two distinct targets, the attachments were identical, and both end up downloading a Parallax RAT.\r\nControl Backend of the Parallax RAT\r\nParallax RAT is considered the “new RAT on the block”; it first appeared in December 2019. It works across all versions of the Windows OS and is capable of bypassing detection, stealing credentials and executing remote commands such as grabbing keystrokes and screenshots. 
It is offered as Malware-as-a-Service (MaaS) and has become a favorite among malware criminals, as it is sold on the black market for as little as $65 with a promise of 99% reliability.\r\nTelemetry Statistics of RATs utilizing Covid-19 related news to propagate\r\nOur telemetry statistics for the past 6 months, covering 58,524 malware samples, show that aside from Parallax there are several other malware families that leverage COVID-19 related news to entice a large number of potential victims into opening attachments from unknown sources. These malware families, most of which are RATs like Remcos, Nanocore, Netwire and Agent Tesla, along with other trojans ranging from least to most destructive, are unceasingly distributed through various means such as spam emails or downloadable files on deceitful websites.\r\nTypical malware during the pandemic\r\nDuring this global health crisis, RATs are the tools most commonly found in malicious emails. These RATs follow a distinct pattern. We have taken a closer look at some of the most prominent ones.\r\nGeneral Propagation Routine of RAT\r\nRemcos\r\nThe GUI of the Remcos RAT\r\nRemcos was first seen in the wild in the second half of 2016, promoted as a commercial RAT at prices from $58 to $389. It was first used in spear phishing campaigns targeting Turkish organizations. 
Currently, it is sold by a German company called ‘Breaking Security’[2], whose website advertises it as legitimate, powerful remote control and surveillance software that can be used to access computers anywhere in the world.\r\nThe current trend in Remcos malware campaigns is for the malware authors to leverage new and trending worldwide news in their phishing emails. Those mails usually have a PDF attachment. Once opened, this PDF contains a Remcos RAT dropper that runs a VB Script, which in turn executes the malware. To ensure persistence, a startup key is added to the registry.\r\nAliases:\r\nRemcosRAT\r\nRemvio\r\nOther reference lines used in previous campaigns:\r\n\"Re: nCoV: Coronavirus outbreak and safety measures in your city (Urgent)\".\r\nSmall Business Grant/Testing Centre Vouchers\r\nSBA Grant/Testing Centre Vouchers\r\nSBA Payroll Protection Program Status\r\nAGENT TESLA\r\nAgent Tesla Monitoring GUI\r\nAgent Tesla was first seen in 2014 and during the pandemic has been used in attacks that target energy companies. This may be one of the effects of the pandemic, during which demand for oil is low. Before the pandemic, Agent Tesla was already the preferred tool for attacks against the oil industry. 
Since Agent Tesla is also commercial malware that can be bought on the Dark Web, it has a feature that allows the buyer to customize the payload and monitor its targeted victims.\r\nAgent Tesla has been modified into an advanced RAT that also functions as a keylogger and information stealer, able to steal the victim’s Microsoft Outlook credentials and other passwords saved in web browsers such as Google Chrome, Internet Explorer and Mozilla Firefox.\r\nWhat sets Agent Tesla apart from other RATs is its added ability to steal WiFi profiles. Malware actors use this functionality to spread the infection across different endpoints via WiFi, and as a gateway for future attacks on the victim’s machine.\r\nAliases:\r\nAgenTesla\r\nAgentTesla\r\nOther Email Subjects Used by AgentTesla RAT when sending Phishing Emails:\r\nURGENT INFORMATION LETTER: FIRST HUMAN COVID-19 VACCINE TEST/RESULT\r\nUPDATE Covid19″ Latest Tips to stay Immune to Virus!!\r\n“World Health Organization/Let’s fight Corona Virus together”\r\n\"Attention: List of Companies Affected With Coronavirus March 02, 2020\".\r\nNANOCORE\r\nNanocore RAT GUI\r\nNanocore was first seen in the wild in 2013. Its author, Thoms Huddleston aka AeonHacks, admitted to developing and marketing NanoCore on the Dark Web between 2012 and 2016. He was arrested, but this did not stop the spread of his creation, which has been kept alive and updated since then. The new version of NanoCore was sold on underground markets for as little as $25. Its features include remote surveillance, reverse proxy connections, plugins and even customer support.\r\nNetwire RAT Source Code\r\nNanocore is a sophisticated RAT that gives attackers access to details of the victim’s machine such as hostname and operating system. 
This in turn lets the cybercriminals carry out further malicious activities on the victim’s machine, such as hijacking the webcam and microphone, stealing confidential information and more.\r\nWhat sets this RAT apart from other RATs is how difficult it is to detect. Unlike other RATs designed to run in a specific way, most of its behavior resembles that of legitimate applications. Once they gain access to a victim machine, Nanocore allows malware actors to do just about anything they want.\r\nNetwire\r\nScreenshot of the cybercriminal’s message to the victim\r\nThe NetWire RAT is a malicious tool that emerged in the wild during the first half of 2012. Netwire became famous as a RAT hidden in an IMG file (a file extension used by disk imaging software). Since then it has undergone various modifications that keep it stealthy as the years pass. Like other RATs, NetWire is offered commercially and can easily be purchased on Dark Web markets, which makes it accessible to malware authors. More information about Netwire here:\r\nAliases:\r\nNancrat\r\nNanoCore\r\nOther Email Subjects Used by Nanocore RAT when sending Phishing Emails:\r\n“Covid-19 Urgent Precaution Measures”\r\n\"Coronavirus Update: China Operations\"\r\n\"Fwd: Re: CoronaVirus Express Information\"\r\nVarious wipers / MBR-modifying malware\r\nWipers made their first appearance back in 2008, when Narilam, a wiper malware, was used to target business and financial software in Iran. Wipers are malicious programs that destroy data on the victim machine. 
Unlike other malware that aims at some sort of financial gain, a wiper’s main purpose is to destroy all of its targeted files and directories on a system, or to replace their content with malicious content. As wipers evolved, malware authors tweaked their functionality so that this kind of malware also rewrites the master boot record (MBR).\r\nCurrently, a “Coronavirus.exe”[3] is spreading among Windows users. This malware’s name is clearly tied to the COVID-19 pandemic. First, the malware drops several hidden helper files and batch files in a temporary folder on the system. Then, while still unnoticed, it disables Windows Task Manager and User Account Control and places itself in the Startup registry key. Lastly, when the victim’s machine reboots, a pop-up message box tells the victim to “not wast [sic] your time” because “you can’t terminate this process!”; it cannot be closed because Task Manager has been disabled. Meanwhile, the original MBR is overwritten with new malicious code.\r\nAnother variant of this MBR-modifying malware, discovered by one of our analysts[4], at first seems to be a simple screenlocker but, unknown to the user, also infects the MBR.\r\nJokeware, in contrast, may not be as destructive as the malware cited above, but it can mislead users into thinking that something is wrong with their system. One COVID-19 themed jokeware pops up a message box saying “CoronaVirus has stopped working” when executed. This is very likely to alarm many users and lead them to think something is wrong with their computers, when in reality all is well and the system was never in any danger to begin with. 
Jokeware may be the least of our worries among the COVID-19 themed malware circulating right now, but it is better to be safe than sorry. It may be only mildly annoying to some, but it has the potential to launch an organization into full “damage control mode” and cause some level of disruption.\r\nLooking at the mode of delivery for this malware, one thing stands out: even though malware authors take advantage of current events around the world, most of the malicious files they attach to spam emails belong to long-established, well-known malware families that have a high infection rate and enjoy broad support and a large user base within the underground community.\r\nAliases:\r\nNetWeird\r\nNetWire\r\nRecam\r\nOther Email Subjects Used by Netwire RAT when sending Phishing Emails:\r\nMalspam claiming to be from Dr Stella Chungong at the WHO\r\nConclusion\r\nJust as proper hand washing, wearing a mask and social distancing protect us in the real world, we can avoid becoming victims of these kinds of attacks in the cyber world by practicing and sharing appropriate cyber hygiene, such as:\r\n1. Avoid opening emails, downloading attached files, and clicking on links from unsolicited senders.\r\n2. Disable macros in your Microsoft Office settings. You may refer to the instructions here.\r\n3. Always keep an updated AV for your protection.\r\nWhile the real world is still searching for a vaccine against COVID-19, the cyber world already has its ‘vaccine’ against these malicious files: advanced detections that identify possible threats and prevent further infection, such as G DATA’s latest DeepRay technology, which uses artificial intelligence and machine learning to counter sophisticated attacks from cybercriminals. 
This ‘vaccine’ for the cyber world is what will help every individual and organization to keep working and studying despite the change in their daily routines.\r\nIndicators of Compromise\r\nSource: https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire"
	],
	"report_names": [
		"global-pandemic-remcos-tesla-netwire"
	],
	"threat_actors": [],
	"ts_created_at": 1775439011,
	"ts_updated_at": 1775791265,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5141f68eaef5331e5da44f2cc12da81e1ab4d03b.pdf",
		"text": "https://archive.orkl.eu/5141f68eaef5331e5da44f2cc12da81e1ab4d03b.txt",
		"img": "https://archive.orkl.eu/5141f68eaef5331e5da44f2cc12da81e1ab4d03b.jpg"
	}
}