Coronavirus used as bait in attacks on businesses via email

The coronavirus or COVID-19 pandemic has affected businesses around the world, putting particular pressure on organisations that rely on international trade. Cybercriminals around the world have not missed the trend and, as discovered by Kaspersky researchers, started actively using the topic in spreading malware such as backdoors and spyware in the past few weeks.

Phishers have long used emails faking business logistics, such as orders and bookings, in order to target organisations and spread malware in email attachments. The more these emails resemble reality and contain correct information, the better they work in fooling the victims and with the coronavirus outbreak making the headlines daily, scams are only becoming more convincing. Last autumn Kaspersky experts shared research about the RevengeHotels campaign, during which cyber criminals sent out targeted booking emails mimicking various trustworthy organisations and even real people, going on to infect hotel computers and being able to steal clients’ credit card data.

This type of phishing is especially dangerous for employees of organisations that sell goods – they often receive requests for supplies and various orders. It is difficult to determine whether an email is real or not, even for very careful and attentive employees, which is why the number of scams is continuing to grow.

This email informing of postponed order in fact contains spyware detected as Trojan-Spy.Win32.Noon.gen

In the most recent cases, cybercriminals have referred to delivery issues caused by the pandemic: from their supplier in China not being able to produce the products on time, to checking if the victim would be able to fulfill the order that they have agreed to. In some cases, cybercriminals discuss urgent orders and this puts pressure on victims.

The main purpose of these emails is to make the victim open a malicious attachment, ultimately infecting the device and giving cybercriminals remote control or access to the organisation’s system. In order to trigger them to do so, cybercriminals ask victims to check delivery information, payment or order details that seemingly are in the attachment.

The attachment in this ‘urgent order’ is in fact a backdoor that enables remote access to the infected device. Kaspersky products detect it as Backdoor.MSIL.NanoBot.baxo

“Such phishing schemes are not as widespread as the regular ones we usually see, but they are often focused on a specific group of organisations and are quite regularly targeted. The best medicine from such a threat is a good security solution that can detect various threats in attachments and has a database of cataloguing these types of scams. The other piece of advice is remaining calm and attentive to details, and this is something we need to continue doing regardless of any external circumstances,” comments Tatyana Shcherbakova, Kaspersky’s senior web content analyst.

Learn more about different examples of phishing scams targeting organisations on the Kaspersky Daily Blog.

To minimise the risk of your business falling victim to spam and phishing, here are some tips on how to recognise it:

  • Carefully look at the files extensions. If it is an executable file, it is most likely not safe to open.
  • Check whether the company that sent you an email actually exists and look it up in a web search or on social media. If you cannot find any evidence of its existence, reconsider whether you should be working with such firm.
  • Check whether the information in the automatic signature and in the ‘Sent’ field is the same. If it is different, it is likely that the email was sent by a spammer.
  • Remember that cybercriminals can create fake documents by using information about the company they are pretending to be. Even if the information in the official email is the same as on the official resources of the organisation, but you still doubt its safety, reach out to the company in order to get a confirmation of this email having been sent.

Kaspersky also recommends organisations follow these cybersecurity practices:

  • Implement cybersecurity awareness training for your employees to teach them how to recognise phishing emails, so they do not open attachments or click on links from unknown or suspicious addresses. To reinforce skills, regularly conduct simulated phishing attacks.
  • Use a dedicated cybersecurity solution, such as Kaspersky Total Security for Business which includes mail threat protection along with web threat protection, behavior detection and exploit prevention capabilities.
  • Make sure that the security solution, as well as any other software used in a company, is regularly updated.


About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialised security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at