According to security awareness training and simulated phishing platform provider KnowBe4, the email instructs people to download a malicious attachment and proceed immediately to the hospital, with the particular “social engineering scheme” appearing to come from a legitimate hospital, “which is why it’s so alarming and could trick even a cautious end user”.
The victim of the phishing scam is instructed to fill out a pre-filled Excel form, which KnowBe4 says is actually a macro-laden Office document that serves as a trojan downloader and is currently only detected by a handful of anti-virus applications.
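A cheap triage check a mail gateway or analyst can apply to such attachments: modern Office files are ZIP containers, and a VBA macro project is stored as a `vbaProject.bin` part, so its presence (especially inside a file that claims to be a plain `.xlsx`) is worth flagging before a user ever opens it. This is an added example, not code from the article or from KnowBe4; the sample documents are constructed in memory so it runs offline.

```python
"""Flag Office attachments that carry a VBA macro project (OOXML containers)."""
import io
import zipfile

MACRO_PART_SUFFIX = "vbaproject.bin"            # real OOXML part name, compared case-insensitively
MACRO_EXTENSIONS = {".xlsm", ".docm", ".pptm", ".xlam", ".xltm"}


def build_sample_office_zip(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like container (a stub, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed-vba-stub")
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if the ZIP container holds a VBA project part anywhere in its tree."""
    if not data.startswith(b"PK"):
        return False            # not a ZIP container (legacy OLE .xls or unrelated data)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(MACRO_PART_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> list:
    """Return findings for one attachment; an empty list means nothing was flagged."""
    findings = []
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if has_vba_project(data):
        findings.append("contains VBA project")
        # A macro project hidden under a non-macro extension is a classic lure pattern.
        if ext not in MACRO_EXTENSIONS:
            findings.append(f"macro project inside non-macro extension {ext or '(none)'}")
    return findings


if __name__ == "__main__":
    for name, doc in [("form.xlsx", build_sample_office_zip(True)),
                      ("form.xlsm", build_sample_office_zip(True)),
                      ("form.xlsx", build_sample_office_zip(False))]:
        print(name, "->", triage_attachment(name, doc) or ["clean"])
```

Legacy binary formats (`.xls`, `.doc`) are OLE compound files rather than ZIPs, so this check returns no finding for them; a full triage pipeline needs an OLE-aware parser as well.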
KnowBe4 says this piece of malware has a number of advanced functions that allow it to evade detection by security applications, worm its way deep into an infected system, and serve as a platform for a variety of criminal activities.
“This is a new type of malware that we’re seeing, as it was reported for the first time just a few days ago,” said Eric Howes, principal lab researcher, KnowBe4.
“For the bad guys, this is a target-rich environment that preys on end users’ fears and heightened emotions during this pandemic. Employees need to be extra cautious when it comes to any emails related to COVID-19 and they need to be trained and educated to expect them, accurately identify them and handle them safely.”
To assist organisations in preparing their employees for secure remote working, KnowBe4 says it has developed a short, complimentary COVID-19 Best Practices for Employees video module, available in 10 languages.