An outbreak of Coronavirus trojans and scams

Graham Cluley
@gcluley


Recent weeks have seen a spate of scams associated with the Coronavirus pandemic, and there is little evidence of the end being in sight (either of the real-world threat to health or the cybercriminal attacks.)

Amongst other reports, the analysts at Trend Micro have warned of a threat being distributed within a file called Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar.

Of course, filenames are trivial to change – and just watching out for a file with a specific name is not a sensible way to keep your computer malware-free. A better way to protect yourself is to be wary of opening unsolicited files, and to run a recently updated anti-virus program.

Unfortunately, in this case, detection by anti-virus software may not currently be as good as would be normally hoped – perhaps because it is written for the Node.js runtime environment that executes JavaScript code outside of its normal habitat within your web browser.

Sign up to our newsletter
Security news, advice, and tips.

This particular Trojan horse may not be a significant threat for most users, but it has some unusual characteristics which make it noteworthy:

Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed as “QNodeService”.

The use of Node.js is an unusual choice for malware authors writing commodity malware, as it is primarily designed for web server development, and would not be pre-installed on machines likely to be targeted. However, the use of an uncommon platform may have helped evade detection by antivirus software.

The malware has functionality that enables it to download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things. It targets Windows systems, but its design and certain pieces of code suggest cross-platform compatibility may be a future goal.

Chances are, judging by the filename that it is using, that the attack may have been part of a Coronavirus-themed attack.


The researchers at Proofpoint have been examining a number of Coronavirus-related phishing webpages, posing as various government and non-government organisations claiming to offer financial assistance in light of the COVID-19 pandemic.

Of course, if you hand over your personal information you’re not going to receive a financial handout from these malicious websites – you’re just going to have your credentials or personal information harvested.

Spoofed organisations include the World Health Organisation (WHO), United States Centers for Disease Control (CDC), Internal Revenue Service (IRS), Canadian Revenue Agency, the UK’s HMRC, and even Westminster City Council.


Meanwhile, IBM’s threat research team says that it has seen updated versions of the Zeus Sphinx banking malware being distributed in Coronavirus-related campaigns.

Spread via email attachments that claim to offer recipients COVID-19 relief payments, the malware steals online account passwords and banking details, redirecting users to bogus websites when they try to visit financial websites.

IBM’s researchers note that Zeus Sphinx has been relatively inactive in recent years, but has been receiving frequent updates of late, with new versions targeting North American banks in particular.

Stay safe folks.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.