Vigilante found several malicious campaigns emanating from threat actors in the underground economy, which are targeting Canadian citizens who qualify for economic relief from the COVID-19 pandemic under Canada’s Economic Response Plan. Vigilante notes and documents below the various “Malspam” email campaigns built around the themes of relief fund efforts, tax refunds, employee “COVID-19 violations”, World Health Organization (WHO) statistics and general information, including schemes targeting healthcare and supply chain industries with promises of medical supplies and personal protective equipment (PPE) for sale.

The emails appear to come from legitimate senders and contain some form of convincing verbiage, seemingly legitimate links, and typically an attachment of some kind, all seeking to entice victims to click on links and open attachments, which, upon clicking or file execution (and likely macro enabling) would deliver a malicious payload designed to install malware to compromise the victim’s computer. (Figures 1-4)


Primary Attack Vector

Figure 5: Malicious SMS Spam Campaign

Vigilante notes that the primary attack vector for COVID-19-themed mobile malware distribution is through the use of wide-spread SMS spam campaigns. One of the campaign themes in question (Figure 5) promises free surgical masks to all Canadian households, which victims may receive by visiting a fake website built to resemble an official Red Cross website, complete with a convincing URL.

Once visited, the fake website is believed to deliver malicious code, likely for banking fraud purposes. Vigilante identified a banking trojan for Android-based operating systems (Faketoken) used in a recent and similar campaign, which buoys the confidence in our assessment.

Vigilante further highlights that Canadian citizens and businesses are being targeted by various malicious email and social media campaigns (platform agnostic) touting the promise of government financial assistance to obtain personally identifiable information (names, emails, phone numbers, etc.) to further defraud victims. These campaigns are also doubling down on work-from-home scams, COVID-19 equipment reselling scams, and government financial assistance scams.

Vigilante assesses with moderate confidence that threat actors and threat actor groups will increase their targeting of larger organizations that are slated to receive relief aid or bailout funds; Vigilante notes that the attack vectors for larger organizations would be consistent with similar, existing campaigns previously mentioned, but efforts to compromise individuals within these organizations, and company infrastructure will be intensified.