This document summarizes Trend Micro's findings on cyber threats related to the COVID-19 pandemic from March 1-27, 2020. The majority (69.5%) of COVID-19 related malicious URLs detected were hosted in the US, China, UK, Netherlands, and Germany. Most threats took the form of spam emails (65.7%) using coronavirus-themed lures like shipment notifications or health ministry updates. Emotet malware was prominently used in these campaigns. The number of threats is expected to grow as cybercriminals increasingly exploit pandemic fears. Trend Micro recommends multilayered security defenses to protect against these evolving threats.

2. CORONAVIRUS-RELATED THREATS
BRIEF SUMMARY as of March 27
This global health crisis continues to cause major impact to business, markets and
economy. As seen over time, global events such this automatically translates to a series
of online exploitations by the cybercriminals.
As the virus intensifies in volume and scope, so does the wave of threat attacks and
campaigns that use it as bait.
Trend Micro Research monitors this attack and this brief summary summarizes all our
findings. This will be updated regularly as new threats are discovered and critical updates
are released.

3. Scope of COVID19 Threats Discovered as of March 25
69.5%
22.9%
7.6%
Data as of March 26, 11PM EDT
Map of threats using COVID-19

4. © 2020 Trend Micro Inc.4
01
Top countries hosting
COVID-19 related
malicious URLs
*Note that the detection numbers represent the coverage of our Smart Protection Network sensors, which have
limited global distribution.

5. © 2020 Trend Micro Inc.5
01
Types of malicious URLs
*Note that the detection numbers represent the coverage of our Smart Protection Network sensors, which have
limited global distribution.

6. © 2020 Trend Micro Inc.6
01Top countries
targeted by spam
emails connected to
COVID-19
*Note that the detection numbers represent the coverage of our Smart Protection Network sensors, which have
limited global distribution.

7. © 2020 Trend Micro Inc.7
01
Top countries with
malicious file detections
(with "covid" or "covid19" in the file name)
*Note that the detection numbers represent the coverage of our Smart Protection Network sensors, which have
limited global distribution.
This data reflects findings from March 1-27 2020

8. © 2020 Trend Micro Inc.8
01EMOTET
was prominently used
in coronavirus
campaigns
Emotet was discovered 2014 from a known
as a banking malware variant that stole data by
sniffing out network activity evolved more complex
form acting as a loader for other malware families
EMOTET Infection Diagram for the recent wave of attacks

9. © 2020 Trend Micro Inc.9
01SPAM: top method to
deliver attacks on
enterprises
Top 2 Spam Samples
• Shipment Notification
• Coronavirus Ministry of
Health Updates
65.7%

10. © 2020 Trend Micro Inc.10
01
Expected growth in
EMAIL SCAM
proliferation
Top Emerging Techniques
1. Targeting specific countries,
including China and Italy
2. Business Email Compromise
3. Cruel ransomware
4. Sextortion-related scamsFigure 7 Source Bleeping Computer
Coronavirus extortion email spam
BEC email taken from bleepingcomputer.com

11. © 2020 Trend Micro Inc.11
INFO-THEFT THROUGH CORONAVIRUS
INTERACTIVE MAP
An interactive coronavirus map was used to spread
information-stealing malware.
MALICIOUS MOBILE APPLICATION
A mobile ransomware named CovidLock
comes from a malicious Android app that
supposedly helps track cases of COVID-19.
Snapshot John Hopkins Interactive Map
Threat actors exploit the public’s need for information about Covid-19 to
distribute malware.

12. © 2020 Trend Micro Inc.12
01DEFENSE AGAINST
THESE THREATS
Trend Micro endpoint solutions such as the Smart Protection
Suites and Worry-Free™️ Business Security detect and block
the malware and the malicious domains it connects to.
As an added layer of defense, Trend Micro™ Email
Security thwarts spam and other email attacks. The protection
it provides is constantly updated, ensuring that the system is
safeguarded from both old and new attacks involving spam,
BEC, and ransomware.
Trend Micro™ InterScan™ Messaging Security provides
comprehensive protection that stops inbound threats and
secures outbound data. It blocks spam and other email
threats.
A multilayered protection is also recommended for protecting
all fronts and preventing users from accessing malicious
domains that could deliver malware.

13. © 2020 Trend Micro Inc.13
DEVELOPING STORY : CORONAVIRUS
Threats and Campaigns
Official landing page for all threat and security
findings related to this virus
2020 PREDICTIONS: “Home offices will redefine supply chain
attacks”
GET MORE INFORMATION
Fundamental security practices and guidance for
employees/organizations and consumer /families how
conduct business safely online
WORKING FROM HOME GUIDE

14. TWITTER
https://twitter.com/TrendMicroRSRCH
BLOG
https://blog.trendmicro.com/trendlabs-security-intelligence/
SECURITY NEWS
https://www.trendmicro.com/vinfo/us/security/news/