Threat actors pose as Indian govt. to spread malware laced COVID email attachments

The email orders organizations to review the attachment and submit their plan of action to combat Coronavirus, much similar to APT36's pattern of attack.
Updated on
April 19, 2023
Published on
April 29, 2020
Subscribe to the latest industry news, threats and resources.
In a recent attempt to spread malware, threat actors, posing as Indian government departments, are sending malicious emails to organizations. The email claims to be a follow up to a previous correspondence, and orders organizations to review the attachment and submit their plan of action to combat Coronavirus. The seemingly official language of the email content, makes it seem like a directive from the Home Ministry of India. This tactic coerces victims into opening the malware laced attachments immediately. phishing email Although a fake email address, [email protected] gives victims the impression of a legitimate mail address. However, the actual email address of the Ministry of Home Affairs ends in [email protected]. The email attachment titled Coronavirus_action_plan.docx, as reported by Subex, is found to drop malware into the victim’s system, once opened. 

Similar phishing lure by APT36

A similar incident was reported by Malwarebytes on 16 March, this year, when the alleged Pakistani state-sponsored threat actor group, APT36, posed as the Government of India to send Coronavirus health advisory emails with malicious attachments. Notably, this group is known for targeting the Indian government, its embassies and the defense system. The email attachment contained two malicious macros that dropped the CrimsonRAT payload, to steal credentials from browsers, capture screenshots, list running processes, directories, and drives, and more. 



Indicators of Compromise

Decoy URLs[.]email/?att=1579160420[.]email/?att=1581914657
Decoy documents
  This lure bears a stark similarity with the emergency response plan phishing email, in that:
  • Both the emails are traced back to addresses that impersonate the Indian government, 
  • They have attachments that call for immediate attention and action, and 
  • These emails were sent to victims under the cover of Coronavirus.

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations