COVID-19 Vaccine Cyber-Attacks Both Steal Credentials & Also Spread Zebrocy Malware!

Cyber-criminals are using the recent rollout of the COVID-19 vaccines globally in various cyber-attacks – from stealing email passwords to distributing the Zebrocy malware.

These cyber-criminals are targeting the impending rollout of COVID-19 vaccines with everything from simple phishing scams to sophisticated Zebrocy malware campaigns.

Media Attention

Security researchers with KnowBe4 commented that the recent wave of vaccine-related cyber-attacks exploits the widespread media attention around the development and distribution of COVID-19 vaccines – as well as recent reports that manufacturers like Pfizer may not be able to supply additional doses of its vaccine to the US in large volumes until sometime in Q2.

These lures continue to play into the emotions of victims during a pandemic – something seen in various phishing & malware campaigns throughout the last year.

“Malicious actors had a ‘field day’ back in March and April as the Coronavirus washed over countries around the world,” observed Eric Howes, with KnowBe4, in a Wed. post. “It was & still is the perfect tool for social engineering scared, confused, & even downright paranoid end users into opening the door to your organisation’s network.”

Zebrocy Malware Lures

Researchers with Intezer recently discovered a new Zebrocy malware sample in a campaign that has the signs of a COVID-19 vaccine lure. In Nov., researchers uncovered a Virtual Hard Drive (VHD) file (VHD is the native file format for virtual hard drives used by Microsoft’s hypervisor, Hyper-V) uploaded to Virus Bulletin.

This VHD file included a PDF file suggesting that the cyber-criminals behind the attack were using a COVID-19 vaccine-related spear-phishing lure. The PDF consisted of presentation slides about Sinopharm International Corporation, a China-based pharmaceutical company currently working on a COVID-19 vaccine.


Sinopharm International Corporation’s vaccine is currently undergoing Phase 3 clinical trials but it has already been distributed to nearly 1m people.

The second file in the VHD, pretending to be a Microsoft file, was a sample of Zebrocy written in Go. Zebrocy (also known as Sednit, APT28, Fancy Bear, & STRONTIUM), a malware used by the threat group Sofacy, operates as a downloader & collects data about the infected host that is then uploaded to the command-&-control (C2) server before downloading & executing the next stage.

Researchers noted that the C2 infrastructure linked to this campaign seems new.


Researchers warn that the attackers behind Zebrocy will likely continue to utilise COVID-19 vaccines as a lure:

“Given that many COVID-19 vaccines are about to be approved for clinical use, it’s likely that APTs (Advanced Persistent Threat) & financially motivated threat players will use this malware in their attacks,” they commented in a Wed. post.

‘Fill Out This Form’

A recent phishing scam seen by researchers tempts victims to “fill out a form” to get their vaccine. In reality, the attackers are after email credentials. Eric Howes, principal lab researcher at KnowBe4, explained that researchers “saw a very small number of emails” connected to the campaign, all of which went to .EDU email addresses.

“I doubt this particular email was very targeted, so it’s entirely possible – even likely – that plenty of other organisations received copies of that email,” stated Howes. “Just how many, we do not know.”


The emails say, “due to less stock covid-19 vaccine & high increase demand of the Covid-19 vaccine distribution within the USA,” they need to fill out a form in order to get on the vaccine distribution list.

The email, titled “FILL OUT THE FORM TO GET COVID-19 VACCINE DISTRIBUTE TO YOU,” has many red flags – including grammar errors & a lack of branding that could make it appear legitimate.

However, Howes observed that “desperation, fear, curiosity & anxiety” could cause recipients to ignore these red flags & move forward in clicking the link.

Red Flags

“Given that we’re now 9 months into the pandemic in the US, people are weary & looking for a way out,” he outlined. “Even though this email was not as polished as it could have been, when recipients are highly motivated to learn more about the announced subject of an email, those kinds of obvious red flags can be ignored or not even noticed.”

Should a recipient click on the link provided to what is purported to be the “PDF form,” they are redirected to a phishing landing page that pretends to be a PDF online cloud document manager.


The site (pdf-cloud.square[.]site), which is still active at time of writing, asks users for their email address & password in order to sign in.

This attack builds on related COVID-19 vaccine phishing emails from earlier this month, including one that tells recipients to click a link in order to reserve their dose of the COVID-19 vaccine through their “healthcare portal.”
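As an added defender's example (not code from the article, KnowBe4 or Intezer), a small Python triage script that flags the two lure traits described above: a disk-image (VHD) attachment like the one carrying the Zebrocy sample, and a “PDF form” link that leads to a document host the organisation does not use. The trusted host and the sample messages are constructed for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

CONTAINER_EXTS = (".vhd", ".vhdx")          # disk images, as in the Zebrocy lure
LURE_WORDS = ("vaccine", "covid")           # subject words matching the lures above
TRUSTED_DOC_HOSTS = {"docs.example-org.test"}  # hypothetical org's own document host

def triage_email(raw: str) -> list:
    """Return red-flag descriptions for one RFC 822 message (empty if none)."""
    msg = message_from_string(raw)
    flags = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(CONTAINER_EXTS):
            flags.append("disk-image attachment: " + name)
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in re.findall(r"https?://[^\s\"'<>]+", body):
                host = urlparse(url).hostname or ""
                # a "PDF form" link that leads to a host the org does not use
                if "pdf" in url.lower() and host not in TRUSTED_DOC_HOSTS:
                    flags.append("pdf-themed link to untrusted host: " + host)
    if flags and any(w in (msg.get("Subject") or "").lower() for w in LURE_WORDS):
        flags.append("vaccine-themed subject")
    return flags

# Constructed sample messages (not real campaign artefacts).
PHISH_FORM = """\
Subject: FILL OUT THE FORM TO GET COVID-19 VACCINE DISTRIBUTE TO YOU
Content-Type: text/plain

Fill out the PDF form: http://pdf-cloud.example-phish.test/form
"""
PHISH_VHD = """\
Subject: Sinopharm vaccine presentation
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="slides.vhd"

AAAA
--b1--
"""
BENIGN = """\
Subject: Vaccine clinic schedule
Content-Type: text/plain

Schedule: https://docs.example-org.test/pdf/schedule.pdf
"""
```

Running `triage_email` over a mailbox export gives a first-pass list of messages worth a closer look; the benign sample shows that a vaccine-themed subject alone does not raise a flag.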

COVID-19 Campaigns

Researchers warn that cyber-criminals will continue to use the rollout of the COVID-19 vaccine in various new ways.

For instance, just this week Europol, the European Union’s law-enforcement agency, issued a warning about the rise of vaccine-related Dark Web activity.

This month a sophisticated, global phishing campaign has been targeting the credentials of organisations associated with the COVID-19 “cold-chain” – companies that ensure the safe preservation of vaccines by making sure they are stored and transported in temperature-controlled environments.

Sputnik V

COVID vaccine manufacturer Dr. Reddy’s Laboratories, whose factories in Brazil, India, the UK & US were contracted to make the Russian vaccine “Sputnik V,” was forced to shut those factories down in late Oct.

The APT group Dark Hotel targeted the World Health Organization last March, in an attempt to steal any information they could find related to tests, vaccines or trial cures.


“With these recent phishing lures, it’s clear that COVID-19 themed attacks are still a threat & we might see more as vaccines become available to the general public,” explained Intezer researchers.

“It’s important that companies use defence-in-depth strategies to protect against threats. Employers should also ensure employees are trained on detecting & reacting to phishing attempts.”