
State Sponsored Chinese Hackers Leverage Coronavirus Pandemic to Send Malware with Fake Press Briefings
Cyber security researchers at Check Point have discovered yet another malware attack disguised as official communications surrounding the Coronavirus pandemic. In this latest COVID-19 themed cyber attack, the hackers behind it are a Chinese Advanced Persistent Threat (APT) Group known as Vicious Panda. The RAT malware used in this attack can create or delete directories, and move, delete, or download files. It can also take screenshots of your computer screen and send them back to hackers.
Because of the Coronavirus, COVIS-19, pandemic that is rapidly spreading across the world, hackers are taking advantage of people’s concerns. There have been multiple new email phishing campaigns sending malware to those seeking information about COVID-19. All the of the emails have been disguised as supposedly official communications from organizations like the World Health Organization and various governments. No country is immune from these attacks.
This malware attack sends two weaponized text documents to deliver a new, never seen before malware which targeted a public sector entity of Mongolia. The hacking group expanded the cyber attack to countries across the globe – including Ukraine, Russia, and Belarus.
According to CheckPoint, the title of the malicious document is,” About the Spread of New Coronavirus Infections.”

Cyber Attacks Against Critical Industries are Increasing
In February, the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warned IT system administrators of an increase in malware attacks against critical industries. This came after pipeline facility had to shut down operations for two days after a malware attack crippled its process monitoring network.
Ransomware was successfully delivered to a gas compression facility via a spear phishing email. Hackers were able to infiltrate the facility’s IT network and move on to their operational technology (OT) network. Because of capacity issues other facilities also had to halt production while the infected facility underwent remediation procedures.
In the Vicious Panda malware campaign, the APT group sends two rich text file (RTF) documents that are weaponized with remote access malware. Both documents are designed to look like press briefings. One impersonates the Mongolian Ministry of Foreign Affairs. These RTF files are weaponized with RoyalRoad version 7.x. RoyalRoad is commonly used by various Chinese hackers. According to CheckPoint’s analysis, it “allows the attacker to create customized documents with embedded objects that exploit the Equation Editor vulnerabilities of Microsoft Word.”
When the victim opens the malicious RTF email attachments, they exploit a Microsoft Word security bug. RoyalRoad drops intel.wll into the victim’s machine into the MS Word startup folder: %APPDATA%\Microsoft\Word\STARTUP.

After that, when Microsoft Word is launched on the infected computer, any DLL files with a WLL extension in the Word Startup folder launch as well. Like many malwares, this downloads more malware – in this case it is a RAT module. The RAT module can take screenshots. It can also list files and directories, create or delete directories, and move, delete, or download files.
How to Protect Against Malware Attacks
- Read our guide on how to detect a phishing email
- Use Multi-Factor Authentication to access computers, apps, and email
- Never open an email attachment send by a stranger
- Check the email address of anyone who sends an email to you, especially if it unsolicited
- Schedule regular backups of critical data
- Use a reliable antivirus app to protect phone and computers from malware
- Stay off of spoof websites