Security Experts:

Connect with us

Hi, what are you looking for?



Healthcare, Government Organizations Targeted in BEC Attacks With COVID-19 Lures

Nigerian cybercriminals specialized in business email compromise (BEC) attacks were observed leveraging COVID-19 lures in recent attacks on healthcare and government organizations, Palo Alto Networks reveals.

Nigerian cybercriminals specialized in business email compromise (BEC) attacks were observed leveraging COVID-19 lures in recent attacks on healthcare and government organizations, Palo Alto Networks reveals.

Referred to as SilverTerrier and active since at least 2014, the group represents a collective of over 480 individual threat actors launching an average of 92,739 assaults per month in 2019, most of them targeting the high-tech industry.

Between January 30 and April 30, 2020, Palo Alto Networks observed three SilverTerrier groups launching ten COVID-19-themed malware campaigns that included over 170 phishing emails across the security company’s customer base.

The campaigns stand out because they also attempted to compromise organizations critical to COVID-19 response efforts, including “government healthcare agencies, local and regional governments, large universities with medical programs/centers, regional utilities, medical publishing firms, and insurance companies across the United States, Australia, Canada, Italy, and the United Kingdom.”

With many cybercriminals tailoring their attacks to take advantage of the current COVID-19 crisis, including nation-states, it’s no surprise that BEC scammers attempted to seize the opportunity as well.

However, Palo Alto Networks says that none of the observed SilverTerrier attacks taking advantage of the coronavirus crisis has been successful in compromising the intended target.

According to the latest report from the FBI’s Internet Crime Complaint Center (IC3), reported BEC and email account compromise (EAC) losses topped $1.7 billion in 2019, up from $1.3 billion in 2018.

Starting January, one of the actors behind the recent campaigns was observed launching multiple attacks that attempted to exploit CVE 2017-11882, an Office vulnerability that Microsoft patched in 2017, to run an executable file.

The assaults targeted organizations in the United States (a major utility provider, a university, and a government agency), Australia (a health insurance provider and an energy company), Canada (health agency), and a European medical publishing company to deliver various malware families.

Two other campaigns targeted US organizations (government health agencies, universities with medical programs, state infrastructure, and a health insurance company), a Canadian health insurer, a university and regional government in Italy, and various government institutions in Australia.

In the second half of March, a second SilverTerrier actor sent phishing emails to several organizations, including a government health agency in the United States, attempting to deliver the Lokibot malware to the intended victims.

On March 23 and 24, a third actor (named Black Emeka) sent a series of emails disguised as COVID-19 information, leveraging PowerShell to download malicious executables onto the victims’ systems.

SilverTerrier threat actors are expected to continue to use COVID-19-themed emails in an attempt to infect their victims with commodity malware to help them achieve their objectives.

“In light of this trend, we encourage government agencies, healthcare and insurance organizations, public utilities, and universities with medical programs to apply extra scrutiny to COVID-19-related emails containing attachments,” Palo Alto Networks concludes.

Related: Nigerian Threat Actors Specializing in BEC Attacks Continue to Evolve

Related: Nigerian Cybercrime ‘Group’ Has 400 Malicious Actors

Related: FBI Expects Increase in COVID-19-Themed BEC Scams

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack