24/7 Emergency – (888)-287-5858

It should come as no surprise that cybercriminals are using the COVID-19 pandemic as a phishing lure. Popular media events always result in new attacks. But with the heightened level of awareness (panic?), end-users are likely more susceptible than usual. GoSecure Inbox Detection and Response (IDR) has blocked several new variants, each with varying levels of complexity to the phishing lure but almost all looking to install a remote access trojan. As remote access trojans (RAT) are known for many nefarious activities (log keystrokes, access the camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the vi desktop, perform process, file, and registry manipulations and more), it’s unknown what the endgame is, but it’s safe to assume it’s nothing good.

In this example, and a commonly used tactic in COVID-19 attacks, the phishing lure purports to come from the World Health Organization (WHO). This one is exceedingly simple in its design, including the continually infamous use of misspellings and poor English grammar.


And, no, Dr. Penelope Marchetti does not appear to be a real person.

Attached to the email is a macro-enabled Microsoft Excel add-in file, COVID-19 Recomendaton_Precaution_Desinfection.xlam (note misspelling of disinfection). By default, Microsoft Outlook is cautious about opening attachments, but other email clients are not as diligent. And most users are unlikely to note the XLAM extension, which they rarely ever see.

Once opened, the XLAM attachment connects to a dynamic web site via dynamic DNS duckdns.org. This technique allows the attacker to change the location of the malicious download, thus allowing the campaign to have a longer life. Once connected, the malicious website delivers njRAT, a remote access trojan first observed in 2012. Many variants of njRAT have been created since it’s initial observation. More in-depth analysis by GoSecure indicates this version is the BLADABINDI variant. Even amongst BLADABINDI there are multiple variants as the underlying RAT has a myriad of capabilities. It’s BLADABINDI’s customizability and seeming availability in the underground that makes it a prevalent threat.

Digging into the mechanics of sending this email, the sending domain of supporrtteam.com reuses the misspelling technique, knowing that most end users won’t notice. Bigger question should be why the WHO is sending email from a non-related domain? Here again, with all the media attention surrounding COVID-19, most users won’t notice or ask. Also, the sending domain does not resolve via a DNS lookup, always an indicator of suspicion.

The use of COVID-19 phishing lures will continue until they are no longer effective. This is just one example that GoSecure has seen, and we will report on others as we have the details. Please consider the mitigation actions noted below to protect your organization immediately. GoSecure Inbox Detection and Response will also protect your users from wherever they view the email.

Mitigation Actions

  • Block DNS lookups to duckdns.org
    • This may impact legitimate DNS lookups
  • Block incoming email from supporrtteam.com
  • Prevent all email clients from opening XLAM attachments

GoSecure Titan® Managed Extended Detection & Response (MXDR)​

GoSecure Titan® Managed Extended Detection & Response (MXDR)​ Foundation

GoSecure Titan® Vulnerability Management as a Service (VMaaS)

GoSecure Titan® Managed Security Information & Event Monitoring (SIEM)

GoSecure Titan® Managed Perimeter Defense​ (MPD)

GoSecure Titan® Inbox Detection and Response (IDR)

GoSecure Titan® Platform

GoSecure Professional Security Services

Incident Response Services

Security Maturity Assessment

Privacy Services

PCI DSS Services

Penetration Testing Services​

Security Operations


GoSecure MXDR for Microsoft

Comprehensive visibility and response within your Microsoft security environment


Cyber Risks

Risk-Based Security Measures

Sensitive Data Security

Safeguard sensitive information

Private Equity Firms

Make informed decisions

Cybersecurity Compliance

Fulfill regulatory obligations

Cyber Insurance

A valuable risk management strategy


Combat ransomware with innovative security

Zero-Day Attacks

Halt zero-day exploits with advanced protection

Consolidate, Evolve & Thrive

Get ahead and win the race with the GoSecure Titan® Platform


GoSecure Titan® Endpoint Detection and Response (EDR)

GoSecure Titan® Next Generation Antivirus (NGAV)

GoSecure Titan® Network Detection and Response (NDR)

GoSecure Titan® Inbox Detection and Reponse (IDR)

GoSecure Titan® Intelligence


GoSecure is a recognized cybersecurity leader and innovator, pioneering the integration of endpoint, network, and email threat detection into a single Managed Extended Detection and Response (MXDR) service. For over 20 years, GoSecure has been helping customers better understand their security gaps and improve their organizational risk and security maturity through MXDR and Professional Services solutions delivered by one of the most trusted and skilled teams in the industry.




24/7 Emergency – (888)-287-5858