Malware

New Cyber Attack Campaign Leverages the COVID-19 Infodemic

Researchers from Cybaze Yoroi ZLab have spotted a new campaign exploiting the interest in coronavirus (COVID-19) evolution to spread malware.

Introduction

Nowadays, it is common to say that the physical world and the cyber world are strictly connected. The proof is the leverage of the current physical threat, the CoronaVirus (COVID-19), as a social engineering trick to infect the cyber world. It is not new for cyber-crooks to exploit social phenomena to spread malware in order to maximize the impact and dissemination of a malicious campaign. This is the case of the Greta Thunberg phenomenon exploited in recent Emotet campaigns or the holiday themed campaign spread a few months ago.

Indeed, during  the last month, a new virus, dubbed “Corona Virus” codename COVID-19 has been arising, infecting thousands of people in China, and also all around the world. 

The statistics are worrying, and, of course, they represent an opportunity for cyber-crooks. This kind of threat is opportunistic by design, aimed to hit everyone without any specific target. In an opportunistic attack scenario the malware is spread across a huge number of victims taking advantages of an early disclosed vulnerability and the time frame for patching it or taking advantages of a widespread phenomena such as in this case.

Threat actors are using fear and panic caused by the spread of the virus to deliver their malicious artifacts and increase the number of infected victims, making it look like a “Coronavirus countermeasures” document.

Kaspersky and IBM X-Force have recently discovered an Emotet campaign delivered on Corona Virus trend. In this case, based on the analysis of the shared IoC, all the identified samples are not new and were reused with some small changes. then delivered in China regions spread via a malicious decoy document, emphasizing the opportunistic nature of these attacks.

During our Threat Intelligence activities we noticed a suspicions artifact named “CoronaVirusSafetyMeasures_pdf”, so, intrigued by its name and by its recent submission on Yomi Hunter (LINK), we decided to deep dive into it.

Technical Analysis

Probably, the infection vector was a phishing mail containing a specific attachment. However, detailed information about the vector used to spread the malware are unknown. Our analysis, therefore, begins with the executable recovered from the Yomi Sandbox.

Hashc9c0180eba2a712f1aba1303b90cbf12c1117451ce13b68715931abc437b10cd
ThreatObfuscated Remcos RAT Dropper
Ssdeep768:dBbjxSuO05cYJAsq4XqkDSUWvcDD5Ebcoq:dSuT5cYJAsq4XqkxWID6m

Table 1. Sample information

The sample showed an interesting behavior, it established a TLS protected connection to a file sharing platform named “share.]dmca.]gripe”, possibly to avoid reputation warnings raised by next-gen firewalls.

Figure 2: URL in the dropper configuration

Figure 3: Dashboard of the file hosting service used

The file downloaded from this censorship free file hosting is actually a chunk of 125KB random looking bytes, suggesting it would likely be some binary payload protected with strong encryption.

Figure 4: Piece of the encrypted file downloaded from “share.]dmca.]gripe”

In the meantime, the malware writes two artifacts in the “C:\Users\<username>\Subfolder” system directory. Inside it,  two files named “filename1.vbs” and “filename1.exe” appeared.

Figure 5: Installed files

The content of the VBScript is straightforward: it simply is the launching point to run executable file. 

Figure 6: Body of the VBS script

The reboot survival of the infection is granted through the setup of the registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce”. A classical trick we keep noticing in a very huge number of malware implant, led us to think it actually still able to serve its malicious purpose even after decades, even after all the research community is fully aware of it.

Figure 7: Evidence of the set of the registry key

Then, the malicious code stores sensitive information gathered from the monitoring of user keypress in a file named “logs.dat”, placed in the  “%AppData%\Local\Temp\onedriv” directory. Different from the default Remcos working directory.

Figure 8: Path and file containing the sensitive information about the victim 

Finally, all the loot is sent to the remote command and control hosted at 66.154.98.108, operated by “Total server solutions LLC”, an US hosting provider operating since 2012.

Figure 9: C2 connection

Intercepting the malware process communications we noticed the usage “|cmd|” delimiter, a typical pattern confirming the final payload is a customized built of Remcos, also revealing the identifier of the attack campaign configured by the crooks: “j8gb-GBATN3”.

Figure 10: Piece of network communication intercepted

A summary of the infection chain can be represented by the following schema.

Figure 11: Malware attack chain

Conclusion

The COVID-19 phenomenon is scaring entire populations all around the world, many times raising panic and irrational or dangerous individual behaviors of a lot of people often pushed by some kind mass media narratives designed to leverage their uncertainty and emotional reactions, rather than inform them.

Cyber criminals are greedily looking at this kind of narrative and are launching wide-spread, opportunistic cyber attacks to exploit the irrational behaviors of the individuals overwhelmed by the COVID-19 infodemic. 

The ZLab-Yoroi Cybaze researchers advise to maintain a high attention level when receiving or treating communications claiming to be related to the CoronaVirus phenomenon, to avoid panic clicking on the link coming from unattended source and to contact trusted experts in case of the doubts. 

Indicators of Compromise (IoCs) and Yare Rules are available in the repor published by Cybaze Yoroi-Zlab

https://blog.yoroi.company/research/new-cyber-attack-campaign-leverages-the-covid-19-infodemic/
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – malware, COVID-19)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds a Samsung MagicINFO 9 Server flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Samsung MagicINFO 9 Server vulnerability to its…

8 hours ago

New Signal update stops Windows from capturing user chats

Signal implements new screen security on Windows 11, blocking screenshots by default to protect user…

16 hours ago

Law enforcement dismantled the infrastructure behind Lumma Stealer MaaS

Microsoft found 394,000 Windows systems talking to Lumma stealer controllers, a victim pool that included…

21 hours ago

Russia-linked APT28 targets western logistics entities and technology firms

CISA warns Russia-linked group APT28 is targeting Western logistics and tech firms aiding Ukraine, posing…

23 hours ago

A cyberattack was responsible for the week-long outage affecting Cellcom wireless network

Cellcom, a regional wireless carrier based in Wisconsin (US), announced that a cyberattack is the…

1 day ago

Coinbase data breach impacted 69,461 individuals

Cryptocurrency exchange Coinbase announced that the recent data breach exposed data belonging to 69,461 individuals.…

2 days ago