Coronavirus Security Trends
by EW in
Attack Campaigns Digital Threats Trends vulnerabilities

Exploiting the headline-dominating crisis, individuals, organizations and governments alike are tricked into opening malicious payloads, visiting malicious websites and are subject to misinformation or fraud.

Link: https://blog.cyberint.com/covid-19-ongoing-campaigns

Summary:

  • Research carried out by Cyberint Threat Research Team
  • A running commentary on emerging and trending cyber threats that are taking advantage of the unprecedented uncertainty due to the Coronavirus epidemic
  • Three malware campaigns are catalogued and dissected in this blog so far:
    • Malware Campaign Distributing the Remcos Information Stealer
    • Malware Campaign Distributing the Agent Tesla Information Stealer 
    • COVID-19 Malware Campaign Targeting APAC 
  • Remcos Information Stealer
    • An excel document with Macros enabled leverages a microsoft exploit that downloads additional malware that steals the users information such as keystrokes and login information
  • Agent Tesla Information Stealer
    • Malware distributed within zipped .7z files. Names such as “ALL UPDATED INFORMATION FROM CDC ON COVID-19 IN YOUR AREA.7z” are used to entice users to extract the files within.
  • COVID-19 Malware Campaigns
    • A phishing campaign targeting academia in South East Asia. The emails are crafted to appear to be from the World Health Organisation (WHO) and include instructions and advice around the epidemic.
    • The emails have an attached document which asks the user to click ‘enable’, following which a Windows vulnerability is exploited which allows the hacker to execute code on the target machine remotely.
  • Full details on all the above attacks, including TTPs and IOCs, are included within the blog post. These should be used to implement detection and protection controls on internal and perimeter security toolsets.

Extracted IOCs & Artefacts:
(full list and details here)

Files:

  • (COVID-19) conseils au grand public.xlam
  • vbc.exe
  • ALL UPDATED INFORMATION FROM CDC ON COVID-19 IN YOUR AREA.exe
  • FIRST REPORT SANGER COVID-19 03172020.exe
  • HONNIN.exe
  • svchost.exe
  • CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm
  • Uopcep.exe

IPs/URLs:

  • 185.19.85.141
  • http://192.3.31.212/AMANICRYPTED.exe

Vulnerabilities:

  • CVE-2017-11882
Tags: , , , , , , , ,

Share Post:
Facebook Twitter Pinterest

Related Posts

Finastra Ransomware Attack Digital Threats

Finastra Incident: A Positive Ransomware Case Study

MacOS

#rsr #applefix: wait and see for rapid security response update

No Comments

Leave a Reply