Hackers are weaponizing the COVID-2019 coronavirus disease, trying to trick people into downloading malware so attackers can steal valuable information from victims’ computers.
Malware deployed through infected emails and files is nothing new. Still, hackers need a hook to capture the attention of potential victims, and what better way than to profit from the pandemic to persuade users to open infected files?
Security researchers observed the spread of a file named “CoronaVirusSafetyMeasures_pdf,” most likely distributed as an email attachment. Despite the name, it is not a PDF but a remote access trojan (RAT) dropper that acts as a keylogger, registering all key presses.
As normally happens with this kind of malware, the attachment is rarely the endgame for the attacker, not least because hackers don’t want to trigger endpoint protection. In this particular case, the file is a dropper, which means it is just one step towards the goal.
Opening the attachment starts the download of an encrypted binary, which in turn downloads two files, “filename1.vbs” and “filename1.exe.” It writes into the Windows registry to ensure it survives a reboot. At this point, it likely acts as a keylogger, registering users’ key presses and storing them in a file. The data gathered by the malware is sent to a command and control (C&C) server at the address 66.154.98.108, a US hosting provider that’s been around since 2012.
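The infection chain described above (lure attachment, dropped files, registry persistence, C&C contact) maps directly onto a small set of detections. The following Python script is an added example, not code from the original article or from the researchers it cites: it matches constructed, key=value style log lines (a mail gateway entry, Sysmon-style file and registry events, a proxy entry) against the indicators the article names. The Run-key location and the "_pdf.exe"-style fake-PDF heuristic are assumptions, since the article only says the dropper "writes into the Windows registry" and names the single lure file.

```python
import re

# Indicators quoted in the article above
C2_ADDRESS = "66.154.98.108"
LURE_ATTACHMENT = "CoronaVirusSafetyMeasures_pdf"
DROPPED_FILES = ("filename1.vbs", "filename1.exe")

# Assumption: the article only says the dropper writes to the registry to
# survive a reboot; a CurrentVersion\Run value is the usual place, so this
# pattern is a hypothesis rather than a quoted indicator.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

# Heuristic (assumption): a name such as "Something_pdf.exe" mimics a PDF
# while carrying an executable or script extension.
FAKE_PDF_RE = re.compile(r"_pdf\.(exe|scr|vbs|js|com)$", re.IGNORECASE)

KEY_VALUE_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log lines (not taken from the article)
SAMPLE_LOGS = [
    r"2020-03-02 09:14:01 mail attachment=CoronaVirusSafetyMeasures_pdf.exe sender=unknown@example.invalid",
    r"2020-03-02 09:14:30 sysmon event=FileCreate image=C:\Windows\System32\wscript.exe target=C:\Users\alice\AppData\Local\Temp\filename1.vbs",
    r"2020-03-02 09:14:31 sysmon event=FileCreate image=C:\Windows\System32\wscript.exe target=C:\Users\alice\AppData\Local\Temp\filename1.exe",
    r"2020-03-02 09:14:35 sysmon event=RegistryValueSet target=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\filename1 details=C:\Users\alice\AppData\Local\Temp\filename1.exe",
    r"2020-03-02 09:15:10 proxy dst=66.154.98.108 dport=443 method=POST bytes=2048",
    r"2020-03-02 09:16:00 proxy dst=198.51.100.7 dport=443 method=GET bytes=512",
]


def parse_line(line):
    """Split a key=value style log line into a dict; timestamp and source are ignored."""
    return dict(KEY_VALUE_RE.findall(line))


def match_indicators(line):
    """Return the list of indicator tags that a single log line triggers."""
    fields = parse_line(line)
    tags = []
    attachment = fields.get("attachment", "")
    if attachment.startswith(LURE_ATTACHMENT) or FAKE_PDF_RE.search(attachment):
        tags.append("lure-attachment")
    target = fields.get("target", "")
    if any(target.lower().endswith(name) for name in DROPPED_FILES):
        tags.append("dropped-file")
    if RUN_KEY_RE.search(target):
        tags.append("registry-persistence")
    if fields.get("dst") == C2_ADDRESS:
        tags.append("c2-contact")
    return tags


def scan(lines):
    """Map each line index to its tags, skipping lines that trigger nothing."""
    hits = {}
    for index, line in enumerate(lines):
        tags = match_indicators(line)
        if tags:
            hits[index] = tags
    return hits


def infection_stage(lines):
    """Furthest stage of the chain seen in the logs: lure < drop < persist < C&C."""
    order = ["lure-attachment", "dropped-file", "registry-persistence", "c2-contact"]
    seen = {tag for tags in scan(lines).values() for tag in tags}
    stage = None
    for tag in order:
        if tag in seen:
            stage = tag
    return stage


if __name__ == "__main__":
    for index, tags in scan(SAMPLE_LOGS).items():
        print(f"line {index}: {', '.join(tags)}")
    print("furthest stage observed:", infection_stage(SAMPLE_LOGS))
```

The C&C address and dropped-file names are the only hard indicators; the fake-PDF heuristic and the Run-key check are the parts worth keeping once this particular campaign's infrastructure has rotated, because they describe the technique rather than one sample.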
Exploiting newsworthy topics like the coronavirus scare is a common method of spreading malware, because people are more likely to open an email or attachment from an unknown source when it refers to the news. Using a security solution is recommended, but it’s also advisable not to open emails from unknown senders, especially if they seem to have anything to do with the coronavirus epidemic.