Hackers are weaponizing the COVID-19 coronavirus disease, trying to trick people into downloading malware so attackers can steal valuable information from victims’ computers.
Malware deployed through infected emails and files is nothing new. Still, hackers need a hook to capture the attention of potential victims, and what better way than to profit from the pandemic to persuade users to open infected files?
Security researchers observed the spread of a file named “CoronaVirusSafetyMeasures_pdf,” most likely distributed as an email attachment, which is actually a dropper for a remote access trojan (RAT) that acts as a keylogger, recording every key press.
As normally happens with this kind of malware, the attachment is rarely the endgame for the attacker, not to mention that hackers don’t want to trigger endpoint protection. In this particular case, it’s actually a dropper, which means that the file is just one step towards the goal.
Opening the attachment starts the download of an encrypted binary, which in turn downloads two files, “filename1.vbs” and “filename1.exe.” The malware writes to the Windows registry so that it survives a reboot. At this point it likely acts as a keylogger, recording the user’s key presses and storing them in a file. The data gathered is sent to a command and control (C&C) server at the address 126.96.36.199, hosted by a US hosting provider that has been around since 2012.
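The infection chain above leaves two observable traces on the endpoint: a registry autostart entry pointing at a dropped script or executable, and an outbound connection to the reported C&C address. The following is an added triage example, not code from the article or from the researchers it cites. It scans a few constructed, Sysmon-style telemetry lines (the field names, hostnames, paths and the second, benign host are all assumptions made for this example; only the C&C address 126.96.36.199 comes from the article) and reports hosts that show both behaviours.

```python
"""
Added example (not from the article): triage of constructed endpoint
telemetry for Run-key persistence and a connection to the reported C&C.
"""
import re
from collections import defaultdict

# The C&C address named in the article. Everything else below is constructed.
KNOWN_C2 = {"126.96.36.199"}

# Autostart locations commonly abused for reboot persistence (prefix match,
# so the matching RunOnce keys are covered as well).
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Constructed sample telemetry. Assumed layout: "EventType key=value key=value ...".
# WS01 mimics the chain described in the article; WS02 is a benign installer.
SAMPLE_EVENTS = [
    'FileCreate host=WS01 image=C:\\Users\\bob\\CoronaVirusSafetyMeasures_pdf.exe target=C:\\Users\\bob\\AppData\\Roaming\\filename1.vbs',
    'FileCreate host=WS01 image=C:\\Users\\bob\\CoronaVirusSafetyMeasures_pdf.exe target=C:\\Users\\bob\\AppData\\Roaming\\filename1.exe',
    'RegistrySet host=WS01 image=C:\\Users\\bob\\AppData\\Roaming\\filename1.exe key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater value=wscript.exe C:\\Users\\bob\\AppData\\Roaming\\filename1.vbs',
    'NetworkConnect host=WS01 image=C:\\Users\\bob\\AppData\\Roaming\\filename1.exe dst=126.96.36.199 dport=443',
    'RegistrySet host=WS02 image=C:\\Program Files\\Vendor\\setup.exe key=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent value="C:\\Program Files\\Vendor\\agent.exe"',
    'NetworkConnect host=WS02 image=C:\\Program Files\\Vendor\\agent.exe dst=203.0.113.10 dport=443',
]


def parse_event(line):
    """Split one telemetry line into a dict; values may contain spaces."""
    event_type, _, rest = line.partition(" ")
    fields = {"type": event_type}
    # Split only on whitespace that is followed by the next "key=" token.
    for token in re.split(r"\s+(?=\w+=)", rest):
        key, _, val = token.partition("=")
        fields[key] = val.strip('"')
    return fields


def is_suspicious_autostart(ev):
    """Run-key value that launches a script host, a .vbs file, or something
    living in a user-writable directory (where droppers typically write)."""
    if ev.get("type") != "RegistrySet":
        return False
    key = ev.get("key", "").lower()
    if not any(key.startswith(rk.lower()) for rk in RUN_KEYS):
        return False
    val = ev.get("value", "").lower()
    return (
        any(val.startswith(h) for h in SCRIPT_HOSTS)
        or any(d in val for d in USER_WRITABLE)
        or val.endswith(".vbs")
    )


def is_c2_connection(ev, iocs=KNOWN_C2):
    """Outbound connection to a destination on the indicator list."""
    return ev.get("type") == "NetworkConnect" and ev.get("dst") in iocs


def triage(lines, iocs=KNOWN_C2):
    """Group findings per host; a host with both persistence and a C&C
    connection is marked confirmed, a single finding is left for review."""
    per_host = defaultdict(list)
    for ev in map(parse_event, lines):
        host = ev.get("host", "?")
        if is_suspicious_autostart(ev):
            per_host[host].append(("persistence", ev.get("image"), ev.get("key")))
        elif is_c2_connection(ev, iocs):
            per_host[host].append(("c2", ev.get("image"), ev.get("dst")))
    report = {}
    for host, findings in per_host.items():
        kinds = {kind for kind, _, _ in findings}
        report[host] = {"findings": findings, "confirmed": {"persistence", "c2"} <= kinds}
    return report


if __name__ == "__main__":
    for host, entry in triage(SAMPLE_EVENTS).items():
        status = "CONFIRMED" if entry["confirmed"] else "review"
        print(f"{host}: {status}")
        for kind, image, detail in entry["findings"]:
            print(f"  {kind:12} {image} -> {detail}")
```

On the sample data only WS01 is reported, and it is marked confirmed because the same dropped executable both created the Run-key entry and contacted the C&C address; the vendor installer on WS02 writes a Run key too, but to a program directory and without a script host, so it is not flagged. In production the indicator set would come from threat intelligence rather than a hard-coded constant, and the Run-key heuristic should be tuned against a baseline of legitimate software on the estate.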
Exploiting newsworthy topics like the coronavirus scare is a common way of spreading malware, because people are more likely to open an email or attachment from an unknown source. Using a security solution is recommended, but it is also advisable not to open emails from unknown senders, especially if they seem to have anything to do with the coronavirus epidemic.