As the coronavirus blows up into a worldwide pandemic, threat actors continue to exploit the disease to spread malware. Just this week, cybersecurity professionals identified a bevy of new threats ranging from coronavirus-themed malware attacks to booby-trapped URLs and credential stuffing scams.
On Tuesday, researchers reported two malware campaigns connected to the coronavirus: one that uses a phishing email to spread Remcos RAT and malware payloads, and another that uses a Microsoft Office document to drop a backdoor onto a victim’s computer.
One campaign is in the form of a phishing email with a PDF offering coronavirus safety measures, according to research from ZLab-Yoroi Cybaze. Instead, the PDF, named “CoronaVirusSafetyMeasures_pdf,” includes executables for a Remcos RAT dropper that runs together with a VBS file executing the malware, researchers said.
The sample analyzed by researchers showed unique sophistication in its ability to avoid detection by typical firewall protections, ZLab-Yoroi Cybaze researchers observed in a post on the threat.
“It established a TLS protected connection to a file sharing platform named ‘share.]dmca.]gripe,’ possibly to avoid reputation warnings raised by next-gen firewalls,” researchers wrote in the post.
Victims are instructed to download the document from the “censorship-free” file-sharing service, which then installs two executable files in the “C:\Users\<username>\Subfolder” system directory on a victim’s computer. A VBScript then becomes the launching point to run the executables, researchers said.
Spread of Coronavirus-Themed Cyberattacks Persists with New Attacks
In cybersecurity circles, the Coronavirus is spurring anxiety over the virtual abuse of the deadly disease by scammers.
threatpost.com
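A hunting sketch for the behaviour described above, added here as an example and not taken from the researchers' post or the article: it flags process-creation events where an executable runs from `C:\Users\<username>\Subfolder`, notes when the parent is a VBScript host, and matches the lure file name. The event fields, host names, user names and `.exe` names are constructed placeholders.

```python
import re
from typing import NamedTuple

class ProcEvent(NamedTuple):
    """Minimal process-creation record (field names are assumptions)."""
    host: str
    parent_image: str
    image: str
    command_line: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows VBScript hosts
# Executable sitting directly in C:\Users\<username>\Subfolder (path from the article).
DROP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\subfolder\\[^\\]+\.exe$", re.I)
LURE_NAME = "coronavirussafetymeasures_pdf"  # lure name from the article

def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def reasons_for(ev: ProcEvent) -> list[str]:
    """Return the indicators an event matches (empty list = not flagged)."""
    reasons = []
    if DROP_DIR.match(ev.image.strip('"')):
        reasons.append("exe-in-user-Subfolder")
        if basename(ev.parent_image) in SCRIPT_HOSTS:
            reasons.append("launched-by-script-host")
    if LURE_NAME in (ev.image + " " + ev.command_line).lower():
        reasons.append("lure-filename")
    return reasons

def hunt(events):
    """Return (host, image, reasons) for every flagged event."""
    return [(e.host, e.image, r) for e in events if (r := reasons_for(e))]

# Constructed sample events; hosts, users and .exe names are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\System32\wscript.exe",
              r"C:\Users\alice\Subfolder\placeholder_a.exe", "placeholder_a.exe"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe",
              r"C:\Users\bob\Downloads\CoronaVirusSafetyMeasures_pdf.exe", ""),
    ProcEvent("ws03", r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c logon.bat"),
    ProcEvent("ws04", r"C:\WINDOWS\system32\CSCRIPT.EXE",
              r"c:\users\carol\subfolder\placeholder_b.exe", ""),
]

if __name__ == "__main__":
    for host, image, why in hunt(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(why)}")
```

The third sample event, a script host starting `cmd.exe` from `System32`, is left unflagged so that ordinary logon scripts do not raise alerts.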