skip to Main Content

Cybercrime use Coronavirus to spread a customized version of Remcos

Yoroi-ZLab: Cybercrime is exploiting the Coronavirus infodemic to launch a new cyber attacks campaign to spread a customized version of Remcos

Cybercrime is exploiting the Coronavirus as a lure to launch a cyber massive cyber attack campaign with a customized built of Remcos malware. According to Yoroi-ZLab cyber security experts, threat actors are using fear and panic caused by the spread of the COVID-19 to deliver their malicious artifacts and increase the number of infected victims, making it look like a “Coronavirus countermeasures” document. Kaspersky and IBM X-Force have recently discovered an Emotet campaign delivered on Corona Virus trend. In this case, based on the analysis of the shared IoC, all the identified samples are not new and were reused with some small changes. Then delivered in China regions spread via a malicious decoy document, emphasizing the opportunistic nature of these attacks. But, during “our Threat Intelligence activities we noticed a suspicions artifact named ‘CoronaVirusSafetyMeasures_pdf’. So, we decided to deep dive into it”.

The cyber security experts: How the malware infection works

The cyber security experts revealed that the sample analyzed established a TLS protected connection to a file sharing platform named “share.]dmca.]gripe”. This possibly to avoid reputation warnings raised by next-gen firewalls. The file downloaded is a chunk of 125KB random looking bytes, suggesting it would likely be some binary payload protected with strong encryption. Meanwhile, the malware writes two artifacts in the “C:\Users\<username>\Subfolder” system directory: filename1.vbs and filename1.exe. The content of the VBScript is the launching point to run executable file. Then, the cybercrime malicious code stores sensitive information gathered from the monitoring of user keypress in a file named “logs.dat”, placed in the  “%AppData%\Local\Temp\onedriv” directory. Intercepting the Coronavirus malware process communications, Yoroi-ZLab noticed the usage “|cmd|” delimiter, a typical pattern confirming the final payload is a customized built of Remcos.

Back To Top