COVID-19 Cyber Security Risks & Remedies

CORONAVIRUS (COVID-19) RELATED TACTICS, TECHNIQUES AND PROCEDURES (TTP) ROUND UP, WEEK OF MARCH 23-29 - 2020

As COVID-19 continues to spread, phishing lures related to the CoronaVirus continue to appear.

Samples of the “Casebaneiro” banking trojan, “HawkEye” and “WSH RAT” were spotted using COVID-19 in phishing lures or in the names of the delivered files.

Below are extra details including Indicators of Compromise (IoC):

  • WSH RAT Distributed Using COVID-19 Lure, Sample Shared on Twitter (2020-Mar-24)
  • Casebaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter (2020-Mar-25)
  • Malicious COVID-19 Titled Document File Drops HawkEye Malware, Sample Shared on Twitter (2020-Mar-24)


MITIGATION AND RECOMMENDATIONS

It is recommended to:

  • Raise awareness amongst all employees, end-users and clients. This is especially important now that most employees work remotely, sometimes in a less secure manner
  • Since all three campaigns start with a phishing email, the following general phishing recommendations apply:
    • Never open suspicious emails. Any “Act Now!”, “Urgent Alert” or similar pressure should be treated with caution; it is a warning sign of a phishing attempt
    • Even if an email does not look suspicious, avoid clicking links in it (or in message boards / mailing lists) and avoid opening attachments
    • Pay attention to the actual destination of links included in emails (hover over a link to see where it really points), not just the displayed text
    • Never submit credentials on embedded forms or on forms you were directed to from an email (or other similar sources)
    • Ensure that anti-virus and other applications (such as the web browser) are updated and have the most recent security patches applied
    • Report anything suspicious for further investigation
  • Block the IoCs listed under each incident on mail, web-proxy, DNS and endpoint controls
  • Prior knowledge is key in raising awareness and preventing successful attacks. It is recommended to apply the Cybrella CTI services in order to proactively detect and respond to any targeted or general phishing attacks which might affect your organization or end-users
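Added example (not code from this report or from any of the researchers cited): a Python script that refangs the IoCs listed in the three incident write-ups below, buckets them by type, flags hex strings whose length is not a valid MD5/SHA-1/SHA-256 digest (a common copy-paste defect in IoC lists), and sweeps a few constructed log lines for them. The one-per-line IoC extract and the DNS, firewall, proxy and EDR log lines are assumptions made for the example, not data from a real environment.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Constructed one-per-line extract of the IoCs in this report, kept in the defanged
# form the report's prose uses ([.] and hxxp). The file layout is an assumption.
REPORT_IOCS = """
192.169.69[.]25
160.154.169[.]216
pluginsrv2.duckdns[.]org
server12.myftp[.]biz
la42[.]site
hxxp://la42[.]site/counta/FYRIFD1CU1YPOZD[.]php
hxxp://la42[.]website/pro2/comprobante_771124[.]zip
53b2fc40ca87f8fbd05b4db524e3aabb1c69f169
hxxp://www.goldenlion[.]sg/blacky2
mail.3enaluminyum[.]com[.]tr
2ec89c76f344fdbef435ed21f06ff108
"""

HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
BUCKETS = ("ip", "domain", "url", "md5", "sha1", "sha256", "unknown")

def refang(value: str) -> str:
    """Undo the usual defanging so the indicator matches what appears in logs."""
    v = value.strip()
    for dot in ("[.]", "(.)", "{.}", "[dot]"):
        v = v.replace(dot, ".")
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)

def classify(ioc: str) -> str:
    """Bucket an already refanged, lower-cased indicator by type."""
    if re.fullmatch(r"[0-9a-f]+", ioc):
        # Hex of a length other than 32/40/64 is usually two digests run together
        # by copy-paste; flag it rather than silently matching nothing.
        return HASH_KINDS.get(len(ioc), "unknown")
    if "://" in ioc:
        return "url"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", ioc):
        return "domain"
    return "unknown"

def load_iocs(text: str) -> Dict[str, Set[str]]:
    """Parse the one-per-line IoC text into per-type sets; '#' lines are comments."""
    buckets: Dict[str, Set[str]] = {b: set() for b in BUCKETS}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value = refang(line).lower()
        kind = classify(value)
        buckets[kind].add(value)
        if kind == "url":
            # DNS and proxy logs often carry only the host, so index it as a domain too.
            host = urlparse(value).hostname
            if host:
                buckets["domain"].add(host)
    return buckets

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

def scan_line(line: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (kind, value) for every listed indicator found in one log line."""
    low = line.lower()
    hits = [("ip", ip) for ip in IP_RE.findall(low) if ip in iocs["ip"]]
    hits += [(HASH_KINDS[len(h)], h) for h in HEX_RE.findall(low)
             if h in iocs[HASH_KINDS[len(h)]]]
    for host in HOST_RE.findall(low):
        # Match the listed host or one of its subdomains, never its parent: duckdns.org and
        # myftp.biz are shared dynamic-DNS providers, so blocking them would hit benign users.
        if any(host == d or host.endswith("." + d) for d in iocs["domain"]):
            hits.append(("domain", host))
    return hits

def scan_logs(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    return [(i, kind, value) for i, line in enumerate(lines)
            for kind, value in scan_line(line, iocs)]

# Constructed sample DNS, firewall, proxy and EDR lines, not taken from any real environment.
SAMPLE_LOGS = [
    "2020-03-25T10:01:02Z dns client=10.0.0.12 query=pluginsrv2.duckdns.org type=A",
    "2020-03-25T10:01:03Z fw src=10.0.0.12 dst=192.169.69.25:8000 action=allow",
    "2020-03-25T10:05:44Z proxy user=jdoe url=http://la42.website/pro2/comprobante_771124.zip status=200",
    "2020-03-25T10:07:10Z edr host=WS-07 file=covid-19.rtf md5=2ec89c76f344fdbef435ed21f06ff108",
    "2020-03-25T10:09:00Z dns client=10.0.0.40 query=update.duckdns.org type=A",
    "2020-03-25T10:11:00Z proxy user=asmith url=https://www.digicert.com/legal-repository/ status=200",
]

if __name__ == "__main__":
    for i, kind, value in scan_logs(SAMPLE_LOGS, load_iocs(REPORT_IOCS)):
        print(f"line {i}: {kind} {value}")
```

Running it reports the first four sample lines and stays silent on the last two: the benign query to the dynamic-DNS provider's own domain is not a hit because matching is exact-or-subdomain only, and the DigiCert URL is one of the certificate-repository strings the Casebaneiro sandbox run extracted from the binary, which is deliberately not in the list.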

WSH RAT DISTRIBUTED USING COVID-19 LURE, SAMPLE SHARED ON TWITTER (2020-MAR-24)

Malware: WSH RAT
User: @JAMESWT_MHT (JAMESWT) on Twitter

On March 24th, @JAMESWT_MHT shared an instance of WSH RAT delivered via a coronavirus-themed lure. The payload is retrieved from a Google Drive link that hosts a JavaScript file. Once the script executes on a host, the RAT uses 192.169.69[.]25 on port 8000 as its C2, steals sensitive information and establishes persistence. Both listed domains are hosted on dynamic-DNS providers (duckdns.org and myftp.biz), so block the full hostnames rather than the provider domains.

Twitter threat researcher @malwarehunterteam also observed IP address 160.154.169[.]216 on port 1625 being used as a second C2 server.
Original post: https://twitter.com/JAMESWT_MHT/status/1242469957478289413

INDICATORS OF COMPROMISE:

IPs:

  • 192.169.69.25
  • 160.154.169.216

URLs:

  • http://pluginsrv2.duckdns.org
  • http://server12.myftp.biz

Domains:

  • server12.myftp.biz
  • pluginsrv2.duckdns.org


CASEBANEIRO BANKING TROJAN VARIANT DISTRIBUTED VIA COVID-19 LURE, SHARED ON TWITTER (2020-MAR-25)

Malware: Casebaneiro (also spelled Casbaneiro; a.k.a. Metamorfo), Banload
User:

  • @CyberCapta1n (Cyber Captain) on Twitter
  • @James_inthe_box (James) on Twitter

Twitter user @CyberCapta1n shared an analysis of a malicious installer hosted on masry-corona[.]com, a domain name that plays on COVID-19 to attract clicks. Sandbox analysis shows that it enumerates and terminates antivirus processes via Windows Management Instrumentation (WMI) and uses the RDTSC instruction, a timing check that reveals debuggers and sandboxes, to evade analysis. It also has keylogging capabilities; its C2 server was found at hxxp://la42[.]site/counta/FYRIFD1CU1YPOZD[.]php.

The malware also modifies the “Tool Tips” setting of Windows Explorer. It downloads a zip file from la42[.]website using a downloader that Twitter user @James_inthe_box identified as Banload. Sandbox analysis shows that the downloaded zip is also malicious and connects to hxxp://www.indyproject[.]org/. That URL has no detections on VirusTotal but was found in malware assembly code three years ago (in our sources it has been linked to banking malware activity since 2016). Note that indyproject.org is the home of the Indy networking library for Delphi, and Brazilian banking trojans such as Casebaneiro are commonly written in Delphi, so the URL is more likely a library string embedded in the binary than attacker infrastructure; treat it as a correlation hint rather than a block-list entry. Metamorfo, also known as the Casebaneiro banking trojan, was detected by one engine on VirusTotal.

Original post: https://twitter.com/CyberCapta1n/status/1242865927185674245


INDICATORS OF COMPROMISE:

Domains:

  • masry-corona.com
  • la42.website
  • la42.site

IPs:

  • 134.0.10.213
  • 185.66.41.119

Hashes:

  • c56b5f0201a3b3de53e561fe76912bfd (MD5)
  • 285d117eaea196584e7fc1b908ba04a7 (MD5)
  • 9590ceabd41bb4b68f54c832fc618746dbc4fa7b53029aa1cfa4819a7e56ecdc (SHA-256)
  • 7906a511642762cbfd0019e76e683e31cab2291a76c088ebba1f38eae033bf6b (SHA-256)
  • 92ece5cf6a1a9c92a93c8764a1d8cac21b619ebd7f6d22e21caefaf82e119184 (SHA-256)
  • 53b2fc40ca87f8fbd05b4db524e3aabb1c69f169 (SHA-1)
  • 8ed44388a6cda626c3db0690dc914221b4c1d0a4f5f7ac1e4976939d0315c088 (SHA-256)
  • 72a1651279aee602b1c2009b460f9476ad85942ae7c70d0e55c9c3198e736579 (SHA-256)
  • e17192ffcd5f7ba40dfbff4d94ef5730b0732396 (SHA-1)
  • 091fe81f5e69f27256966e17dff427b164bb0bed (SHA-1)
  • 689fca624befa2dbf7fb003858686e70 (MD5)
  • 5d413bf1c985529c38399323a7c2698371319332241b4e9bf55a47b51857aca8 (SHA-256)

URLs:

  • http://la42.site/counta/FYRIFD1CU1YPOZD.php
  • http://la42.website/pro2/comprobante_771124.zip
  • http://la42.website/
  • https://www.indyproject.org/
  • https://www.thawte.com/repository
  • https://www.digicert.com/legal-repository/
  • http://www.autoitscript.com/autoit3/
  • https://www.autoitscript.com/site/autoit/
  • https://www.advancedinstaller.com/index.html

Note: only the la42[.]site and la42[.]website URLs are attacker infrastructure. The Thawte, DigiCert, AutoIt and Advanced Installer URLs are strings carried inside the sample (code-signing certificate repositories and the installer / scripting tooling the dropper was built with), and indyproject.org is the homepage of a Delphi networking library. They are listed for correlation with sandbox output and should not be added to a block list.


MALICIOUS COVID-19 TITLES DOCUMENT FILE DROPS HAWKEYE MALWARE, SAMPLE SHARED ON TWITTER (2020-MAR-24)

Malware: HawkEye
User: @w3ndige
Twitter user @w3ndige shared a malicious document named “covid-19.rtf”, a lure chosen to trick users into opening it.

Once the file is opened, a script runs and downloads the payload from hxxp://goldenlion[.]sg/blacky2/.

Analysis of the payload identifies it as HawkEye, a keylogger and information stealer that can read passwords stored in web browsers. It uses mail.3enaluminyum[.]com.tr as its C2; the mail. hostname suggests exfiltration over SMTP, which is HawkEye's usual channel.
Original post:

INDICATORS OF COMPROMISE:

IPs:

  • 103.7.8.223

Domains:

  • mail.3enaluminyum.com.tr

Hashes:

  • 2ec89c76f344fdbef435ed21f06ff108
  • 151e2483ccc726b185c2e11a53521c35

URLs:

  • http://www.goldenlion.sg/blacky2

Matrix-IFS provides consulting services for all aspects of modern cyber security requirements: Risk Management, Fraud & AML, Cloud Security, Technology, etc.


Matrix-IFS’ Cyber Threat Intelligence Services:

• Monthly Intelligence Reports
• Weekly Intelligence Reports
• Daily Intelligence Alerts
• TVA (Threat Vulnerabilities Analysis) Services
• Targeted Intelligence Articles
• VIP Data Protection
• Cyber Threat Expert on Demand
