Threat actors are still taking advantage of the ongoing COVID-19 global outbreak by attempting to drop Remcos RAT and malware payloads on their targets’ computers via malicious files that promise to provide Coronavirus safety measures.

Cybaze/Yoroi ZLab researchers recently spotted a suspicious CoronaVirusSafetyMeasures_pdf.exe executable after it was submitted to their free Yomi Hunter sandbox-based file analysis service.

While the infection vector used by the attackers is not yet known, the most probable method of dissemination is a phishing campaign that would deliver it as an email attachment.


RAT used to steal keystrokes

As the Cybaze/Yoroi ZLab research team later discovered, the executable is an obfuscated Remcos RAT dropper that writes a Remcos RAT executable to the compromised computer, together with a VBS file designed to launch the RAT.

The malware also gains persistence on the infected device by adding a Startup registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, which relaunches it after the computer is restarted.

After setting up everything it needs for its malicious purposes, the RAT begins logging the user’s keystrokes and stores them in a log.dat file in the %AppData%\Local\Temp\onedriv folder.

Attack chain (Yoroi)

The stolen information is then exfiltrated to its command and control server hosted at 66[.]154.98.108.
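The three host-side indicators the report gives (the RunOnce persistence key, the log.dat keystroke file under the onedriv folder, and the command and control address) are enough to build a simple telemetry check. The script below is an added example, not code from Yoroi or from the original article: it reads a constructed, Sysmon-like stream of JSON events and flags the ones matching those indicators. The event field names, the value name under RunOnce, the run.vbs file name, and every process name other than CoronaVirusSafetyMeasures_pdf.exe are assumptions made for illustration.

```python
"""Flag host telemetry events that match the indicators reported for the
Remcos RAT dropper: RunOnce persistence, the log.dat keystroke file, and
the C2 address. The event format is a constructed, Sysmon-like JSON shape
(one object per line), not any real product's schema."""
import json
import re
from typing import Iterable, List, Optional, Tuple

# Indicators as given in the report; the defanged IP is re-joined for matching.
RUNONCE_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
KEYLOG_PATH_RE = re.compile(r"\\Temp\\onedriv\\log\.dat$", re.IGNORECASE)
C2_ADDRESS = "66.154.98.108"


def classify_event(event: dict) -> Optional[str]:
    """Return a short finding label if the event matches an indicator, else None."""
    kind = event.get("type")
    if kind == "registry_set":
        # Any write under the RunOnce autostart key: the persistence step.
        if event.get("key", "").lower().startswith(RUNONCE_KEY.lower()):
            return "persistence:RunOnce"
    elif kind == "file_create":
        # Keystroke log written to ...\Temp\onedriv\log.dat.
        if KEYLOG_PATH_RE.search(event.get("path", "")):
            return "keylogger:log.dat"
    elif kind == "network_connect":
        # Outbound connection to the reported C2 address.
        if event.get("dst_ip") == C2_ADDRESS:
            return "c2:" + C2_ADDRESS
    return None


def scan_events(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse JSON lines and return (process, finding) pairs for matching events."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip it rather than abort the scan
        label = classify_event(event)
        if label:
            findings.append((event.get("process", "?"), label))
    return findings


# Constructed sample telemetry. Raw string so the JSON keeps its escaped backslashes.
# "dropped.exe", "run.vbs", the "onedriv" value name and the benign events are made up.
SAMPLE_EVENTS = r"""
{"type":"registry_set","process":"CoronaVirusSafetyMeasures_pdf.exe","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\onedriv","value":"wscript.exe C:\\Users\\user\\AppData\\Local\\Temp\\onedriv\\run.vbs"}
{"type":"registry_set","process":"explorer.exe","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced","value":"1"}
{"type":"file_create","process":"dropped.exe","path":"C:\\Users\\user\\AppData\\Local\\Temp\\onedriv\\log.dat"}
{"type":"network_connect","process":"browser.exe","dst_ip":"192.0.2.10"}
{"type":"network_connect","process":"dropped.exe","dst_ip":"66.154.98.108"}
this line is not JSON and must be skipped
"""

if __name__ == "__main__":
    for process, finding in scan_events(SAMPLE_EVENTS.splitlines()):
        print(f"{process}: {finding}")
```

The three matches in the sample are returned in event order, while the two benign events and the malformed line produce nothing. In practice the RunOnce check is the most durable of the three: the C2 address and file path can change between samples, but a RunOnce value that points at a script under a Temp subfolder is worth alerting on regardless of the campaign.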

Last year, attackers also took advantage of the United States tax season to install the Remcos RAT via a phishing campaign that targeted accounting firms to steal information from all the taxpayers the tax preparer had as clients.

COVID-19: a popular phishing bait

Earlier this month, IBM X-Force Threat Intelligence researchers discovered another phishing campaign distributing the Lokibot information stealer malware via emails designed to look like they’re sent by the Ministry of Health of the People’s Republic of China and containing emergency Coronavirus regulations in English.

“Inspired by Emotet and the significant increase of the Coronavirus infection rates, Lokibot operators saw an opportunity to expand its botnet and join the current trend of scare tactics,” the researchers explain.

The Emotet mention refers to a previous campaign from late January that was also observed distributing Emotet payloads while warning of Coronavirus infection reports in various Japanese prefectures.

Roughly a week ago, security research collective MalwareHunterTeam found a 3-page Coronavirus-themed Microsoft Office document containing malicious macros, pretending to be from the Center for Public Health of the Ministry of Health of Ukraine, and designed to drop a backdoor malware with clipboard stealing, keylogging, and screenshot capabilities.

Malicious document

This malware was spotted right after the media reported violent protests starting in Kyiv, Ukraine, following a viral fake email from the country’s Ministry of Health that spread false information about confirmed COVID-19 infections after the landing of a plane carrying Ukrainians evacuated from China’s Hubei province.

MalwareHunterTeam also shared several other malware samples with Coronavirus references including a Remote Access Trojan (RAT), a Trojan, a stealer/keylogger, and a wiper.

Other phishing campaigns using Coronavirus lures have targeted U.S. and UK users while impersonating U.S. Centers for Disease Control and Prevention (CDC) officials and virologists, alerting potential victims to infections in their area and offering ‘safety measures.’

A report published by Imperva researchers also highlights how “high levels of concern around the Coronavirus are currently being used to increase the online popularity of spam campaigns designed to spread fake news and drive unsuspecting users to dubious online drug stores.”

The U.S. Federal Trade Commission (FTC) warned of ongoing scam campaigns that use the current global Coronavirus health crisis to lure targets in the United States via email and text message phishing, as well as on social media.

Last but not least, about a week ago, the World Health Organization (WHO) also warned of active Coronavirus-themed phishing attacks that impersonate the organization with the end goal of delivering malware and stealing sensitive information.