Security researchers discovered an attack campaign that abused fears surrounding the global coronavirus outbreak to deliver the Remcos RAT.

Yoroi Security detected the attack campaign when its threat intelligence activities uncovered a suspicious artifact named “CoronaVirusSafetyMeasures_pdf.”

In their analysis, Yoroi’s researchers determined that the file established a TLS connection with file sharing platform “share.]dmca.]gripe” potentially in a bid to evade detection by next-fen firewalls.

The attack leveraged this connection to download a file that wrote two additional files named “filename1.vbs” and “filename1.exe” to the “C:Users<username>Subfolder” system directory. The VBS script served as a launchpad for the executable, which established persistence by setting up a registry key.

The malware attack chain (Source: Yoroi Security)

The campaign then proceeded with its malicious activity, as described by Yoroi in its research:

Then, the malicious code stores sensitive information gathered from the monitoring of user keypress in a file named “logs.dat”, placed in the “%AppData%LocalTemponedriv” directory. Different from the default Remcos working directory.

Finally, all the loot is sent to the remote command and control hosted at 66.154.98.108, operated by “Total server solutions LLC”, an US hosting provider operating since 2012.

Researchers at Yoroi analyzed this network communication and found a “|cmd|” delimiter. This discovery them to conclude that the attack campaign’s final payload was a customized build of Remcos.

After discovering the RAT family back in February 2017, Fortinet spotted a phishing campaign using several new spam samples of Remcos in October 2019.

This isn’t the only instance in which digital attackers have abused the coronavirus as a theme for their attacks. In early 2020, IBM X-Force spotted a campaign that tricked Japanese users with fake warnings of new coronavirus cases in their area into enabling macros within a weaponized Microsoft Word document. Upon (Read more...)