
Attack Campaign Leveraged Coronavirus Theme to Deliver Remcos RAT


Security researchers discovered an attack campaign that abused fears surrounding the global coronavirus outbreak to deliver the Remcos RAT.

Yoroi Security detected the attack campaign when its threat intelligence activities uncovered a suspicious artifact named “CoronaVirusSafetyMeasures_pdf.”

In their analysis, Yoroi’s researchers determined that the file established a TLS connection with the file sharing platform “share.]dmca.]gripe”, potentially in a bid to evade detection by next-gen firewalls.

The attack leveraged this connection to download a file that wrote two additional files named “filename1.vbs” and “filename1.exe” to the “C:\Users\<username>\Subfolder” system directory. The VBS script served as a launchpad for the executable, which established persistence by setting up a registry key.

The malware attack chain (Source: Yoroi Security)

The campaign then proceeded with its malicious activity, as described by Yoroi in its research:

Then, the malicious code stores sensitive information gathered from the monitoring of user keypresses in a file named “logs.dat”, placed in the “%AppData%\Local\Temp\onedriv” directory, which differs from the default Remcos working directory.

Finally, all the loot is sent to the remote command and control hosted at 66.154.98.108, operated by “Total server solutions LLC”, a US hosting provider operating since 2012.

Researchers at Yoroi analyzed this network communication and found a “|cmd|” delimiter. This discovery led them to conclude that the attack campaign’s final payload was a customized build of Remcos.
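The indicators in the paragraphs above (the staging domain, the two dropped files, the “onedriv” keylog store, the C2 address and the “|cmd|” delimiter) can be turned into endpoint detection logic. The following is an added example, not code from Yoroi or from the article; the event schema and the sample telemetry it runs against are constructed for illustration.

```python
import re
from typing import List

# Indicator values as reported in the article; the domain is written defanged there.
C2_IP = "66.154.98.108"
STAGING_DOMAIN = "share.dmca.gripe"
DROPPED_FILES = {"filename1.vbs", "filename1.exe"}
KEYLOG_PATH = re.compile(r"\\onedriv\\logs\.dat$", re.IGNORECASE)
C2_DELIMITER = b"|cmd|"

def match_event(ev: dict) -> List[str]:
    """Return the names of every campaign indicator this single event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "file_write":
        name = ev["path"].rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILES:
            hits.append("remcos_dropper_file")
        if KEYLOG_PATH.search(ev["path"]):
            hits.append("remcos_keylog_store")
    elif kind == "process":
        # The VBS script is the launchpad for the executable, so a script host
        # running filename1.vbs is the process-level signal worth flagging.
        if "filename1.vbs" in ev["cmdline"].lower():
            hits.append("remcos_vbs_launchpad")
    elif kind == "dns" and ev["query"].lower() == STAGING_DOMAIN:
        hits.append("remcos_staging_domain")
    elif kind == "net":
        if ev["dst_ip"] == C2_IP:
            hits.append("remcos_c2_ip")
        if C2_DELIMITER in ev.get("payload", b""):
            hits.append("remcos_cmd_delimiter")
    return hits

def scan(events: List[dict]) -> dict:
    """Map the index of each matching event to the indicators it triggered."""
    return {i: h for i, e in enumerate(events) if (h := match_event(e))}

# Constructed sample telemetry (hypothetical host "alice"), not real capture data.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "share.dmca.gripe"},
    {"type": "file_write", "path": r"C:\Users\alice\Subfolder\filename1.vbs"},
    {"type": "file_write", "path": r"C:\Users\alice\Subfolder\filename1.exe"},
    {"type": "process", "cmdline": r'wscript.exe "C:\Users\alice\Subfolder\filename1.vbs"'},
    {"type": "file_write", "path": r"C:\Users\alice\AppData\Local\Temp\onedriv\logs.dat"},
    {"type": "net", "dst_ip": "66.154.98.108", "payload": b"host|cmd|keylog-chunk"},
    {"type": "file_write", "path": r"C:\Users\alice\Documents\report.docx"},
    {"type": "net", "dst_ip": "203.0.113.10", "payload": b"GET / HTTP/1.1"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first six events and leaves the two benign ones untouched; in production the indicator values would be fed from threat intelligence rather than hard-coded.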

After discovering the RAT family back in February 2017, Fortinet spotted a phishing campaign using several new spam samples of Remcos in October 2019.

This isn’t the only instance in which digital attackers have abused the coronavirus as a theme for their attacks. In early 2020, IBM X-Force spotted a campaign that tricked Japanese users with fake warnings of new coronavirus cases in their area into enabling macros within a weaponized Microsoft Word document. Upon (Read more…)
