RAT Distribution via COVID-19 Manuals
Riding trending topics is a proven strategy for cyber criminals, and COVID-19 is no exception. We have seen many cases of Corona-themed ransomware, COVID-19-themed fake domain registrations every day, disguised live Corona maps and so on, all competing for maximum visibility to achieve a higher infection rate in the hacking sphere.
It has been observed that a file titled “Interim Guidance for CoViD19” is being distributed as an email attachment, targeting many personal inboxes while masquerading as a COVID guidance manual.
The attacker is well aware of the reader's psychology: people will open almost any COVID-related material they come across in order to stay on top of the pandemic.
Once the package is opened, an auto-executable file is launched. It was identified as AsyncRAT, a Remote Administration Tool written in C#, which is able to take control of the victim's machine as soon as it runs.
Upon execution, CMD is launched and it triggers two files, namely:
Timeout.exe
Shost.exe
The RAT is embedded in the file “shost.exe”, which is triggered automatically.
On further analysis of the file, the following suspicious IP address was found, which is believed to be the C&C server:
216.38.8.179
A quick search shows that this IP address has been reported several times for malicious activity since December 2019.
Hence it is no surprise that the actor has shifted interest to this epidemic as a lure for RAT infections. The IP address is registered to Gigenet (direct allocation) and hosted in the United States.
Note that this IP address was found by analysing the submitted sample. Anyone who downloads the RAT and uses it may configure a different C&C server address.
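The chain described above (cmd.exe triggering shost.exe and Timeout.exe, followed by a connection to 216.38.8.179) lends itself to a small triage script. The following is an added example, not code from the original post; the key=value log format and the sample events it reads are constructed assumptions, while the hashes and IP are the IOCs published here.

```python
import hashlib
import re
from pathlib import PureWindowsPath
# Hash and network IOCs exactly as published on this page
IOC_HASHES = {
    "md5": "0726205cfacceb54e0fea5129db94b62",
    "sha1": "1be62a238839eaf8e735eaa34584b9b505638d09",
    "sha256": "d0dba418c8ec2aed73a0ffe0654ae955ef9b7b022e7d6ca16d83f17fffd36017",
}
C2_IP = "216.38.8.179"
DROPPED_FILES = {"shost.exe", "timeout.exe"}   # the two files cmd.exe triggers
SYSTEM32 = PureWindowsPath("C:/Windows/System32")

def match_hash_iocs(data: bytes) -> list[str]:
    """Names of the published hash IOCs that these file bytes match (usually none)."""
    return [alg for alg, h in IOC_HASHES.items()
            if hashlib.new(alg, data).hexdigest() == h]

# Assumed (constructed) log format: "parent=<path> image=<path>" for process creation
# events and "dst=<ip>" for outbound connections; this is not any vendor's real schema.
PROC_RE = re.compile(r"parent=(?P<parent>\S+)\s+image=(?P<image>\S+)")
NET_RE = re.compile(r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})")

def scan_log_line(line: str) -> list[str]:
    findings = []
    m = PROC_RE.search(line)
    if m:
        parent = PureWindowsPath(m.group("parent"))
        image = PureWindowsPath(m.group("image"))
        name = image.name.lower()
        # The genuine timeout.exe lives in System32 and is spawned by cmd.exe in many
        # legitimate batch scripts, so only a copy running from elsewhere is flagged.
        if parent.name.lower() == "cmd.exe" and name in DROPPED_FILES and image.parent != SYSTEM32:
            findings.append(f"cmd.exe spawned {name} from {image.parent}")
    n = NET_RE.search(line)
    if n and n.group("dst") == C2_IP:
        findings.append(f"connection to reported C&C {C2_IP}")
    return findings

def scan_log(lines) -> list[tuple[str, str]]:
    return [(line, f) for line in lines for f in scan_log_line(line)]

# Constructed sample events modelled on the chain described above (not real telemetry)
SAMPLE_LOG = [
    r"2020-03-18T10:01:02 event=process parent=C:\Windows\System32\cmd.exe image=C:\Users\u\AppData\Local\Temp\shost.exe",
    r"2020-03-18T10:01:03 event=process parent=C:\Windows\System32\cmd.exe image=C:\Users\u\AppData\Local\Temp\Timeout.exe",
    r"2020-03-18T10:01:04 event=process parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\timeout.exe",
    r"2020-03-18T10:01:05 event=network image=C:\Users\u\AppData\Local\Temp\shost.exe dst=216.38.8.179",
    r"2020-03-18T10:02:00 event=process parent=C:\Windows\explorer.exe image=C:\Windows\System32\svchost.exe",
]
```

Run `scan_log(SAMPLE_LOG)` to see the three events worth escalating; the legitimate System32 timeout.exe and svchost.exe lines produce nothing.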
Some of the features of AsyncRAT include:
Client screen viewer & recorder
Client Antivirus & Integrity manager
Client SFTP access including upload & download
Client & Server chat window
Client Dynamic DNS & Multi-Server support (Configurable)
Client Password Recovery
Client JIT compiler
Client Keylogger
Client Anti Analysis (Configurable)
Server Controlled updates
Client Antimalware Start-up
Server Config Editor
Server multiport receiver (Configurable)
Server thumbnails
Server binary builder (Configurable)
Server obfuscator (Configurable)
The most disturbing fact is that the file is still available for free download, so anyone can obtain it and send it to anyone. Another disturbing fact is that the hosting site is marked as “safe” by Google Safe Browsing, so malicious apps/forms hosted there evade its screening, which attackers can leverage.
Google Safe Browsing had not flagged the site as of 18th March 2020, as this incident shows.
Though the RAT program is claimed to be designed for educational purposes, past incidents make it evident that it is being abused for malicious purposes.
There is a high chance of people opening the file and getting infected in this epidemic scenario. Once the actor gains access to the system via the RAT, s(he) can access the target's files and even run a ransomware program, ultimately forcing the victim to pay a ransom in Bitcoin or other cryptocurrencies.
FILE DETAILS
Distributing Domain: artistdizayn.com
Link: https://artistdizayn.com/wp-content/onedrive.live.com/onedrive.live.com/google.com.php
Country: Turkey
Hosting Provider: Netinternet Bilisim Teknolojileri AS
IOCS
MD5: 0726205cfacceb54e0fea5129db94b62
SHA1: 1be62a238839eaf8e735eaa34584b9b505638d09
SHA256: d0dba418c8ec2aed73a0ffe0654ae955ef9b7b022e7d6ca16d83f17fffd36017
SSDEEP: 24576:91NchdmzOrX5tS49b0Z7y1o5WXnlB7UME+LrZNI:91NchPXDS4GZ+1plB7UMbLrZNI
IP Address: 216.38.8.179
KEY TAKEAWAYS
> Never open an attachment just because it claims to be a COVID manual; not all of them are legitimate.
> Scan a file/domain with online resources such as VirusTotal before trusting it.
> Rely on authentic sources such as Worldometers to track the Corona pandemic.
> Do not fall for crowdfunding appeals claiming to help Corona/COVID-19 victims.
Care to donate for research purposes?
1E4v8eXjieNhKDWc5Rww84D2TXrqxcjVKZ (only BTC Accepted)