
Rewterz Threat Alert – InfoStealers Weaponizing COVID-19

Severity

Medium

Analysis Summary

Cybercriminals are theming their malspam campaigns around the current global pandemic. Researchers have published a report indicating that the majority of coronavirus- and COVID-19-themed malspam delivers information-stealing malware. The payloads delivered changed over time and by region, but the most common category the detected malware fell into was infostealers. The researchers also found that weekdays are the most active period for these campaigns, which are frequently launched on a Monday. Lokibot was the most common and persistent payload overall, whereas in the North American region the payloads tended to be more diverse, with a more even spread of various infostealers. The malware seen in the various campaigns included, but is not limited to, Agent Tesla, the 404 Keylogger, Hawkeye, Lokibot, and TrickBot.

Impact

  • Information theft
  • Exposure of sensitive data

Indicators of Compromise

Email Subject

  • COVID-19 VACCINE UPDATE
  • The measures BOBST has taken regarding the Coronavirus expansion
  • AWARENESS NOTICE ON CORONAVIRUS(COVID-19)
  • COVID-19[:] Copy of Transfer Receipt From Our Bank
  • UPDATE [:] BUSINESS CONTINUITY PLAN ANNOUNCEMENT 2020 DUE TO CORONAVIRUS (COVID-19
  • Re[:] Arrival notice – M/V Corona Triton

Filename

  • W[.]H[.]O WORLD COVID-19 UPDATES_doc[.]exe
  • W[.]H[.]O WORLD COVID-19 UPDATES_doc[.]r00
  • AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf[.]exe
  • Letter_to_customers_covid-19_pdf[.]exe

MD5

  • b33b2a3108d51644d37c16bf604024b2
  • 9498ba71b33e9e9e19c352579e0d1b0a
  • e602d86250e0bddada3bde70bc252c02

SHA-256

  • e12075ae545ee8b6d2981c5f51c857974fbeeba4791a55b13a3a51c2c7394f9f
  • da26ba1e13ce4702bd5154789ce1a699ba206c12021d9823380febd795f5b002
  • f1ba59863abc7d03f67577aa4b75ab121608c76433981f394651f2b327914e9c

SHA-1

  • eeedb19aa357725a0300ca82fc6708406443ace6
  • 39419cf0c4a2aec86db7e87aaecf2972ed7cddb6
  • 9a46dfeb88cadf9734bf736289123d990d284a40

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious of emails sent by unknown senders.
  • Never click links or open attachments sent by unknown senders.
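One way to act on the remediation above, as an added example that is not part of the Rewterz advisory: a Python check that refangs a subset of the subject, filename and SHA-256 indicators listed on this page and runs them over constructed mail-gateway records. The double-extension heuristic (a `_doc`/`_pdf` stem on an executable extension) is an assumption drawn from the listed filenames, not something the advisory states.

```python
import re
# A subset of the advisory's indicators, in the defanged form it uses.
SUBJECTS = [
    "COVID-19 VACCINE UPDATE",
    "COVID-19[:] Copy of Transfer Receipt From Our Bank",
    "Re[:] Arrival notice – M/V Corona Triton",
]
FILENAMES = [
    "W[.]H[.]O WORLD COVID-19 UPDATES_doc[.]exe",
    "Letter_to_customers_covid-19_pdf[.]exe",
]
SHA256 = {
    "e12075ae545ee8b6d2981c5f51c857974fbeeba4791a55b13a3a51c2c7394f9f",
    "da26ba1e13ce4702bd5154789ce1a699ba206c12021d9823380febd795f5b002",
}

def norm(s):
    """Refang ([.] -> ., [:] -> :) and fold case/whitespace for comparison."""
    s = s.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"\s+", " ", s).strip().casefold()

SUBJECT_SET = {norm(s) for s in SUBJECTS}
FILENAME_SET = {norm(f) for f in FILENAMES}
# Assumed heuristic drawn from the listed filenames, not stated by the advisory:
# a document-looking stem (_doc, _pdf) carrying an executable or archive extension.
DOUBLE_EXT = re.compile(r"_(doc|pdf|xls)\.(exe|scr|r00)$")

def check_record(rec):
    """Return the reasons a mail-gateway record matches the advisory, if any."""
    hits = []
    if norm(rec.get("subject", "")) in SUBJECT_SET:
        hits.append("subject")
    name = norm(rec.get("attachment", ""))
    if name in FILENAME_SET:
        hits.append("filename")
    elif DOUBLE_EXT.search(name):
        hits.append("double-extension")
    if rec.get("sha256", "").lower() in SHA256:
        hits.append("sha256")
    return hits

# Constructed sample records standing in for mail-gateway log entries.
SAMPLE = [
    {"subject": "Covid-19 vaccine update", "attachment": "W.H.O WORLD COVID-19 UPDATES_doc.exe",
     "sha256": "e12075ae545ee8b6d2981c5f51c857974fbeeba4791a55b13a3a51c2c7394f9f"},
    {"subject": "Weekly report", "attachment": "Invoice_pdf.exe", "sha256": "0" * 64},
    {"subject": "Lunch menu", "attachment": "menu.pdf", "sha256": "1" * 64},
]
def scan(records=SAMPLE):
    """(index, reasons) for every record that matched at least one indicator."""
    return [(i, check_record(r)) for i, r in enumerate(records) if check_record(r)]
```

The second sample record matches only on the heuristic, which is why it should be triaged rather than blocked outright.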