
Rewterz Threat Alert – Adwind jRAT Campaign Targets Banks in India

Severity

Medium

Analysis Summary

Researchers observed a COVID-19-themed spear-phishing email targeting co-operative banks in India. The email appears to come from a large Indian bank and is aimed at smaller co-operative banks; its body claims that the attached file contains information on measures related to COVID-19. The attachment is a ZIP archive masquerading as a spreadsheet or PDF. Inside the archive is a JAR file that likewise attempts to pass as a spreadsheet or PDF. This JAR acts as the first stage: it drops and executes a second-stage JAR and establishes persistence via a Registry Run key. The second-stage payload is the Adwind jRAT, which provides the main malicious functionality. It communicates with its C2 server on a non-standard port. Once connected, it can receive a variety of commands that provide extensive remote access capabilities: it can download and execute additional payloads, capture screenshots, provide remote desktop access, perform file operations, and more.

Impact

  • Information theft
  • Financial loss

Indicators of Compromise

MD5

  • D7409C0389E68B76396F9C33E48AB72B
  • 09477F63366CF4B4A4599772012C9121
  • 8C5FFB7584370811AF61F81538816613
  • 01AB7192109411D0DEDFE265005CCDD9
  • 0CEACC58852ED15A5F55C435DB585B7D

SHA-256

  • 0ad602eeba1970ed5230bb59ad1e197c3bd3d28bb57a62dd418dd2c7ddeddb9f
  • c50b9aaadf69c7ce1112d8d9b00ed9dacb15a2873ab17161e42a9f5d96658e54

SHA1

  • e0d2f14f4c2b19d7fd994279ba329cadd20f6d0f
  • cb347f131b133b187808ff72cab80a5be420f552

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious of emails sent by unknown senders.
  • Never click links or open attachments sent by unknown senders.
  • Search for the IoCs in the existing environment.
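The following is an added example, not code from Rewterz or the original advisory. It triages a ZIP email attachment the way the chain described above suggests: every member is hashed and compared against the MD5, SHA1 and SHA-256 IoCs listed in this advisory, and members are additionally flagged when they are JAR archives (a JAR is a ZIP containing META-INF/MANIFEST.MF or .class files) that carry a spreadsheet or PDF-looking name. The double-extension check (e.g. a name ending in .xlsx.jar) and the list of document extensions are assumptions about how the masquerade is done; the advisory only says the files pose as a spreadsheet or PDF. The sample attachment is constructed inline so the script runs offline; no real malware is involved.

```python
import hashlib
import io
import zipfile

# Hashes listed in the advisory (normalised to lower case for comparison).
IOC_HASHES = {
    "md5": {
        "d7409c0389e68b76396f9c33e48ab72b",
        "09477f63366cf4b4a4599772012c9121",
        "8c5ffb7584370811af61f81538816613",
        "01ab7192109411d0dedfe265005ccdd9",
        "0ceacc58852ed15a5f55c435db585b7d",
    },
    "sha1": {
        "e0d2f14f4c2b19d7fd994279ba329cadd20f6d0f",
        "cb347f131b133b187808ff72cab80a5be420f552",
    },
    "sha256": {
        "0ad602eeba1970ed5230bb59ad1e197c3bd3d28bb57a62dd418dd2c7ddeddb9f",
        "c50b9aaadf69c7ce1112d8d9b00ed9dacb15a2873ab17161e42a9f5d96658e54",
    },
}

# Assumed set of "document" extensions a JAR might hide behind (not from the advisory).
DOCUMENT_EXTS = (".xls", ".xlsx", ".csv", ".pdf")


def file_hashes(data: bytes) -> dict:
    """Return the three digests used by the advisory for one file's bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_jar(data: bytes) -> bool:
    """A JAR is a ZIP archive; treat a ZIP with a manifest or .class entries as a JAR."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = inner.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n.upper() == "META-INF/MANIFEST.MF" or n.endswith(".class") for n in names)


def triage_zip(archive_bytes: bytes) -> list:
    """Inspect every member of an attachment ZIP; return the members worth escalating."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            hashes = file_hashes(data)
            reasons = []
            # 1. Direct IoC match against the advisory's hash lists.
            for algo, digest in hashes.items():
                if digest in IOC_HASHES[algo]:
                    reasons.append(f"matches advisory {algo} IoC")
            lower = info.filename.lower()
            # 2. Any JAR inside a mail attachment is unusual for a bank notice.
            if lower.endswith(".jar"):
                reasons.append("JAR inside archive")
            # 3. JAR content behind a non-JAR name (e.g. Notice.pdf that is really a JAR).
            if is_jar(data) and not lower.endswith(".jar"):
                reasons.append("JAR content with non-JAR name")
            # 4. Double extension such as Measures.xlsx.jar (assumed masquerade technique).
            parts = lower.rsplit("/", 1)[-1].split(".")
            if len(parts) >= 3 and any("." + p in DOCUMENT_EXTS for p in parts[1:-1]):
                reasons.append("document extension hidden by double extension")
            if reasons:
                findings.append({"name": info.filename, "sha256": hashes["sha256"], "reasons": reasons})
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: a ZIP holding a harmless fake JAR under two disguised names plus one benign file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        jar.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)  # class-file magic, no real code
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("COVID19_Measures.xlsx.jar", inner.getvalue())  # double extension
        zf.writestr("Notice.pdf", inner.getvalue())                 # JAR bytes named as a PDF
        zf.writestr("readme.txt", "plain text, should not be flagged")
    return outer.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_attachment()):
        print(finding["name"], finding["sha256"][:16], "; ".join(finding["reasons"]))
```

In practice the hash comparison is the part that directly implements the "search for the IoCs" remediation; the name and content checks catch fresh builds of the same lure whose hashes are not yet on a list, which is why both are worth running over quarantined attachments.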