Severity

Medium

Analysis Summary

The adversary spoofs a World Health Organisation email and pretends to provide recommendations to the victim:

The shortened link redirects to a URL that serves a malicious Word document: 

The two embedded documents are the same and are DOS batch files unknown on VT. When you look at the file, it is heavily obfuscated using Chinese characters: This script is a downloader and grabs another script via Powershell. The new script is obfuscated in the same way. Once launched, It changes system registry keys to affect system security. The script is also a downloader and grabs another stage via Powershell. This time, it’s a piece of Javascript code processed via mshta.exe.

Impact

• Unauthorized Remote Access
• Data Manipulation
• Credential Theft
• System Takeover

Indicators of Compromise

Domain Name

• googlechromeupdater[.]twilightparadox[.]com

Email Subject

• CORONAVIRUS TRAVEL RECOMMENDATIONS

Filename

• CORONAVIRUS[.]doc

MD5

• 1eb8dd501af0415fd22f93590a561d5d

SHA-256

• c3379e83cd3e8763f80010176905f147fcc126b5e7ad9faa585d5520386bd659
• c8aace2ca96c6e308f374f4b2e425849ca94287aa8ea9768c5a24b38a2167d24

Source IP

• 216[.]189[.]145[.]11

URL

• hxxp[:]//216[.]189[.]145[.]11/RECOMMENDATIONS
• http[:]//bit[.]ly/2W1eAvU
• http[:]//216[.]189[.]145[.]11/auto[.]cfg[.]bat’
• http[:]//GoogleChromeUpdater[.]twilightparadox[.]com[:]448/html

Remediation

• Block the threat indicators at their respective controls.
• Do not respond to Corona-related emails.
• Do not download documents unless they are from a verified legitimate source.