Anti Trojan Elite V 5.6.2 Patch.rar

Rancul Ratha

Jun 13, 2024, 2:30:59 AM6/13/24
to izhumdiffcon

At Sentinel Labs, we have been closely tracking adversarial behavior as it pertains to COVID-19/Coronavirus. To date, we have observed a significant number of malware campaigns, spam campaigns, and outright scams that are preying on the fears and uncertainties of the global population.

During the first week of September, we observed multiple campaigns delivering the Sepulcher trojan. The phishing emails appear to be sent from the World Health Organization, claiming to contain updated technical and geographical guidance around Coronavirus safety measures. As with the Agent Tesla campaigns, these have been ongoing for several months, and the general templates have changed only slightly in the following months.

anti trojan elite v 5.6.2 patch.rar

Download https://t.co/vkhFoRkzfN



Throughout July and August 2020, we have continued to observe malicious actors leveraging COVID-19 as a social-engineering lure. In addition, prominent malware families continue to spread through COVID-19-themed messages and/or websites.

As our time with this pandemic progresses, and our medical and science experts gather more data on COVID-19, they also become larger and more valuable targets. In July 2020, the United States Department of Justice, along with other authorities, released details surrounding an extended campaign targeting COVID-19 research data. Authorities involved have attributed campaigns aimed at COVID-19 research data to both Chinese and Russian-backed actors. One such advisory specifically covers the use of CVE-2019-11510 (Pulse Secure VPN) to gain initial access into targeted environments.

The rise of unemployment and the need for medical/sick leave has brought about a new angle for COVID-related social engineering lures. Criminals have increased the use of weaponized medical leave forms, PTO requests and resume/CV forms and templates in an effort to further spread malware. In recent weeks, Trickbot, ZLoader and other high-profile malware families have been embracing these particular vectors. Weaponized forms are spread via email, primarily as Word documents; however, we have observed alternate file formats as well (ex: ISO). Researchers at Checkpoint have expanded on these campaigns in recent weeks as well.

From May 21st onward, we observed multiple COVID-themed spam campaigns distributing the Warzone RAT (Remote Access Trojan). The malicious spam messages were crafted to exploit CVE-2017-11882. The remote code execution flaw is specific to Microsoft Word Equation Editor. Once exploited, the Warzone RAT payload is downloaded and installed.

We have also observed multiple COVID-themed spam campaigns spreading the IcedID trojan. These are rather generic maldocs which contain obfuscated VB/Macros which retrieve a specially-crafted .PNG image file. The malware is subsequently extracted from the .PNG images and launched.

[May 20, 2020] The last 2 weeks have seen an increased number of COVID-themed campaigns from both Trickbot and Formbook. The Formbook campaigns have been targeting educational institutions, via phishing messages with a trojanized application for teachers. Formbook, like other stealers, is focused on harvesting sensitive data. Recent Trickbot phishing emails have been masquerading as official details around the Family Medical Leave Act and other similar (and timely) lures.

On May 11th, Twitter user @cocaman tweeted information on a COVID-themed dropper for HimeraLoader. Similar to the previously mentioned Trickbot campaigns, the HimeraLoader-centric attacks utilize the FMLA as a lure, prompting victims to open a malicious Word document, leading to the installation of the malware. Upon installation, the malware will create a scheduled task for persistence, as well as drop additional components.

On May 14, Microsoft announced a new initiative to provide COVID-19-themed IOCs/indicators via a free feed. These indicators are automatically wrapped into various Microsoft-based protection technologies. However, environments that utilize other vendors are able to leverage the IOCs as needed. The hash-based IOCs cover multiple file and threat types, and are readily available via the Microsoft Graph Security API and the Azure Sentinel GitHub. Enterprise customers using MISP can easily import/ingest the data as well.

Attacks/campaigns using COVID-themed lures have continued to increase over the last week. We continue to observe increasing amounts of malicious messages and websites preying on the fear and uncertainty around the pandemic. There has been an overall increase in pure credential-harvesting, many of which are referencing U.S. government stimulus payments and small-business loan packages. In that category, multiple campaigns have been observed which directly masquerade as the United States Small Business Association (SBA).

This particular example was part of a widespread campaign used to spread Remcos RAT (MITRE S0332). Remcos is a full-featured RAT capable of harvesting credentials, sensitive documents and information, as well as compromising basic functionality (keylogging, microphone access, screenshots, webcam control) and beyond. There are similar attacks focused on non-United States countries and financial entities as well.

The Anyplace RAT campaign masquerades as an official communication from Epay, providing updates on their current operating abilities. Like Remcos, Anyplace is a full-featured remote access trojan. Upon execution, the dropper and primary executable are written to `C:\Program Files (x86)\cdc`.

The actors behind Trickbot have continued in their prolific ways throughout the last month. We have observed multiple spam campaigns spreading Trickbot (along with additional subsequent threats). Many of the lures are centered around false DocuSign forms hosted on Google Docs, or shared directly as an attachment. When the documents are opened, the embedded macros run, leading to the Trickbot infection.

[April 14, 2020] In mid-April, we observed a short-lived COVID-themed ransomware attack. Spam email messages containing COVID-themed malicious Word documents were used to drop a ransomware payload based on HiddenTear (open source ransomware).

[April 14, 2020] HiddenTear is a long-standing open source ransomware framework. SentinelOne Endpoint Protection detects and prevents all malicious activities associated with this threat.

[April 14, 2020] In early April, several Android-focused campaigns were observed spreading the Anubis and Cerberus banking trojans to victims seeking additional information on Coronavirus in their area. Many were specifically targeted towards users in Italy and China. The malicious apps claim to track and inform users of COVID-specific updates for their region (a very common lure). Oftentimes, the data in the app will be legitimate (redirection), but the app will request permissions beyond what is needed or required, allowing it to exfiltrate personal data to the remote location of their choice.

[April 14, 2020] Throughout late March/early April, multiple COVID-themed Ursnif campaigns were observed. Traditionally, Ursnif is utilized for information theft and data exfiltration. This includes credential harvesting, banking information and similar. Malicious messages arrive with malicious Word documents. When opened (and macros run), the documents will execute scripts to pull additional components from a remote server. Through multiple stages of obfuscated JavaScript, VBS scripts and/or PowerShell, the final Ursnif payload is written to the victim host.

Throughout March 2020, the Qbot banking trojan was distributed via aggressive spam campaigns. Victims are enticed via messages which claim to link to refreshed PPE supplies (ex: masks & gloves). When following the malicious links, users are led to the Qbot trojan in either EXE or ZIP archive form.

[April 6, 2020] Attackers have been leveraging the United States Stimulus Relief package to entice users into following malicious links which ultimately lead to leakage of personal data in multiple forms. We have observed email and SMS-based campaigns which offer updated information around the stimulus bill, or promise short-term loans with the victim's expected stimulus to be used as collateral.

[Update April 1, 2020] On April 1st, a new, multifaceted malware emerged which leverages the Coronavirus in an attempt to target the emotions of its victims. When executed, the dropper will deposit numerous scripts and dependent files. The threat then proceeds to make a number of configuration changes which negatively affect the security posture of the infected host. The infection routine requires a reboot due to the changes to UAC. After reboot, additional payloads are executed, resulting in the display of an image of the Coronavirus adorned with additional messages following the theme.

Malware authors are continuing to utilize COVID/Coronavirus as a lure. We have seen ongoing activity from the malware families outlined in this original post, including AdWind, LokiBot, NetSupport RAT, Tesla Keylogger, and Kpot. We have also observed additional malware families joining in on the exploitation of fear around COVID-19.

[March 31, 2020] Late in March, we observed the Sphinx banking trojan, which is largely based on leaked source code for Zeus, begin to aggressively spread via email with COVID-themed messages. In some observed cases, victims were enticed to complete a form related to receiving government assistance during the outbreak. The malicious document then proceeds to drop and execute a VBS script. This script establishes C2 communication channels, and downloads additional executable payloads. Beyond the COVID-themed lures, the functionality is largely unchanged with regards to data interception via web injects.

In mid-March 2020, a new family of Android ransomware, CovidLock, began targeting users via malicious app (APK) downloads. The malicious apps were hosted on sites masquerading as hosts for valid real-time information tracking apps. Upon infection, the ransomware tricks users into providing full device control via misleading permissions request dialogs. The malware sets itself to load upon device startup and leads to a lock-screen style ransom request. This specific family utilizes Pastebin to aid in the construction of the displayed ransom notes.
