All Threat Intelligence posts

Beware of COVID guidance manuals carrying the RAT malware

March 31, 2020
4
min read

The Carrier

  • File titled “Interim Guidance for CoViD19,” is being distributed as email attachments.
  • An auto-executable file is launched once the attachment is downloaded.

The Malware

  • On execution, it launches cmd and triggers 2 files:
    • Timeout.exe
    • Shost.exe
  • The RAT (Remote Administration Tool), which is named AsyncRAT (Written in C#), is embedded in “shost.exe,” and is auto-triggered.

Risk Involved

  • The malware gives hackers access to keystrokes, files, webcam, or to install other malware or ransomware.
  • The IP address ( C&C (Command & Control) server), has been used for malicious activities since Dec 2019.
  • The distributing site is marked as “safe” by Google Safe Browsing. So, it could evade screening and detection.

File details

  • Distributing Domain: artistdizayn.com
  • Link: hxxp://artistdizayn.com/wp-content/onedrive.live.com/onedrive.live.com/google.com.php
  • Country: Turkey
  • Hosting Provider: Netinternet Bilisim Teknolojileri AS

Indicators of Compromise

  • IP: 216[.]38[.]8[.]179 (Registered with Gigenet with Direct Allocation, Hosted in the United States)
  • MD5: 0726205cfacceb54e0fea5129db94b62
  • SHA1: 1be62a238839eaf8e735eaa34584b9b505638d09
  • SHA256:
    d0dba418c8ec2aed73a0ffe0654ae955ef9b7b022e7d6ca16d83f17fffd36017
  • SSDEEP: 24576:91NchdmzOrX5tS49b0Z7y1o5WXnlB7UME+LrZNI:91NchPXDS4GZ+1plB7UMbLrZNI
Tags:
No items found.