Home
Threat Intelligence Posts
Malware Intelligence

Beware of COVID guidance manuals carrying the RAT malware

Watch out for a new malware campaign that is distributing files titled “Interim Guidance for CoViD19,” to lure recipients into installing the RAT malware.
Updated on
April 19, 2023
Published on
March 31, 2020
Read MINUTES
5
Subscribe to the latest industry news, threats and resources.

The Carrier

  • File titled “Interim Guidance for CoViD19,” is being distributed as email attachments.
  • An auto-executable file is launched once the attachment is downloaded.

The Malware

  • On execution, it launches cmd and triggers 2 files:
    • Timeout.exe
    • Shost.exe
  • The RAT (Remote Administration Tool), which is named AsyncRAT (Written in C#), is embedded in “shost.exe,” and is auto-triggered.

Risk Involved

  • The malware gives hackers access to keystrokes, files, webcam, or to install other malware or ransomware.
  • The IP address ( C&C (Command & Control) server), has been used for malicious activities since Dec 2019.
  • The distributing site is marked as “safe” by Google Safe Browsing. So, it could evade screening and detection.

File details

  • Distributing Domain: artistdizayn.com
  • Link: hxxp://artistdizayn.com/wp-content/onedrive.live.com/onedrive.live.com/google.com.php
  • Country: Turkey
  • Hosting Provider: Netinternet Bilisim Teknolojileri AS

Indicators of Compromise

  • IP: 216[.]38[.]8[.]179 (Registered with Gigenet with Direct Allocation, Hosted in the United States)
  • MD5: 0726205cfacceb54e0fea5129db94b62
  • SHA1: 1be62a238839eaf8e735eaa34584b9b505638d09
  • SHA256: d0dba418c8ec2aed73a0ffe0654ae955ef9b7b022e7d6ca16d83f17fffd36017
  • SSDEEP: 24576:91NchdmzOrX5tS49b0Z7y1o5WXnlB7UME+LrZNI:91NchPXDS4GZ+1plB7UMbLrZNI
CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.
Recent Posts

Recent Articles

Critical CSRF Vulnerability in IBM CICS TX - CVE-2023-42027 Demands Immediate Action
November 15, 2023
CVE-2023-43792 baserCMS is a website development framework vulnerable to Code Injection attacks
November 6, 2023

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations
Get started
Learn more