🚀 CloudSEK has raised $19M Series B1 Round – Powering the Future of Predictive Cybersecurity
Read More
The Carrier
- File titled “Interim Guidance for CoViD19,” is being distributed as email attachments.
- An auto-executable file is launched once the attachment is downloaded.
The Malware
- On execution, it launches cmd and triggers 2 files:
- Timeout.exe
- Shost.exe
- The RAT (Remote Administration Tool), which is named AsyncRAT (Written in C#), is embedded in “shost.exe,” and is auto-triggered.
Risk Involved
- The malware gives hackers access to keystrokes, files, webcam, or to install other malware or ransomware.
- The IP address ( C&C (Command & Control) server), has been used for malicious activities since Dec 2019.
- The distributing site is marked as “safe” by Google Safe Browsing. So, it could evade screening and detection.
File details
- Distributing Domain: artistdizayn.com
- Link: hxxp://artistdizayn.com/wp-content/onedrive.live.com/onedrive.live.com/google.com.php
- Country: Turkey
- Hosting Provider: Netinternet Bilisim Teknolojileri AS
Indicators of Compromise
IP: 216[.]38[.]8[.]179 (Registered with Gigenet with Direct Allocation, Hosted in the United States)MD5: 0726205cfacceb54e0fea5129db94b62SHA1: 1be62a238839eaf8e735eaa34584b9b505638d09SHA256: d0dba418c8ec2aed73a0ffe0654ae955ef9b7b022e7d6ca16d83f17fffd36017SSDEEP: 24576:91NchdmzOrX5tS49b0Z7y1o5WXnlB7UME+LrZNI:91NchPXDS4GZ+1plB7UMbLrZNI
