Covid-19 scams continue

April 23, 2020

As shelter-in-place continues, scams around Covid-19 are rampant in the wild. The SonicWall Capture Labs threat research team has observed more scams in recent weeks.

The stimulus checks from the government’s financial aid have started arriving, and so have the spam scams.

Malicious executable files posing as Covid-19 relief packages are being distributed in the wild.

Typical infection cycle.

The malicious executable file contacts the attacker’s domain.

It also adds and modifies files, and deletes registry key settings.

People are eager to read any information regarding Covid-19, and some email scams use appealing subject lines, as illustrated below.

The Excel attachment is a malicious file. Upon opening, it displays a message asking the user to enable content.

[Screen captured images of third party products or services are intended only to demonstrate the real-world application of the reported malware.]

The file modifies some registry entries.

 

Spammers are also delivering emails with malicious attachments in other languages.


IoCs:


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • Kryptik.Covid.ELN
  • Downloader.COVID_7
  • TrojanDownloader.COVID
  • GAV:Downloader.XLS_12