Severity
Medium
Analysis Summary
Scammers and malware authors are exploiting the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, especially data stealers. In this campaign the lure is a fake "antivirus" that supposedly protects the user's PC against the actual COVID-19 virus infecting people across the world; no software can do that, and what the site delivers is malware.
![fakesite.png](https://blog.malwarebytes.com/wp-content/uploads/2020/03/fakesite.png)
The website has a message that says:
Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.
![fakesite2.png](https://blog.malwarebytes.com/wp-content/uploads/2020/03/fakesite2.png)
Victims who run the download are infected with malware that turns the PC into a bot. The file is packed with the commercial packer Themida, and once running it contacts the attacker's command-and-control server to check in, poll for commands and return results over the following URLs:
- hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
- hxxps[://]instaboom-hello[.]site//getCommand[.]php?[removed]
- hxxps[://]instaboom-hello[.]site//receive[.]php?command=[removed]
![blacknet_panel.png](https://blog.malwarebytes.com/wp-content/uploads/2020/03/blacknet_panel.png)
Impact
- Data theft
- Exposure of sensitive information
- Remote control of the infected PC as a bot
Indicators of Compromise
Domain Name
- instaboom-hello[.]site
- antivirus-covid19[.]site
MD5
- 1daec173bef2d6c442c4a59db74be63d
SHA-256
- 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4
SHA1
- 6b527fc7232188e3afcace62f625df406af548be
URL
- http[:]//antivirus-covid19[.]site/update[.]exe
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on links or attachments sent by unknown senders.
- Install security software only from the vendor's own site; no software can protect a person against the biological COVID-19 virus.
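A practical way to act on the indicators above and on the first remediation step is to sweep existing proxy or DNS logs for the listed domains and for the check-in/command/result URL pattern of the bot, and to compare hashes of suspicious downloads against the listed file hashes. The script below is an added example written for this alert, not code from Rewterz or from the malware author; the log lines and the file bytes it processes are constructed for illustration, while the domains, URL paths and hashes are the ones listed in the alert.

```python
"""Hunt for this alert's indicators in proxy logs and in downloaded files.

Added example, not part of the original Rewterz alert. SAMPLE_PROXY_LOG is
constructed for illustration; the domains, C2 paths and hashes are those
published in the alert (defanging brackets removed so they can be matched).
"""
import hashlib
import re
from dataclasses import dataclass

# Domains listed under "Indicators of Compromise".
IOC_DOMAINS = {"instaboom-hello.site", "antivirus-covid19.site"}

# File hashes listed in the alert (all three refer to the same sample).
IOC_HASHES = {
    "md5": "1daec173bef2d6c442c4a59db74be63d",
    "sha1": "6b527fc7232188e3afcace62f625df406af548be",
    "sha256": "146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4",
}

# C2 endpoints observed in the alert: check-in, command poll, result upload.
# Matching on the path alone is a weaker, hunting-grade signal: it can catch
# the same bot kit on infrastructure that is not yet on a blocklist, but it
# needs analyst review before it is used for blocking.
C2_PATHS = ("/connection.php", "/getCommand.php", "/receive.php")

URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?(/[^\s?]*)?")


def refang(s):
    """Turn defanged IOC text (hxxp, [://], [:], [.]) back into a matchable form."""
    for bad, good in (("hxxp", "http"), ("[://]", "://"), ("[:]", ":"), ("[.]", ".")):
        s = s.replace(bad, good)
    return s


@dataclass
class Hit:
    line_no: int
    host: str
    path: str
    reason: str  # "ioc-domain" (high confidence) or "c2-path-pattern" (hunting)


def hunt_proxy_log(lines):
    """Return a Hit for every line that contacts an IOC domain or a C2 path."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = URL_RE.search(refang(line))
        if not m:
            continue
        host = m.group(1).lower()
        # Collapse doubled slashes: the bot really requests "site//connection.php".
        path = re.sub(r"/+", "/", m.group(2) or "/")
        if host in IOC_DOMAINS:
            hits.append(Hit(n, host, path, "ioc-domain"))
        elif path.endswith(C2_PATHS):
            hits.append(Hit(n, host, path, "c2-path-pattern"))
    return hits


def hash_matches(data):
    """Hash a file's bytes and return the alert hash algorithms it matches."""
    return [
        algo for algo, digest in IOC_HASHES.items()
        if hashlib.new(algo, data).hexdigest() == digest
    ]


# Constructed sample log (timestamp, client, method, URL, status, bytes).
SAMPLE_PROXY_LOG = [
    "2020-03-26T10:01:12Z 10.0.0.15 GET http://antivirus-covid19.site/update.exe 200 1048576",
    "2020-03-26T10:01:40Z 10.0.0.15 GET https://instaboom-hello.site//connection.php?data=ZGVtbw== 200 12",
    "2020-03-26T10:02:10Z 10.0.0.15 GET https://instaboom-hello.site//getCommand.php?id=1 200 40",
    "2020-03-26T10:02:11Z 10.0.0.22 GET https://www.example.com/index.html 200 5120",
    "2020-03-26T10:03:00Z 10.0.0.31 POST https://cdn.example.net/panel/receive.php?command=done 200 2",
]

if __name__ == "__main__":
    for hit in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {hit.line_no}: {hit.host}{hit.path} [{hit.reason}]")
    # A constructed stand-in for a downloaded file; it matches none of the hashes.
    print("hash matches:", hash_matches(b"constructed sample, not the malware"))
```

Lines 1 to 3 of the sample log are the download of update.exe and the bot's first two C2 requests to the listed domains, and are flagged as ioc-domain hits; line 5 uses a domain that is not in the alert but the same receive.php result-upload path, so it is surfaced as a c2-path-pattern hit for review rather than blocked outright. Feed real proxy or DNS exports to hunt_proxy_log and the bytes of quarantined downloads to hash_matches; a file that matches any of the three hashes is the sample from this alert.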