COVID-19 Exploitation in Cyberspace
March 30, 2020Rewterz Threat Alert – Hackers Start Capitalizing on Zoom’s Success to Spread Malware Amid Covid-19
March 30, 2020COVID-19 Exploitation in Cyberspace
March 30, 2020Rewterz Threat Alert – Hackers Start Capitalizing on Zoom’s Success to Spread Malware Amid Covid-19
March 30, 2020Severity
Medium
Analysis Summary
Zeus Sphinx (AKA Zloader, Terdot) increased activities in March 2020. Like many other malicious campaigns, the one pushing Zeus is also leveraging the Covid19 pandemic. The malspam contains files named “COVID 19 relief” and similar subject lines. Zeus still targets banks across continents in the US, Canada, and Australia. The maldoc spam taking advantage of the trending COVID-19 theme tells victims that they need to fill out an attached form to receive monetary compensation for having to stay at home to help fight increasing infection rates.
From a variety of Office programs, with the majority being .doc or .docx files, these documents at first request the end user to enable executing a macro, unknowingly triggering the first step of the infection chain. Once the end user accepts and enables these malicious macros, the script will start its deployment, often using legitimate, hijacked Windows processes that will fetch a malware downloader. Next, the downloader will communicate with a remote command-and-control (C&C) server and fetch the new Sphinx variant.The maldoc is password-protected, likely to prevent analysis of the file before the recipient opens it. It writes numerous folders and files to disk and adds some Registry keys in order to hide itself and manage its configuration files over time.
The weaponized document creates a malicious folder under %SYSTEMDRIVE% and writes a batch file into it. After executing the batch file, it writes a VBS file to the same folder. That file is executed and uses a legitimate WScript.exe process, creates a communication channel with its C&C server and downloads a malicious executable in the form of a DLL. The malicious DLL, which is Sphinx’s executable, is also written to the folder under %SYSTEMDRIVE%. The infection process is initiated with the execution of the Sphinx DLL using Regsvr32.exe, which sets off Sphinx’s infection chain.
Impact
- Credential Theft
- Theft of Banking Information
Indicators of Compromise
MD5
- e8fcf85c39c4b99b903148cba3e2d913
- 2fc871107d46fa5aa8095b78d5abab78
- 70E58943AC83F5D6467E5E173EC66B28
- 7CA44F6F8030DF33ADA36EB35649BE71
- 8A96E96113FB9DC47C286263289BD667
- C6D279AC30D0A60D22C4981037580939
SHA-256
- dff2e1a0b80c26d413e9d4f96031019ce4567607e0231a80d0ee0eb1fcf429fe
- f40d11f983151b6f0405db63a3424e5063a7294f42bdbde07f7aed5fd96f4563
- 511dab2388e7a98cc70a8e6abbfe3c47f170c9fc616941a2c05c08b1fc449ef1
- 3c115864cb93746b3745a119855b17442ef9415ccc2bf1531fc5a269e4714c66
- 66fc5d683cf76c3c4b53199fc0796b7a13afba22fca8d97ef4dfd07249e5a9f1
- c89c43d51eba1eb522cca6ec720f778a59638a09ea07ce10a60dd1929023a8d5
Source IP
- 185[.]14[.]29[.]227
- 49[.]51[.]161[.]225
- 47[.]254[.]174[.]129
URL
- hxxp[:]//brinchil[.]xyz
- hxxps[:]//seobrooke[.]com
- hxxps[:]//securitysystemswap[.]com
- https[:]//axelerode[.]club/
Remediation
- Block the threat indicators at their respective controls.
- Do not download attachments from untrusted emails.