

Rewterz Threat Alert – Loncom Packer Multiple Payloads
April 7, 2020
Rewterz Threat Alert – Coinminer Bundled with Zoom Installer
April 7, 2020
Severity
Medium
Analysis Summary
Researchers observed a phishing kit being hosted on a Coronavirus-themed website that attempts to lure victims by exploiting the ongoing pandemic. The domain was registered relatively recently. The main phishing kit is a ZIP archive containing all the files needed for the attacker's phishing operation. It contains several custom sets of files targeting specific credential types, such as Office365 and AOL, along with more generic phishing pages intended to gather whatever credentials the user is willing to provide.
Six key files inside the phishing kit were:
- Verification.php – Same as Login.php but sends recovery email and phone number obtained from the verify.php page instead.
- verify.php – Landing page shown if the victim attempts a password recovery.
- blockerz.php – Blacklist of hostnames and IP addresses not allowed to access the phishing site.
- index.php – Landing page for the victim to enter their credentials, which are captured to be sent by Login.php.
- Login.php – Formats the stolen login credentials and the victim system details gathered by sc.php into an email. Emails them to the operator.
- sc.php – Sets the email address to send gathered data to. Gets the victim’s IP address, OS, and browser details.
Impact
- Credential theft
- Exposure of sensitive data
- Information theft
Indicators of Compromise
Domain Name
coronavirusfeedback[.]com
MD5
91e7a5c6acedb9b40ea67e70f299d999
SHA-256
ba0356c2d62bcfd63dce4fa8088d52d39644bea6e441f79203edaab080524bc7
URL
http[:]//coronavirusfeedback[.]com/coooooc[.]zip
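As an added example (not part of the Rewterz alert and not the kit's own code), the script below turns the two technical parts of this alert into something a defender can run: it fingerprints a ZIP archive by the six file names listed above, refangs the published indicators into the literal values a proxy or firewall needs, compares a file's hashes against the alert's MD5/SHA-256, and searches proxy log lines for the domain. The ZIP archives and log lines it processes are constructed fixtures with the same file names, not the real sample; the `min_matches` threshold and the assumption that the hash IoCs identify the archive are my own.

```python
import hashlib
import io
import re
import zipfile

# Indicators exactly as the alert publishes them (defanged).
DEFANGED_IOCS = {
    "domain": "coronavirusfeedback[.]com",
    "url": "http[:]//coronavirusfeedback[.]com/coooooc[.]zip",
    "md5": "91e7a5c6acedb9b40ea67e70f299d999",
    "sha256": "ba0356c2d62bcfd63dce4fa8088d52d39644bea6e441f79203edaab080524bc7",
}

# The six kit files the alert names. Matching is case-sensitive because the
# kit itself mixes cases ('Login.php' next to 'verify.php').
KIT_FILES = {"Verification.php", "verify.php", "blockerz.php",
             "index.php", "Login.php", "sc.php"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the literal value a control needs."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def kit_files_in_archive(zip_bytes: bytes) -> set:
    """Return which of the alert's six file names appear in a ZIP, at any depth."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        basenames = {entry.rsplit("/", 1)[-1] for entry in zf.namelist()}
    return KIT_FILES & basenames


def looks_like_kit(zip_bytes: bytes, min_matches: int = 4) -> bool:
    """Heuristic verdict; the threshold (an assumption) tolerates renamed or dropped files."""
    return len(kit_files_in_archive(zip_bytes)) >= min_matches


def matches_hash_ioc(data: bytes) -> bool:
    """Exact match against the alert's MD5/SHA-256 (assumed here to identify the archive)."""
    return (hashlib.md5(data).hexdigest() == DEFANGED_IOCS["md5"]
            or hashlib.sha256(data).hexdigest() == DEFANGED_IOCS["sha256"])


def scan_proxy_log(lines) -> list:
    """Return log lines that reference the alert's domain or any subdomain of it."""
    domain = re.escape(refang(DEFANGED_IOCS["domain"]))
    # Hostname boundaries: a dot before it is fine (subdomain), a letter or digit is not,
    # so 'notcoronavirusfeedback.com' does not produce a false positive.
    pattern = re.compile(r"(?<![a-z0-9-])" + domain + r"(?![a-z0-9-])", re.IGNORECASE)
    return [line for line in lines if pattern.search(line)]


def build_archive(names) -> bytes:
    """Constructed test fixture: an in-memory ZIP with empty placeholder members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "")
    return buf.getvalue()


# Constructed samples (not the real kit): the same file names under a directory.
SAMPLE_KIT_ZIP = build_archive(["coooooc/" + n for n in KIT_FILES] + ["coooooc/README.txt"])
BENIGN_ZIP = build_archive(["site/index.html", "site/style.css"])

# Constructed proxy log lines (RFC 5737 addresses), roughly in Squid's native format.
SAMPLE_LOG = [
    "1586260000.123 10.0.0.5 TCP_MISS/200 4321 GET http://coronavirusfeedback.com/coooooc.zip - HIER_DIRECT/203.0.113.10 application/zip",
    "1586260001.456 10.0.0.6 TCP_HIT/200 812 GET http://www.example.com/ - HIER_NONE/- text/html",
    "1586260002.789 10.0.0.7 TCP_MISS/200 900 GET http://notcoronavirusfeedback.com/ - HIER_DIRECT/203.0.113.11 text/html",
]

if __name__ == "__main__":
    print("refanged URL:", refang(DEFANGED_IOCS["url"]))
    print("kit files in sample:", sorted(kit_files_in_archive(SAMPLE_KIT_ZIP)))
    print("verdict:", looks_like_kit(SAMPLE_KIT_ZIP), "benign:", looks_like_kit(BENIGN_ZIP))
    # The constructed archive is not the real sample, so no hash match is expected.
    print("hash IoC match:", matches_hash_ioc(SAMPLE_KIT_ZIP))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("proxy hit:", hit)
```

The file-name fingerprint is deliberately separate from the hash check: a hash catches only the exact archive the alert lists, while the file set will still flag a re-zipped or slightly edited copy of the same kit, which is why the verdict uses a match count rather than requiring all six names.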
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on links or attachments sent by unknown senders.