Rewterz Threat Alert – COVID-19 Phishing Email Campaign

April 21, 2020

Severity

Medium

Analysis Summary

Two campaigns spotted leverage COVID-19 related lures to target employees. The first email spotted claims that an Excel attachment contains guidelines for preventing a Coronavirus outbreak. It leverages TTPs similar to an ongoing malspam campaign that uses these Excel documents to infect systems with Zloader. Zloader then downloads the Zeus banking Trojan onto the victim system as the final payload. The second email analyzed in the blog post uses a shipping-theme, claiming shipment delays because of Coronavirus. A link is provided to see more details; however, visiting this link leads to the download of an IMG file. This IMG file, in turn, infects the victim host with the Nanocore RAT, providing remote access to the attacker.

2020-04-08 - Payload Other - INC1805551 - Preparing business and employers work environment for a coronavirus COVID-19 outbreak prevention

2020-04-08 - Payload Other - INC1804096 - Your Shipment AWB 3357647591

Impact

Credential theft
Exposure of sensitive data
Financial loss

Indicators of Compromise

MD5

579090062d15633c58d1e9a37444ee8f

SHA-256

7b2adf1c8ff725d7dd61b0fdc3ef9e6e3a8bd1b744fd209290a1bf65f9b9acb4

SHA1

27af4e30ca4fd382ae20214c8d777d89b82cb356

URL

http[:]//gbud[.]webd[.]pl/images/COVID-19-04-01-2020[.]IMG

Remediation

Block all threat indicators at your respective controls.
Always be suspicious about emails sent by unknown senders.
Never click on the links/attachments sent by unknown senders.