Rewterz Threat Alert – Gamaredon APT Using COVID-19 Lures
Severity
Medium
Analysis Summary
A targeted email with the subject line “Coronavirus (2019-nCoV)” and an attached document file was delivered to different users. Opening the document triggers a template injection that loads the template. Within the document, malicious macros execute a VBScript, provided the user has enabled macros. Because the C2 server was unavailable at the time of analysis, additional payloads could not be retrieved. However, across the samples gathered the Exif data is consistent and contains ID, Language Code, System ID, Author, and Code page. Most of the code is written in Cyrillic, indicating Russian origin. The malware drops hardcoded macros and executes a script.exe within the %USERPROFILE% directory. The actual VBS file is titled PlayList.vbs. This file contains obfuscated code that is executed after decryption. This particular technique differs from the one used in previous Gamaredon campaigns.