COVID-19 – When the Virus Spreads to New Internal Networks

General recommendations.

Enforce robust policies and make sure they are aligned across all channels. For example, should you choose to block.
Remember that CDRs and its likes cannot provide proper detection for most collaboration channels. Striping out “active content” is irrelevant for exe files which should be examined without any tampering of the file or URL.
Strive to scan all content dynamically. Static engines are limited in their capabilities to find unseen-before attacks.

Perception Point is perfectly poised to intercept these attacks. Our 360-degree threat prevention services allow us to protect any collaboration channel – email, cloud storage, CRM app, or even your in-house built app – and prevent any content-based attack.

Malware Campaign 1: Agent Tesla.

OVERVIEW.

The malware is sold as an attack kit on the internet and is aimed at stealing personal information such passwords from web browsers, mail clients and FTP software. It can be extended with modules that take screenshots, open the webcam and evade detection from AV software.

ANALYSIS.

The software is written in .net and on initial execution does nothing for 60 seconds, this is most probably to evade sandboxes that dynamically detonate the file. Then it tries to steal as many passwords and configuration files from installed software on the host system. The stolen information is then transmitted to a C2 server on port 567, probably to appear as legitimate SMPT traffic.

Behavior IOCs are in the appendix A.

IOCS.

Filename: IMF-Pandemic Relief and unemployment compensation Form.exe
sha256: 7969aa0b9f3d1dcb4c76e7e6746fdb38ec4f21caf9c9d63abd6d9870ab73ec6a
sha1: e7311c0c34ce97b57336a249d792f20ef97cfc6e
md5: ae0a9ad851282453a057c185c7982e81

DNS REQUESTS.

Domain: smtp.maizinternational.com

CONNECTIONS.

IP: 208.91.199.224

Malware Campaign 2: Tesla Agent.

OVERVIEW.

This variant is very similar to the previous one except it doesn’t perform the initial delayed execution but instead tries to avoid detection in a different manner, by using a code injection technique known as Process Hollowing. The file is shared in relations to “delay in the shipment due to the Coronavirus disease”.

It executes the binary C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe and injects its malicious code into it. This method tries to fool AV software because the executable belongs to Microsoft, however what actually executes in the memory is Agent Tesla.

The behavior is similar to the Behavior IOCs as the previous campaign in this report and can be found in Appendix A.

IOCS.

Filename: Shipping Documents.exe
sha256: c2e306da97bee475cbff69fe2f83bf810afca62a7e56791c06455b0e43f4cec5
sha1: 40ee4672cad326b7b5b93159d9a243c0d92fe01f
md5: b0b7448e08fa1622bc39f09b0e17b82e

DNS REQUESTS.

Domain: mail.elkat.com.my

CONNECTIONS.

IP: 110.4.45.37

Appendix A: Behavior IOCs.

FILES ACCESSED DURING RUNTIME.

C:\%insfolder%\%insname%
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\
C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data
C:\Program Files\Common Files\Apple\Apple Application Support\plutil.exe
C:\Users\Administrator\AppData\Local\Tencent\QQBrowser\User Data
C:\Users\Administrator\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
C:\Users\Administrator\AppData\Roaming\Opera Software\Opera Stable
C:\Users\Administrator\AppData\Local\Yandex\YandexBrowser\User Data
C:\Users\Administrator\AppData\Local\360Chrome\Chrome\User Data
C:\Users\Administrator\AppData\Local\Iridium\User Data
C:\Users\Administrator\AppData\Local\Comodo\Dragon\User Data
C:\Users\Administrator\AppData\Local\MapleStudio\ChromePlus\User Data
C:\Users\Administrator\AppData\Local\Torch\User Data
C:\Users\Administrator\AppData\Local\7Star\7Star\User Data
C:\Users\Administrator\AppData\Local\Amigo\User Data
C:\Users\Administrator\AppData\Local\BraveSoftware\Brave-Browser\User Data
C:\Users\Administrator\AppData\Local\CentBrowser\User Data
C:\Users\Administrator\AppData\Local\Chedot\User Data
C:\Users\Administrator\AppData\Local\CocCoc\Browser\User Data
C:\Users\Administrator\AppData\Local\Elements Browser\User Data
C:\Users\Administrator\AppData\Local\Epic Privacy Browser\User Data
C:\Users\Administrator\AppData\Local\Kometa\User Data
C:\Users\Administrator\AppData\Local\Orbitum\User Data
C:\Users\Administrator\AppData\Local\Sputnik\Sputnik\User Data
C:\Users\Administrator\AppData\Local\uCozMedia\Uran\User Data
C:\Users\Administrator\AppData\Local\Vivaldi\User Data
C:\Users\Administrator\AppData\Local\CatalinaGroup\Citrio\User Data
C:\Users\Administrator\AppData\Local\liebao\User Data
C:\Users\Administrator\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
C:\Users\Administrator\AppData\Local\QIP Surf\User Data
C:\Users\Administrator\AppData\Local\Coowon\Coowon\User Data
C:\Users\Administrator\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Administrator\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Administrator\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\Administrator\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\Administrator\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\Administrator\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Administrator\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Administrator\AppData\Roaming\K-Meleon\profiles.ini
C:\Users\Administrator\AppData\Roaming\K-Meleon\profiles.ini
C:\Users\Administrator\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\Administrator\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\Administrator\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\Administrator\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\Administrator\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\Administrator\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\Administrator\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Administrator\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Administrator\AppData\Local\falkon\profiles\profiles.ini
C:\Users\Administrator\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\Administrator\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\Administrator\AppData\Local\VirtualStore\Program Files\Foxmail\mail\
C:\Users\Administrator\AppData\Local\VirtualStore\Program Files (x86)\Foxmail\mail\
C:\Users\Administrator\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\Administrator\AppData\Roaming\Pocomail\accounts.ini
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll.DLL
C:\Users\Administrator\AppData\Roaming\Postbox\profiles.ini
C:\Users\Administrator\AppData\Roaming\Postbox\profiles.ini
C:\Users\Administrator\AppData\Roaming\Claws-mail\clawsrc
C:\Users\Administrator\AppData\Roaming\Trillian\users\global\accounts.dat
C:\Users\Administrator\AppData\Roaming\Psi\profiles
C:\Users\Administrator\AppData\Roaming\Psi+\profiles
C:\Users\Administrator\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
C:\Users\Administrator\AppData\Roaming\CoreFTP\sites.idx
C:\FTP Navigator\Ftplist.txt
C:\ProgramData\APPDATA\ROAMING\FLASHFXP\3QUICK.DAT
C:\Users\Administrator\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
C:\cftp\Ftplist.txt
C:\Users\Administrator\AppData\Roaming\FTPGetter\servers.xml
C:\Program Files\jDownloader\config\database.script

REGISTRY KEYS ACCESSED DURING RUNTIME.

HKCU\Software\Aerofox\FoxmailPreview
HKCU\Software\Aerofox\Foxmail\V3.1
HKCU\Software\IncrediMail\Identities
HKCU\Software\Qualcomm\Eudora\CommandLine
HKCU\Software\RimArts\B2\Settings
HKCU\Software\OpenVPN-GUI\configs
HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
HKCU\Software\DownloadManager\Passwords

COVID-19 – When the Virus Spreads to New Channels.

General recommendations.

Malware Campaign 1: Agent Tesla.

OVERVIEW.

ANALYSIS.

IOCS.

DNS REQUESTS.

CONNECTIONS.

Malware Campaign 2: Tesla Agent.

OVERVIEW.

IOCS.

DNS REQUESTS.

CONNECTIONS.

Appendix A: Behavior IOCs.

FILES ACCESSED DURING RUNTIME.

REGISTRY KEYS ACCESSED DURING RUNTIME.

Don't miss out on any industry updates.

Sign up for our newsletter!

Ready to Try
Perception Point?

Learn More

Beyond Add-Ons: Elevating Browser Governance Against Malicious and Risky Extensions

Nespress-Oh No! Phishing Attack Exploits Nespresso Open Redirect Vulnerability

Professionally Hooked: Microsoft Two-Step Phishing Campaign Targets LinkedIn Users

Behind the Attack: Evasive HTML Spear Phishing

Evolving Email Security with Embedding Space and AI-powered Subject Analyzer

Operation PhantomBlu: New and Evasive Method Delivers NetSupport RAT

COVID-19 – When the Virus Spreads to New Channels.

General recommendations.

Malware Campaign 1: Agent Tesla.

OVERVIEW.

ANALYSIS.

IOCS.

DNS REQUESTS.

CONNECTIONS.

Malware Campaign 2: Tesla Agent.

OVERVIEW.

IOCS.

DNS REQUESTS.

CONNECTIONS.

Appendix A: Behavior IOCs.

FILES ACCESSED DURING RUNTIME.

REGISTRY KEYS ACCESSED DURING RUNTIME.

Don't miss out on any industry updates.

Sign up for our newsletter!

Ready to Try Perception Point?

Learn More

Beyond Add-Ons: Elevating Browser Governance Against Malicious and Risky Extensions

Nespress-Oh No! Phishing Attack Exploits Nespresso Open Redirect Vulnerability

Professionally Hooked: Microsoft Two-Step Phishing Campaign Targets LinkedIn Users

Behind the Attack: Evasive HTML Spear Phishing

Evolving Email Security with Embedding Space and AI-powered Subject Analyzer

Operation PhantomBlu: New and Evasive Method Delivers NetSupport RAT

Ready to Try
Perception Point?