New scams involving the Coronavirus continue to arrive on a daily basis. This specific campaign involves a threat actor posing as someone who works at a nearby hospital. The email states that the recipient has been in contact with someone who has contracted COVID-19 and includes a Microsoft Excel file (.xlsx) attachment. The email requests that the recipient print the document and bring it to the emergency room to be tested. When the document is opened, the user is asked to enable content in order to view it. Once content is enabled, malicious macros execute, download a malware executable to the computer and run it. To avoid detection, the executable injects multiple threads into the legitimate msiexec.exe process. Bleeping Computer identified some of the malware’s behavior, which is listed below:
- Search for and possibly steal cryptocurrency wallets.
- Steal web browser cookies that could allow attackers to log in to sites with the victim’s accounts.
- Get a list of programs running on the computer.
- Look for open shares on the network with the net view /all /domain command.
- Get local IP address information configured on the computer.
Although it is unfortunate, threat actors will take advantage of nearly any crisis for personal gain. Users should be cautious when receiving emails related to COVID-19, especially if they include attachments or ask for personal information. If possible, contact the sender by phone or another channel to verify the legitimacy of the email. Keep anti-virus signatures updated and use Endpoint Detection and Response (EDR) software to detect suspicious behaviors such as malware launching from Excel files or injecting into other processes.

Initial analysis by Binary Defense indicated that the malware created a new registry key with a random key name in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, saved a copy of itself in the current user’s roaming application data folder, and attempted to communicate with a server at the domain name march262020[.]best. The malware file is identified by SHA-256 hash: 5b6f0d05a10d63245ab982c097027670eaf369bf5d710c340174fb303dc0c5a2
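The following added example, which is not part of the original advisory, checks process, registry and DNS events for the behaviors described above. It assumes telemetry shaped like Sysmon events (event IDs 1, 8, 13 and 22 with their field names); the sample events, rule names and file paths are constructed for illustration.

```python
import re

# Indicators taken from the advisory text (domain kept defanged in source).
C2_DOMAIN = "march262020[.]best".replace("[.]", ".")
RUN_KEY = r"\software\microsoft\windows\currentversion\run" + "\\"
NET_VIEW = re.compile(r"\bnet(\.exe)?\s+view\s+/all\s+/domain\b", re.I)

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule, event index) pairs for behaviors the advisory describes."""
    hits = []
    for i, e in enumerate(events):
        eid = e.get("EventID")
        if eid == 1:  # process creation
            if base(e.get("ParentImage", "")) == "excel.exe":
                hits.append(("excel_spawned_process", i))
            if NET_VIEW.search(e.get("CommandLine", "")):
                hits.append(("net_view_share_discovery", i))
        elif eid == 8:  # CreateRemoteThread from a different image
            if (base(e.get("TargetImage", "")) == "msiexec.exe"
                    and base(e.get("SourceImage", "")) != "msiexec.exe"):
                hits.append(("thread_injected_into_msiexec", i))
        elif eid == 13:  # registry value set
            key = e.get("TargetObject", "").lower()
            data = e.get("Details", "").lower()
            if RUN_KEY in key and "\\appdata\\roaming\\" in data:
                hits.append(("run_key_points_to_roaming_appdata", i))
        elif eid == 22:  # DNS query, exact name or any subdomain
            name = e.get("QueryName", "").lower().rstrip(".")
            if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
                hits.append(("dns_query_for_reported_domain", i))
    return hits

# Constructed sample events (not real telemetry); names and paths are made up.
SAMPLE = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "CommandLine": r"C:\Users\a\AppData\Local\Temp\x.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\a\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "net view /all /domain"},
    {"EventID": 13, "Details": r"C:\Users\a\AppData\Roaming\qzx.exe", "TargetObject":
     r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\qzx"},
    {"EventID": 22, "QueryName": C2_DOMAIN},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]
```

Calling `triage(SAMPLE)` returns one finding for each of the first five events and none for the benign notepad launch.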