New scams involving the Coronavirus continue to arrive on a daily basis. This specific campaign involves a threat actor posing as someone who works at a nearby hospital. The email states that the recipient has been in contact with someone who has contracted COVID-19 and includes a Microsoft Excel file (.xlsx) attachment. The email requests that the recipient print the document and bring it to the emergency room to be tested. When the document is opened, the user is asked to enable content in order to view it. Once content is enabled, malicious macros execute, download a malware executable to the computer, and run it. To avoid detection, the executable injects multiple threads into the legitimate msiexec.exe process. Bleeping Computer observed some of the malware's behavior, which is listed below:
- Search for and possibly steal cryptocurrency wallets.
- Steal web browser cookies that could allow attackers to log in to sites with the victim’s accounts.
- Get a list of programs running on the computer.
- Look for open shares on the network with the net view /all /domain command.
- Get local IP address information configured on the computer.
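
The following is an added detection sketch, not code from the original report: it checks process-creation records for two of the behaviors described above, a child process started by Excel and the net view /all /domain share enumeration. The event records, PIDs, paths and the dropped file name are constructed placeholders, and the sketch assumes that the msiexec.exe instance is started by the dropped executable, so that the process tree leads back to Excel.

```python
import ntpath
import re

# Constructed process-creation records (pid, ppid, image, command line), modelled on
# Sysmon Event ID 1 fields. PIDs, paths and file names are placeholders, not IoCs.
SAMPLE_EVENTS = [
    (100, 1, r"C:\Program Files\Microsoft Office\EXCEL.EXE", r"EXCEL.EXE C:\Users\u\form.xlsx"),
    (200, 100, r"C:\Users\u\AppData\Local\Temp\placeholder.exe", "placeholder.exe"),
    (300, 200, r"C:\Windows\System32\msiexec.exe", "msiexec.exe"),
    (400, 300, r"C:\Windows\System32\net.exe", "net view /all /domain"),
    (500, 1, r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\installers\app.msi"),
]
NET_VIEW = re.compile(r'^\s*"?(?:\S*\\)?net1?(?:\.exe)?"?\s+view\b', re.I)


def image_name(path):
    return ntpath.basename(path).lower()


def is_share_enum(cmdline):
    """True for `net view` carrying both /all and /domain, in any order or case."""
    switches = {tok.lower().split(":")[0] for tok in cmdline.split() if tok.startswith("/")}
    return bool(NET_VIEW.match(cmdline)) and {"/all", "/domain"} <= switches


def descends_from(pid, ancestor, by_pid):
    """Walk parent links upward; `seen` stops loops caused by PID reuse."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        _, ppid, image, _ = by_pid[pid]
        if image_name(image) == ancestor:
            return True
        pid = ppid
    return False


def detect(events):
    """Return (pid, rule) findings for the two behaviours described in the report."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        if ppid in by_pid and image_name(by_pid[ppid][2]) == "excel.exe":
            findings.append((pid, "excel_spawned_child"))
        if is_share_enum(cmdline):
            in_tree = descends_from(ppid, "excel.exe", by_pid)
            findings.append((pid, "share_enum_in_excel_tree" if in_tree else "share_enum"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

If the injected msiexec.exe process does not descend from Excel, the plain share_enum finding still fires on the command line alone and can be triaged by its parent process.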