Full Report
Special thanks to Prajwala Rao, Oliver Devane, Shannon Cole, Ankit Goel and members of Malware Research for their contribution and... The post COVID-19 – Malware Makes Hay During a Pandemic appeared first on McAfee Blog.
Analysis Summary
The provided article snippet discusses how threat actors are exploiting the COVID-19 pandemic to distribute various types of malware through spam and malicious URLs. The summary focuses on the identified malware families, their techniques, and associated MITRE ATT&CK mappings based only on the available text.
# Tool/Technique: Ursnif
## Overview
Ursnif is a banking Trojan primarily aimed at stealing banking credentials. Researchers observed this malware leveraging COVID-19 themes in filenames to entice victims starting in January 2020.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Not explicitly detailed, but execution via VBS and DLL suggests Windows.
- Capabilities: Stealing banking credentials, collecting system activities, recording keystrokes, monitoring network traffic, and tracking browser activity.
- First Seen: Observed using COVID-19 filenames since January 2020.
## MITRE ATT&CK Mapping
- T1059 - Execution
- T1059.003 - Command-Line Interface
- T1129 - Execution
- T1129.001 - Execution through Module Load
- T1085 - Defense Evasion, Execution
- T1085.001 - Rundll32
- T1060 - Persistence
- T1060.001 - Registry Run Keys / Startup Folder
- T1055 - Defense Evasion, Privilege Escalation
- T1055.001 - Process Injection
## Functionality
### Core Capabilities
- Stealing bank credentials.
- Executing dropped DLLs using legitimate system tools (`rundll32.exe`).
- Communication with C&C servers via HTTP GET requests.
### Advanced Features
- Injection of the malicious DLL into the `iexplorer.exe` process for obfuscation and persistence.
## Indicators of Compromise
- File Hashes:
- `e82d49c11057f5c222a440f05daf9a53e860455dc01b141e072de525c2c74fb3` (VBS file)
- `8bcdf1fbc8cee1058ccb5510df49b268dbfce541cfc4c83e135b41e7dd150e8d` (Ursnif DLL)
- File Names: `Coronavirus_disease_COVID-19__194778526200471.vbs`
- Registry Keys: Mentioned persistence mechanism (Registry Run Keys), but specific keys are not listed.
- Network Indicators: Communicates with C&C servers using HTTP GET requests (Specific domains/IPs not provided).
- Behavioral Indicators: Drops a DLL in `C:\Programdata\FxrPLxT.dll` and executes it.
## Associated Threat Actors
- Not explicitly named in the provided text.
## Detection Methods
- Signature-based detection on provided hashes.
- Detection of `rundll32.exe` executing the dropped DLL, and of the resulting injection into the `iexplorer.exe` process.
## Mitigation Strategies
- Utilizing endpoint products (like McAfee ENS) and unified cloud edge solutions.
- Monitoring for execution paths involving VBS files dropping DLLs in sensitive directories like `C:\ProgramData`.
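As an added example (not code from the McAfee post), the detection and mitigation points above expressed as rules over process-creation events: a script host running a COVID/Coronavirus-named `.vbs`, `rundll32.exe` loading a DLL from `C:\ProgramData`, a script host as the parent of that `rundll32.exe`, and a match on the two hashes from the IoC list. The key=value log format, the `filehash` field and the sample command lines are assumptions constructed for the example.

```python
import re

# SHA-256 values published in the report (VBS dropper and Ursnif DLL).
KNOWN_HASHES = {
    "e82d49c11057f5c222a440f05daf9a53e860455dc01b141e072de525c2c74fb3",
    "8bcdf1fbc8cee1058ccb5510df49b268dbfce541cfc4c83e135b41e7dd150e8d",
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LURE_VBS_RE = re.compile(r'(covid|coronavirus)[^\s"]*\.vbs\b', re.I)
PROGRAMDATA_DLL_RE = re.compile(r'c:\\programdata\\[^\s"]+\.dll', re.I)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # assumed key=value log format

def parse_event(line):
    """Parse one constructed key=value process-creation line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def classify(event):
    """Return the rule names that fire for one process-creation event."""
    hits = []
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("cmdline", "")
    # filehash: hash of the script/DLL handed to the process (constructed field)
    if event.get("filehash", "").lower() in KNOWN_HASHES:
        hits.append("known_ursnif_hash")
    if image in SCRIPT_HOSTS and LURE_VBS_RE.search(cmdline):
        hits.append("covid_lure_vbs")
    if image == "rundll32.exe" and PROGRAMDATA_DLL_RE.search(cmdline):
        hits.append("rundll32_programdata_dll")
        if parent in SCRIPT_HOSTS:  # script host spawning rundll32: dropper chain
            hits.append("vbs_to_rundll32_chain")
    return hits

def scan(lines):
    """Map each suspicious event's command line to the rules it triggered."""
    results = {}
    for line in lines:
        event = parse_event(line)
        hits = classify(event)
        if hits:
            results[event["cmdline"]] = hits
    return results

# Constructed sample events: benign process, COVID-named VBS lure, rundll32 chain.
SAMPLE_LOG = [
    r'image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe cmdline="notepad.exe notes.txt" filehash=deadbeef',
    r'image=C:\Windows\System32\wscript.exe parent=C:\Windows\explorer.exe cmdline="wscript.exe C:\Users\u\Downloads\Coronavirus_disease_COVID-19__194778526200471.vbs" filehash=e82d49c11057f5c222a440f05daf9a53e860455dc01b141e072de525c2c74fb3',
    r'image=C:\Windows\System32\rundll32.exe parent=C:\Windows\System32\wscript.exe cmdline="rundll32.exe C:\Programdata\FxrPLxT.dll,DllRegisterServer" filehash=8bcdf1fbc8cee1058ccb5510df49b268dbfce541cfc4c83e135b41e7dd150e8d',
]
```

The chain rule is the one worth alerting on with priority: a script host spawning `rundll32.exe` against a DLL under `C:\ProgramData` is rare in normal use, while the hash rule only catches the exact samples listed.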
## Related Tools/Techniques
- General observation of malware using COVID-19 themes for social engineering spam.
***
# Tool/Technique: Fareit
## Overview
Fareit is an information stealer malware observed being distributed via phishing emails carrying COVID-19/Coronavirus themes.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Not explicitly detailed, though the targeted applications (web browsers, FTP programs, email clients) are desktop software.
- Capabilities: Steals data from web browsers (credentials/cookies), FTP programs, email clients, and over a hundred other installed software tools.
- First Seen: Observed using COVID themes in the context of early 2020 campaigns.
## MITRE ATT&CK Mapping
- T1193 - Initial Access
- T1193.001 - Spearphishing Attachment
- T1106 - Execution
- T1106.001 - Execution through API
- T1130 - Defense Evasion
- T1130.001 - Install Root Certificate
- T1081 - Credential Access
- T1081.001 - Credentials in Files
- T101 - Discovery
- T101.002 - Query Registry
## Functionality
### Core Capabilities
- Data exfiltration from common applications (browsers, email clients, FTP clients).
- Execution upon opening the malicious attachment.
### Advanced Features
- Ability to enumerate and extract data from over one hundred different installed software packages.
- Potential defense evasion techniques, including installing root certificates.
## Indicators of Compromise
- File Hashes:
- `da1443a25f433e23a43d35d50328a4f935d3cce840f1e3cca99b6bd6d49ed6a7` (Dropped Binary)
- `9f4bb022b49bd6ba0766e9408139648d2ddfe2f0dd5ca14644e5bdb2982b5e40` (Email artifact)
- `2faf0ef9901b80a05ed77fc20b55e89dc0e1a23ae86dc19966881a00704e5846` (Attachment artifact)
- `38a511b9224705bfea131c1f77b3bb233478e2a1d9bd3bf99a7933dbe11dbe3c` (Email artifact)
- File Names: Not explicitly listed, but implied to be related to COVID/Coronavirus lures.
- Registry Keys: Used for discovery/reconnaissance via registry queries.
- Network Indicators: Not detailed in the provided IOC list extract.
- Behavioral Indicators: Attachment execution leading to data harvesting.
## Associated Threat Actors
- Not explicitly named in the provided text.
## Detection Methods
- Signature-based detection on provided hashes.
- Behavioral detection monitoring for API calls related to system discovery and credential file access.
## Mitigation Strategies
- Caution regarding email attachments, especially those disguised with high-interest keywords like COVID-19.
- Utilizing cloud edge security products to block known malicious URLs/attachments.
## Related Tools/Techniques
- Other spam/phishing campaigns using COVID themes.
***
**General Observation from Context:**
The article highlights a general trend where established malware families (**Ursnif, Fareit, Emotet, Azorult, NetWalker, Hancitor, Nanocore RAT**) are leveraging the COVID-19 crisis as a lure in spam and malicious URL campaigns to ensure high click/open rates.