CoronaVirusSafetyMeasures_pdf.exe has been identified as a “suspicious” executable file, although the infection vector used by the attackers is not yet known, the most likely method of dissemination is a phishing campaign that would deliver it as an email attachment. They would apparently use RAT Remcos to record the keys you press in combination with a VBS file designed to run the RAT.
The malware will also gain control over the infected device by adding a boot record key that allows it to reboot after the computer is rebooted. RAT will then start logging the user’s keys and store it within a log.dat file. The stolen information is then sent to your command and control server. We know that last year Remcos RAT was used through a phishing campaign aimed at accounting firms to steal information from the tax returns of all taxpayers in the USA.
Earlier this month another phishing campaign was detected distributing an “information thief” malware called Lokibot through emails designed to simulate being sent by the Ministry of Health of the People’s Republic of China and containing emergency Coronavirus regulations in English. Inspired by Emotet and the significant increase in Coronavirus infection rates, Lokibot operators saw an opportunity to expand their botnet and joined the current trend of scare tactics.
For more info: Marketing@cybergate.tech