Some APT (Advanced Persistent Threat) hacking groups have been spotted sending fake or spam emails that use the coronavirus pandemic as a lure to infect users, delivering malware or a RAT that steals sensitive information from the victim's device.
Researchers have found two Rich Text Format (RTF) files (a document format used by Microsoft products) which, once opened, install a RAT (Remote Access Trojan) that takes screenshots, downloads files and takes over the device.
"In this campaign, we observed the latest iteration of what seems to be a long-running Chinese-based operation against a variety of governments and organizations worldwide," said researchers with Check Point Research in a Thursday post.
The fake emails used the name of the Mongolian Ministry of Foreign Affairs and claimed to deliver relevant information about the coronavirus. When opened, the RTF file uses a tool named RoyalRoad, which is commonly used by Chinese threat actors.
After the malicious RTF document is opened in Microsoft Word, a malicious file 'intel.wll' is dropped into the Microsoft Word startup folder. The 'intel.wll' file then downloads a malicious DLL that acts as the loader for the malware and communicates with the C&C (Command and Control) server.
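Because the persistence step described above relies on Word automatically loading whatever sits in its STARTUP folder, a simple defensive check is to enumerate those folders and flag any auto-loaded file types found there. The script below is an added example written for this article, not code from Check Point's report; the folder locations it checks (the per-user %APPDATA%\Microsoft\Word\STARTUP and any STARTUP folder under Program Files\Microsoft Office) are assumptions based on the standard Office layout, and the file name 'intel.wll' used in the comments comes from the campaign as described above.

```python
"""Flag files that Microsoft Word auto-loads from its STARTUP folders.

Added example (not from the original article). A .wll add-in such as the
'intel.wll' dropped by this campaign, or a global template (.dot/.dotm/.dotx),
is executed every time Word starts, so anything in these folders that the
organisation did not deploy deserves a closer look.
"""
import os
from pathlib import Path

# File types Word loads automatically from STARTUP: .wll add-ins (the type used
# in this campaign) and global templates.
AUTOLOAD_SUFFIXES = {".wll", ".dot", ".dotm", ".dotx"}


def word_startup_dirs():
    """Candidate Word STARTUP folders (assumed standard Office layout)."""
    dirs = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        # Per-user startup folder: %APPDATA%\Microsoft\Word\STARTUP
        dirs.append(Path(appdata) / "Microsoft" / "Word" / "STARTUP")
    for env in ("ProgramFiles", "ProgramFiles(x86)"):
        base = os.environ.get(env)
        if base:
            # Machine-wide startup folders live under the Office install
            # directory; the exact sub-path depends on the Office version,
            # so search for any folder named STARTUP beneath it.
            office = Path(base) / "Microsoft Office"
            if office.is_dir():
                dirs.extend(p for p in office.rglob("STARTUP") if p.is_dir())
    return dirs


def scan_startup_dir(directory):
    """Return the sorted names of auto-loaded files in one STARTUP folder.

    A missing folder yields an empty list rather than an error, since most
    machines have no per-user STARTUP folder at all.
    """
    directory = Path(directory)
    if not directory.is_dir():
        return []
    return sorted(
        p.name for p in directory.iterdir()
        if p.is_file() and p.suffix.lower() in AUTOLOAD_SUFFIXES
    )


def scan_all():
    """Map each STARTUP folder that contains auto-loaded files to those names."""
    findings = {}
    for d in word_startup_dirs():
        hits = scan_startup_dir(d)
        if hits:
            findings[str(d)] = hits
    return findings


if __name__ == "__main__":
    results = scan_all()
    if not results:
        print("No auto-loaded Word add-ins or templates found.")
    for folder, names in results.items():
        print(f"{folder}:")
        for name in names:
            print(f"  {name}  <- verify this is an approved add-in")
```

Run it under the user account whose Word profile you want to inspect; any .wll that is not part of an approved deployment should be hashed and investigated, and the same folders are worth adding to file-integrity monitoring so that a newly dropped add-in raises an alert rather than waiting for a periodic scan.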
"The threat actor operates the C&C server in a limited daily window, going online only for a few hours each day, making it harder to analyze and gain access to the advanced parts of the infection chain," said researchers.
After successfully communicating with the C&C server, a RAT (Remote Access Trojan) is loaded into memory.
Attackers are always finding new ways to compromise users; now they are using the coronavirus panic as a weapon against them.