- A file titled “Interim Guidance for CoViD19” is being distributed as an email attachment.
- An auto-executable file is launched once the attachment is downloaded.
- On execution, it launches cmd.exe and triggers two files:
- The RAT (Remote Administration Tool) is AsyncRAT (written in C#), embedded in “shost.exe” and auto-triggered.
- The malware gives attackers access to keystrokes, files and the webcam, and lets them install additional malware or ransomware.
- The IP address of the C&C (Command & Control) server has been used for malicious activities since Dec 2019.
- The distributing site is marked as “safe” by Google Safe Browsing, so it could evade screening and detection.
- Distributing Domain: artistdizayn.com
- Link: hxxp://artistdizayn.com/wp-content/onedrive.live.com/onedrive.live.com/google.com.php
- Country: Turkey
- Hosting Provider: Netinternet Bilisim Teknolojileri AS
Indicators of Compromise
- IP: 216[.]38[.]8[.]179 (registered to Gigenet as a direct allocation, hosted in the United States)
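Added here as a defender's example, not part of the bulletin: a small Python matcher that refangs the indicators published above and flags log lines showing each step of the described chain (the lure attachment, the download from artistdizayn.com, cmd.exe spawning shost.exe, and the connection to the C&C IP). The pipe-separated key=value log format and the sample lines are assumptions constructed for the demo.

```python
# Indicators copied from the bulletin above, kept defanged as published.
IOC_IP = "216[.]38[.]8[.]179"
IOC_DOMAIN = "artistdizayn.com"
IOC_URL = "hxxp://artistdizayn.com/wp-content/onedrive.live.com/onedrive.live.com/google.com.php"
IOC_IMAGE = "shost.exe"
IOC_LURE = "interim guidance for covid19"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("216[.]38..." / "hxxp://") into its literal form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def classify(line: str) -> list:
    """Return the bulletin indicators matched by one log line.

    Assumed log format (constructed for this example): pipe-separated key=value
    fields, e.g. 'ts=... | event=process | parent=cmd.exe | image=shost.exe'.
    """
    fields = dict(f.strip().split("=", 1) for f in line.split("|") if "=" in f)
    hits = []
    if fields.get("dst_ip") == refang(IOC_IP):
        hits.append("c2-ip")
    host = fields.get("host", "").lower()
    if host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN):
        hits.append("distribution-domain")
    if fields.get("url") == refang(IOC_URL):
        hits.append("distribution-url")
    image, parent = fields.get("image", "").lower(), fields.get("parent", "").lower()
    if image.endswith(IOC_IMAGE) and parent.endswith("cmd.exe"):
        hits.append("cmd-spawns-shost")  # the cmd -> shost.exe step described above
    if IOC_LURE in fields.get("attachment", "").lower():
        hits.append("lure-attachment")
    return hits


def scan(lines) -> list:
    """Return (line_number, hits) for every line matching at least one indicator."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := classify(line))]


# Constructed sample log lines (not from the bulletin); the lure has no extension
# because the bulletin does not state one.
SAMPLE_LOG = [
    "ts=2020-03-20T09:01:00Z | event=mail | attachment=Interim Guidance for CoViD19",
    "ts=2020-03-20T09:01:10Z | event=http | host=artistdizayn.com | url=" + refang(IOC_URL),
    "ts=2020-03-20T09:01:15Z | event=process | parent=C:\\Windows\\System32\\cmd.exe | image=C:\\Users\\x\\AppData\\shost.exe",
    "ts=2020-03-20T09:01:20Z | event=netconn | image=shost.exe | dst_ip=216.38.8.179",
    "ts=2020-03-20T09:02:00Z | event=http | host=example.com | url=http://example.com/",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(number, hits)
```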