Coronavirus Used in Spam, Malware, and Malicious Domains

Today I received news from Sophos, which I verified with Trend Micro, of a new spam and malware campaign themed around the coronavirus, the same virus that has already been declared a global pandemic.

According to the blog, domains containing the word "Corona" have already been registered, and these same domains have already been identified.

Infection method

The victim was sent an email with the subject "Latest updates of the Corona Virus" that claimed to come from the Ministry of Health.

It contains recommendations on how to prevent infection and comes with an attachment that supposedly contains the latest COVID-19 updates but actually carries malware.

When the file is opened, if macros are disabled, the Word or Excel document displays a message asking the recipient to enable editing and content because "This document was created in an earlier version of Microsoft Office Word."

If macros are already enabled, or if the targeted user complies with the instructions, the VBA script does a number of things:

1. It disgorges files encoded within the document to disk: a VBA macro file (vbaProject.bin), and several Word-related XML files. The macro, in turn, contains an obfuscated JavaScript (jse) file.

2. It connects back to a PHP script on a remote server (hxxps://185[.]234.73.125/wMB03o/Wx9u79.php in some samples), passing the IP address and some basic details about the target as variables within an HTTP GET request.

3. It calls the macro file. While the macro script is obfuscated with code taken from a legitimate VBA script, its actual function is to create the JavaScript dropper and a .bat batch file that executes the dropper with the Windows Script Host (WSH) command-line tool, cscript.exe.

Actions Taken

1. We blocked the command-and-control IP addresses identified by Sophos on the firewall.

2. The domains indicated by TrendMicro that contain the word "Corona" were also blocked.

3. Lastly, malicious mail containing the keyword "Corona" will be monitored in the mail protection service.
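As an added example (not from the original post, Sophos or Trend Micro), the following Python script turns the defanged C2 indicator quoted above back into a matchable URL and sweeps constructed proxy log lines for the macro's GET check-in and for hosts containing the "Corona" keyword; the log format and the sample entries are assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Indicator quoted (defanged) in the post above; refanged below so it can be matched.
DEFANGED_C2 = "hxxps://185[.]234.73.125/wMB03o/Wx9u79.php"
KEYWORD = "corona"  # the post blocked domains containing this word

def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.], stray spaces) back into a real URL."""
    s = indicator.replace(" ", "")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".")

C2_URL = refang(DEFANGED_C2)  # https://185.234.73.125/wMB03o/Wx9u79.php
C2_HOST, C2_PATH = urlparse(C2_URL).hostname, urlparse(C2_URL).path

def classify(method: str, url: str):
    """Label one proxy request, or return None when nothing matches."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if method.upper() == "GET" and host == C2_HOST and p.path == C2_PATH:
        return "c2-beacon"  # the macro's check-in described in step 2
    if KEYWORD in host:
        return "keyword-domain"  # review, not auto-block: news sites match too
    return None

def scan_proxy_log(lines):
    """Return (timestamp, client, label, detail) for each suspicious request.
    Assumed (constructed) log format: '<ts> <client-ip> <method> <url> <status>'.
    For a beacon, detail names the GET variables the macro sent (victim IP etc.)."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines instead of aborting the sweep
        ts, client, method, url, _status = parts[:5]
        label = classify(method, url)
        if label is None:
            continue
        detail = ",".join(sorted(parse_qs(urlparse(url).query))) if label == "c2-beacon" else url
        alerts.append((ts, client, label, detail))
    return alerts

# Constructed sample entries; the first mirrors the indicator quoted in the post.
SAMPLE_LOG = [
    "2020-03-12T09:14:03Z 10.0.0.21 GET https://185.234.73.125/wMB03o/Wx9u79.php?ip=10.0.0.21&os=Win10 200",
    "2020-03-12T09:14:10Z 10.0.0.21 GET https://corona-update-info.example/stats 200",
    "2020-03-12T09:15:00Z 10.0.0.33 GET https://www.who.int/emergencies 200",
    "garbage line",
]
```

Keyword hits will also include legitimate coronavirus news sites, so they belong in a review queue rather than an automatic block list; only the exact C2 host and path match is a confident detection.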
