Infostealer Trojan hides in Covid-19 related email attachments
Attackers are taking advantage of COVID-19 fear and spreading malware through attachments on COVID-19 informational emails. As many states are still under shelter-at-home orders, people are eager to read any information regarding new guidelines from medical authorities.
This particular trojan is delivered through an email posing as one sent by the CDC (Centers for Disease Control and Prevention).
The malicious attachment is a 32-bit PE file. Upon execution it begins gathering information from the affected system.
It creates a file and a process named dllhost.exe, then collects system information:
- Tries to read sensitive data from web browsers: Mozilla Firefox, Google Chrome, QtWeb Internet Browser, Internet Explorer / Edge.
- Reads the list of installed programs by enumerating the SOFTWARE registry key.
Following are some of the files it tried to access:
C:\Program Files (x86)\Automize7\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize7\encPwd.jsd
C:\Program Files (x86)\Automize8\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize8\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize8\encPwd.jsd
C:\Program Files (x86)\Automize9\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize9\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize9\encPwd.jsd
C:\Program Files (x86)\DeluxeFTP\sites.xml
C:\Program Files (x86)\EasyFTP\data
C:\Program Files (x86)\FTP Now\sites.xml
C:\Program Files (x86)\FTPGetter\Profile\servers.xml
C:\Program Files (x86)\FTPShell\ftpshell.fsi
C:\Program Files (x86)\Fastream NETFile\My FTP Links
C:\Program Files (x86)\FileZilla\Filezilla.xml
C:\Program Files (x86)\Foxmail\mail
C:\Program Files (x86)\FreshWebmaster\FreshFTP\FtpSites.SMF
C:\Program Files (x86)\GoFTP\settings\Connections.txt
C:\Program Files (x86)\JaSFtp10\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp10\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp10\encPwd.jsd
C:\Program Files (x86)\JaSFtp11\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp11\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp11\encPwd.jsd
C:\Program Files (x86)\JaSFtp12\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp12\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp12\encPwd.jsd
C:\Program Files (x86)\JaSFtp13\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp13\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp13\encPwd.jsd
C:\Program Files (x86)\JaSFtp14\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp14\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp14\encPwd.jsd
C:\Program Files (x86)\oZone3D\MyFTP\myftp.ini
C:\Program Files\NETGATE\Black Hawk
C:\ProgramData\NetDrive2\drives.dat
C:\ProgramData\Syncovery
C:\Softwarenetz\Mailing\Daten\mailing.vdt
C:\Users\IEUser\.config\fullsync\profiles.xml
C:\Users\IEUser\AppData\Local360Browser\Browser\Default\Login Data
C:\Users\IEUser\AppData\Local360Browser\Browser\Login Data
C:\Users\IEUser\AppData\LocalCatalinaGroup\Citrio\Default\Login Data
C:\Users\IEUser\AppData\LocalCatalinaGroup\Citrio\Login Data
C:\Users\IEUser\AppData\LocalChromium\Default\Login Data
C:\Users\IEUser\AppData\LocalChromium\Login Data
C:\Users\IEUser\AppData\LocalCocCoc\Browser\Default\Login Data
C:\Users\IEUser\AppData\LocalCocCoc\Browser\Login Data
C:\Users\IEUser\AppData\LocalComodo\Chromodo\Default\Login Data
C:\Users\IEUser\AppData\LocalComodo\Chromodo\Login Data
C:\Users\IEUser\AppData\LocalComodo\Dragon\Default\Login Data
C:\Users\IEUser\AppData\LocalComodo\Dragon\Login Data
C:\Users\IEUser\AppData\LocalCoowon\Coowon\Default\Login Data
C:\Users\IEUser\AppData\LocalCoowon\Coowon\Login Data
C:\Users\IEUser\AppData\LocalEpic Privacy Browser\Default\Login Data
C:\Users\IEUser\AppData\LocalEpic Privacy Browser\Login Data
C:\Users\IEUser\AppData\LocalGoogle\Chrome SxS\Default\Login Data
C:\Users\IEUser\AppData\LocalGoogle\Chrome SxS\Login Data
C:\Users\IEUser\AppData\LocalGoogle\Chrome\Default\Login Data
C:\Users\IEUser\AppData\LocalGoogle\Chrome\Login Data
C:\Users\IEUser\AppData\LocalIridium\Default\Login Data
C:\Users\IEUser\AppData\LocalIridium\Login Data
C:\Users\IEUser\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
C:\Users\IEUser\AppData\LocalMapleStudio\ChromePlus\Login Data
C:\Users\IEUser\AppData\LocalMustang Browser\Default\Login Data
C:\Users\IEUser\AppData\LocalMustang Browser\Login Data
C:\Users\IEUser\AppData\LocalNichrome\Default\Login Data
C:\Users\IEUser\AppData\LocalNichrome\Login Data
C:\Users\IEUser\AppData\LocalOrbitum\Default\Login Data
C:\Users\IEUser\AppData\LocalOrbitum\Login Data
C:\Users\IEUser\AppData\LocalRockMelt\Default\Login Data
C:\Users\IEUser\AppData\LocalRockMelt\Login Data
C:\Users\IEUser\AppData\LocalSpark\Default\Login Data
C:\Users\IEUser\AppData\LocalSpark\Login Data
C:\Users\IEUser\AppData\LocalSuperbird\Default\Login Data
C:\Users\IEUser\AppData\LocalSuperbird\Login Data
C:\Users\IEUser\AppData\LocalTitan Browser\Default\Login Data
C:\Users\IEUser\AppData\LocalTitan Browser\Login Data
C:\Users\IEUser\AppData\LocalTorch\Default\Login Data
C:\Users\IEUser\AppData\LocalTorch\Login Data
C:\Users\IEUser\AppData\LocalVivaldi\Default\Login Data
C:\Users\IEUser\AppData\LocalVivaldi\Login Data
C:\Users\IEUser\AppData\LocalYandex\YandexBrowser\Default\Login Data
C:\Users\IEUser\AppData\LocalYandex\YandexBrowser\Login Data
C:\Users\IEUser\AppData\Local\360Browser\Browser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\360Browser\Browser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Chromium\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Chromium\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\CocCoc\Browser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Comodo\Chromodo\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Comodo\Chromodo\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Comodo\Dragon\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Coowon\Coowon\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Coowon\Coowon\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Epic Privacy Browser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Google\Chrome SxS\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\INSoftware\NovaFTP\NovaFTP.db
C:\Users\IEUser\AppData\Local\Iridium\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Iridium\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Mustang Browser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Mustang Browser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Nichrome\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Nichrome\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Orbitum\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Orbitum\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\PokerStars*
C:\Users\IEUser\AppData\Local\QupZilla\profiles\default\browsedata.db
C:\Users\IEUser\AppData\Local\RockMelt\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\RockMelt\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Spark\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Spark\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Superbird\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Superbird\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Titan Browser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Titan Browser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Torch\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Torch\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Vivaldi\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Vivaldi\User Data\Default\Web Data
C:\Users\IEUser\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
C:\Users\IEUser\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
C:\Users\IEUser\AppData\Roaming\.purple\accounts.xml
C:\Users\IEUser\AppData\Roaming\BitKinex\bitkinex.ds
C:\Users\IEUser\AppData\Roaming\BlazeFtp\site.dat
C:\Users\IEUser\AppData\Roaming\Conceptworld\Notezilla\Notes8.db
C:\Users\IEUser\AppData\Roaming\Cyberduck
C:\Users\IEUser\AppData\Roaming\DeskSoft\CheckMail
C:\Users\IEUser\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
C:\Users\IEUser\AppData\Roaming\FTP Now\sites.xml
C:\Users\IEUser\AppData\Roaming\FTPBox\profiles.conf
C:\Users\IEUser\AppData\Roaming\FTPGetter\servers.xml
C:\Users\IEUser\AppData\Roaming\FTPInfo\ServerList.cfg
C:\Users\IEUser\AppData\Roaming\FTPInfo\ServerList.xml
C:\Users\IEUser\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Web Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Web Data
C:\Users\IEUser\AppData\Roaming\FileZilla\filezilla.xml
C:\Users\IEUser\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\IEUser\AppData\Roaming\FileZilla\sitemanager.xml
C:\Users\IEUser\AppData\Roaming\GmailNotifierPro\ConfigData.xml
C:\Users\IEUser\AppData\Roaming\Ipswitch
C:\Users\IEUser\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt
C:\Users\IEUser\AppData\Roaming\NetDrive2\drives.dat
C:\Users\IEUser\AppData\Roaming\NetDrive\NDSites.ini
C:\Users\IEUser\AppData\Roaming\NetSarang\Xftp\Sessions
C:\Users\IEUser\AppData\Roaming\NexusFile\ftpsite.ini
C:\Users\IEUser\AppData\Roaming\NoteFly\notes
C:\Users\IEUser\AppData\Roaming\Notepad++\plugins\config\NppFTP\NppFTP.xml
C:\Users\IEUser\AppData\Roaming\Opera
C:\Users\IEUser\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\User Data\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\User Data\Default\Web Data
C:\Users\IEUser\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Opera\Opera Next\data\Login Data
C:\Users\IEUser\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
C:\Users\IEUser\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
C:\Users\IEUser\AppData\Roaming\Pocomail\accounts.ini
C:\Users\IEUser\Documents\*.bscp
C:\Users\IEUser\Documents\*.kdb
C:\Users\IEUser\Documents\*.kdbx
C:\Users\IEUser\Documents\*.spn
C:\Users\IEUser\Documents\*.tlp
C:\Users\IEUser\Documents\*.vnc
C:\Users\IEUser\Documents\*Mailbox.ini
C:\Users\IEUser\Documents\1Password
C:\Users\IEUser\Documents\Enpass
C:\Users\IEUser\Documents\My RoboForm Data
C:\Users\IEUser\Documents\NetSarang\Xftp\Sessions
C:\Users\IEUser\Documents\Pocomail\accounts.ini
C:\Users\IEUser\Documents\SuperPutty
C:\Users\IEUser\Documents\mSecure
C:\Users\IEUser\Documents\yMail2\Accounts.xml
C:\Users\IEUser\Documents\yMail2\POP3.xml
C:\Users\IEUser\Documents\yMail2\SMTP.xml
C:\Users\IEUser\Documents\yMail\ymail.ini
C:\Users\IEUser\site.xml
C:\Windows\32BitFtp.TMP
C:\Windows\32BitFtp.ini
C:\Windows\Prefetch\DLLHOST.EXE-D6B64AC2.pf
C:\Windows\System32
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\apppatch\sysmain.sdb
C:\Windows\SysWOW64\apphelp.dll
C:\Windows\SysWOW64\imm32.dll
C:\Windows\SysWOW64\winmmbase.dll
C:\Windows\SysWOW64\KernelBase.dll
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.765_none_42efd88044e1819c\comctl32.dll
C:\Windows\SysWOW64\uxtheme.dll
C:\Windows\SysWOW64\winmm.dll
C:\Windows\SysWOW64\IPHLPAPI.DLL
C:\Windows\SysWOW64\dwmapi.dll
C:\Windows\SysWOW64\mpr.dll
C:\Windows\SysWOW64\userenv.dll
C:\Windows\SysWOW64\version.dll
C:\Windows\SysWOW64\wininet.dll
C:\Windows\SysWOW64\wsock32.dll
C:\Windows\SysWOW64\ole32.dll
C:\Windows\SysWOW64\oleaut32.dll
C:\Windows\SysWOW64\user32.dll
C:\Windows\SysWOW64\advapi32.dll
C:\Windows\SysWOW64\comdlg32.dll
C:\Windows\SysWOW64\kernel32.dll
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\SysWOW64\ws2_32.dll
C:\Windows\WindowsShell.Manifest
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Windows\SysWOW64\SHCore.dll
C:\Windows\SysWOW64\bcryptprimitives.dll
C:\Windows\SysWOW64\cfgmgr32.dll
C:\Windows\SysWOW64\combase.dll
C:\Windows\SysWOW64\cryptbase.dll
C:\Windows\SysWOW64\fltLib.dll
C:\Windows\SysWOW64\gdi32.dll
C:\Windows\SysWOW64\gdi32full.dll
C:\Windows\SysWOW64\kernel.appcore.dll
C:\Windows\SysWOW64\msctf.dll
C:\Windows\SysWOW64\msvcp_win.dll
C:\Windows\SysWOW64\msvcrt.dll
C:\Windows\SysWOW64\powrprof.dll
C:\Windows\SysWOW64\profapi.dll
C:\Windows\SysWOW64\psapi.dll
C:\Windows\SysWOW64\rpcrt4.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\shlwapi.dll
C:\Windows\SysWOW64\sspicli.dll
C:\Windows\SysWOW64\ucrtbase.dll
C:\Windows\SysWOW64\win32u.dll
C:\Windows\SysWOW64\windows.storage.dll
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.765_none_42efd88044e1819c
C:\Users\IEUser\Desktop
C:\Windows\Prefetch\COVID_PDF.EXE-37D47B96.pf
C:\Windows\SysWOW64\UxTheme.dll.Config
C:\Windows\SysWOW64\rpcss.dll
C:\Windows\System32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64log.dll
C:\Windows\System32\wow64win.dll
Following are some of the registry key changes that it tried to make:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe
HKLM\SOFTWARE\Policies\Microsoft\MUI\Settings
HKLM\SOFTWARE\Policies\Microsoft\Windows\Display
HKLM\Software\WOW6432Node\Policies\Microsoft\MUI\Settings
HKLM\Software\WOW6432Node\Policies\Microsoft\Windows\Display
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
HKLM\System\CurrentControlSet\Control\Lsa
HKLM\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKLM\System\CurrentControlSet\Control\NLS\Language
HKLM\System\CurrentControlSet\Control\Nls\Sorting\Ids
HKLM\System\CurrentControlSet\Control\Nls\Sorting\Versions
HKLM\System\CurrentControlSet\Control\Session Manager\ResourcePolicies
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKLM\System\CurrentControlSet\Services\afunix\Parameters\Winsock\Mapping
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\Mapping
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\DisplayString
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\WinSock_Registry_Version
HKLM\System\CurrentControlSet\Services\Winsock\Parameters\Transports
HKCR\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InProcServer32\(Default)
HKCR\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InProcServer32\(Default)
HKCU\Control Panel\Desktop\MuiCached
HKCU\Software\AppDataLow
HKCU\Software\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}
HKCU\Software\Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\(Default)
HKCU\Software\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}
HKCU\Software\Classes\Local Settings\Software\Microsoft\Ole
HKCU\Software\Clients
It then tries to post the sensitive information to attlogistics-vn.com
- SHA256: 9e26d68332abb02fb2e80a924f83eb8614afe4e8b841f51c9f82fd0c986d4571
- attlogistics-vn.com
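To show how a defender can turn the file, registry and network observations above into a detection, here is an added Python example (not code from the original post or from SonicWall) that scores each process in a small constructed set of file-access, registry-write and DNS events. The path patterns are taken from the credential stores listed above (Chromium Login Data and Web Data, FTP/SSH client profiles, KeePass and other password-manager files, mail clients, notes, VNC and PuTTY session files), the Image File Execution Options write for dllhost.exe mirrors the registry list, and the domain comes from the indicators above. The event line format, the pid values, the file name vault.kdbx and the threshold of three distinct store categories are assumptions made for the example.

```python
import re
from collections import defaultdict

# Path patterns derived from the credential stores listed in the report above.
# Each category is matched case-insensitively against the full path touched.
CREDENTIAL_STORE_PATTERNS = {
    "chromium_browser": re.compile(r"\\(Login Data|Web Data)$", re.I),
    "ftp_ssh_client": re.compile(
        r"(sitemanager\.xml|recentservers\.xml|ftpProfiles-j\.jsd|sshProfiles-j\.jsd"
        r"|encPwd\.jsd|NppFTP\.xml|ftpsite\.ini|Xftp\\Sessions)$", re.I),
    "password_manager": re.compile(
        r"(\.kdbx?$|\\1Password$|\\Enpass$|\\My RoboForm Data$|\\mSecure$)", re.I),
    "mail_client": re.compile(
        r"(Pocomail\\accounts\.ini|Opera Mail\\wand\.dat|Foxmail\\mail|yMail2?\\)", re.I),
    "notes_store": re.compile(r"(StickyNotes\.snt|Notes8\.db|NoteFly\\notes)$", re.I),
    "remote_access": re.compile(r"(\.vnc$|\\SuperPutty$)", re.I),
}

# A write under Image File Execution Options for another binary is a classic
# hijack/persistence signal; the report shows one aimed at dllhost.exe.
IFEO_KEY = re.compile(r"\\Image File Execution Options\\([^\\]+)", re.I)

# Exfiltration domain from the indicators above.
IOC_DOMAINS = {"attlogistics-vn.com"}

# Constructed sample telemetry (assumed format: pid|image|event|target).
# The pids, the vault.kdbx name and the chrome.exe baseline are invented.
SAMPLE_EVENTS = r"""
4120|C:\Users\IEUser\Desktop\COVID_PDF.exe|FileRead|C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data
4120|C:\Users\IEUser\Desktop\COVID_PDF.exe|FileRead|C:\Users\IEUser\AppData\Roaming\FileZilla\sitemanager.xml
4120|C:\Users\IEUser\Desktop\COVID_PDF.exe|FileRead|C:\Users\IEUser\Documents\vault.kdbx
4120|C:\Users\IEUser\Desktop\COVID_PDF.exe|FileRead|C:\Users\IEUser\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt
4120|C:\Users\IEUser\Desktop\COVID_PDF.exe|RegWrite|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe
4120|C:\Users\IEUser\Desktop\COVID_PDF.exe|DnsQuery|attlogistics-vn.com
5008|C:\Program Files\Google\Chrome\Application\chrome.exe|FileRead|C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data
5008|C:\Program Files\Google\Chrome\Application\chrome.exe|DnsQuery|www.cdc.gov
"""


def parse_events(text):
    """Parse 'pid|image|event|target' lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        pid, image, event, target = line.split("|", 3)
        events.append({"pid": int(pid), "image": image, "event": event, "target": target})
    return events


def classify_path(path):
    """Return the credential-store category a path belongs to, or None."""
    for category, pattern in CREDENTIAL_STORE_PATTERNS.items():
        if pattern.search(path):
            return category
    return None


def triage(events, min_categories=3):
    """Aggregate events per process and flag credential-harvesting behaviour.

    A process is suspicious when it reads several *kinds* of credential store
    (a browser reading only its own Login Data is normal), writes an IFEO key,
    or resolves a known exfiltration domain.
    """
    per_proc = defaultdict(lambda: {"categories": set(), "ifeo_targets": [], "ioc_domains": set()})
    for ev in events:
        rec = per_proc[(ev["pid"], ev["image"])]
        if ev["event"] == "FileRead":
            cat = classify_path(ev["target"])
            if cat:
                rec["categories"].add(cat)
        elif ev["event"] == "RegWrite":
            m = IFEO_KEY.search(ev["target"])
            if m:
                rec["ifeo_targets"].append(m.group(1))
        elif ev["event"] == "DnsQuery" and ev["target"].lower() in IOC_DOMAINS:
            rec["ioc_domains"].add(ev["target"].lower())

    results = {}
    for (pid, image), rec in per_proc.items():
        reasons = []
        if len(rec["categories"]) >= min_categories:
            reasons.append(f"reads {len(rec['categories'])} kinds of credential store: {sorted(rec['categories'])}")
        if rec["ifeo_targets"]:
            reasons.append(f"writes Image File Execution Options for {rec['ifeo_targets']}")
        if rec["ioc_domains"]:
            reasons.append(f"resolves known exfiltration domain {sorted(rec['ioc_domains'])}")
        results[image] = {"pid": pid, "suspicious": bool(reasons), "reasons": reasons}
    return results


if __name__ == "__main__":
    for image, verdict in triage(parse_events(SAMPLE_EVENTS)).items():
        print(f"{'SUSPICIOUS' if verdict['suspicious'] else 'ok        '} pid={verdict['pid']} {image}")
        for reason in verdict["reasons"]:
            print(f"    - {reason}")
```

Counting distinct store categories rather than individual files is what keeps the browser's own access to Login Data from scoring, while the stealer's sweep across browser, FTP client, password manager and notes files stands out even before the IFEO write or the DNS lookup is seen. In a real deployment parse_events would be fed from EDR file-access telemetry plus Sysmon registry (Event ID 13) and DNS (Event ID 22) events, and min_categories tuned to the environment.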
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: Autoit.Covid.D
This threat is also detected by SonicWall Capture ATP with RTDMI and the Capture Client endpoint solutions.