Corona virus Themed Attack Spreads Malware

Walden Systems Geeks Corner

An advanced persistent threat (APT) group is using the coronavirus pandemic as a lure to infect victims with a previously unknown malware that researchers call "Vicious Panda." Researchers found two suspicious Rich Text Format (RTF) files, a document format used by Microsoft products. Once a file is opened, a remote-access trojan (RAT) is executed that takes screenshots of the device, builds a list of files and directories, and downloads files.

After the victim opens the specially crafted RTF document and the Microsoft Word vulnerability is exploited, a malicious file, intel.wll, is dropped into the Microsoft Word startup folder ( %APPDATA%\Microsoft\Word\STARTUP ). This both persists the malware and prevents the infection from fully activating if the document is run inside a sandbox, since a relaunch of Microsoft Word is required for the malware to execute fully. The file intel.wll then downloads a DLL file, which serves as the loader for the malware and which also communicates with the attacker's command-and-control ( C2 ) server.

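The persistence step described above leaves a clear trace: Word itself writing an add-in (.wll or template) into its own STARTUP folder. The following is an added detection example, not code from the original article or from the researchers; it runs over constructed Sysmon-style FileCreate events (the paths, user name and file names are made up) and rates a write by an Office process higher than one by an installer, which is the usual benign source of STARTUP add-ins.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events in the shape of Sysmon Event ID 11 (FileCreate),
# as a SIEM might expose them. None of these values come from the article.
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\intel.wll"},
    {"EventID": 11,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\CorpTemplate.dotm"},
    {"EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.rtf"},
    {"EventID": 1,  # process-create event, not a file write: ignored
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" C:\Users\alice\Downloads\update.rtf'},
]

# A file created directly inside the per-user Word STARTUP folder.
STARTUP_RE = re.compile(r"\\Microsoft\\Word\\STARTUP\\[^\\]+$", re.IGNORECASE)
# Extensions Word loads automatically from STARTUP: WLL add-ins and global templates.
ADDIN_EXTS = {".wll", ".dotm", ".dot", ".dotx"}
# Office processes that should not normally be the writer of their own add-ins.
OFFICE_APPS = {"winword.exe"}


def classify(event):
    """Return an alert dict for a suspicious STARTUP write, or None."""
    if event.get("EventID") != 11:
        return None
    target = event["TargetFilename"]
    if not STARTUP_RE.search(target):
        return None
    if PureWindowsPath(target).suffix.lower() not in ADDIN_EXTS:
        return None
    writer = PureWindowsPath(event["Image"]).name.lower()
    # Word writing an add-in into STARTUP matches the exploit-drop pattern;
    # an installer doing so is common and only worth a lower-severity review.
    severity = "high" if writer in OFFICE_APPS else "medium"
    return {"severity": severity, "file": target, "writer": writer}


def scan(events):
    """Run classify() over a list of events and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert]
```

Hunting retroactively, the same rule can be applied to existing files by listing %APPDATA%\Microsoft\Word\STARTUP on each host and reviewing any .wll that no installer accounts for.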
The attacker operates the C2 server in a limited window, going online only for a few hours each day, which makes it harder to analyze and gain access to the later stages of the infection chain. At the final stage, after the appropriate command is received, the malicious code downloads and decrypts a RAT module and loads it into memory.