As with every news item of global interest, cybercriminals use it as bait to get their victims to click on the links or open the attachments that serve as infection vectors for malware. In this case, as you can already guess, the bait has been the coronavirus. The campaign was disclosed by Check Point, which named it Vicious Panda; it is aimed especially at the Mongolian public sector. The group to which the attack has been attributed appears to be a Chinese group previously linked to attacks on countries such as Ukraine, Russia and Belarus.

The ultimate goal of this malware is to infect the system with a remote access Trojan (RAT). Once installed on the victim's computer, the Trojan gives the attacker full remote access to the machine: files, passwords and anything else stored on the affected system.

The computer is infected by exploiting two known vulnerabilities in the Microsoft Office Equation Editor (CVE-2017-11882 and CVE-2018-0798). To do so, an RTF file that supposedly contains information about the coronavirus is sent to victims in the Mongolian public sector.

The file is specially crafted by the attackers to exploit those vulnerabilities, so that once the exploit runs, the initial malware payload is executed. This payload is responsible for creating a file called 'intel.wll' in the Word startup folder (%APPDATA%\Microsoft\Word\STARTUP). Word loads every .wll file in that folder as an add-in, so this is a persistence technique that makes the malware run every time Microsoft Word is started, for example to open a document.
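The infection chain above, as an added example that is not part of the original article or of Check Point's research: a small Python script with two defensive checks. The first is a heuristic static triage of an RTF attachment for an embedded Equation Editor object (the component abused by CVE-2017-11882 and CVE-2018-0798); the second lists the .wll add-ins present in a Word startup folder, the persistence location described for intel.wll. The sample RTF bytes and the temporary "startup folder" are constructed for the demo; the OLE header values and the Equation Editor 3.0 CLSID are documented format constants, not taken from the page, and the only names taken from the article are the two CVEs and intel.wll.

```python
"""Added example (not from the article or Check Point): triage of an RTF lure
for an Equation Editor object, plus a check of the Word startup folder for
.wll add-ins. Sample data below is constructed; no real malware is involved."""
import os
import re
import tempfile
from pathlib import Path

# "Equation.3" as it appears hex-encoded inside an RTF \objdata stream, and the
# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} in the
# little-endian byte order used in OLE headers.
EQUATION_NAME_HEX = b"4571756174696f6e2e33"
EQNEDT_CLSID_HEX = b"02ce020000000000c000000000000046"


def rtf_equation_indicators(data: bytes) -> dict:
    """Heuristic static triage: does this RTF carry an Equation Editor object?

    Exploit documents for CVE-2017-11882 / CVE-2018-0798 embed an Equation.3
    OLE object, usually marked \\objupdate so it is loaded (and EQNEDT32.EXE
    started) as soon as the file is opened. All whitespace is stripped before
    matching because lures split the hex stream across lines and mix the case
    of control words to defeat naive string scanners.
    """
    flat = re.sub(rb"\s+", b"", data).lower()
    result = {
        # Word accepts a truncated "{\rt" header; many lures rely on that.
        "rtf_header": data.lstrip().startswith(b"{\\rt"),
        "objclass_equation": b"\\objclassequation.3" in flat,
        "objupdate": b"\\objupdate" in flat,
        "equation_name_hex": EQUATION_NAME_HEX in flat,
        "clsid_hex": EQNEDT_CLSID_HEX in flat,
    }
    result["suspicious"] = (result["objclass_equation"]
                            or result["equation_name_hex"]
                            or result["clsid_hex"])
    return result


def word_startup_folder() -> Path:
    """Default Word startup folder on Windows. Every .wll in it is loaded as an
    add-in each time Word starts, which is why the payload drops intel.wll there."""
    return Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Word" / "STARTUP"


def find_wll_addins(folder: Path) -> list:
    """List the .wll files in a Word startup folder. A .wll is a renamed DLL, so
    one carrying an MZ header is native code that Word will load and execute."""
    hits = []
    if not folder.is_dir():
        return hits
    for p in sorted(folder.iterdir()):
        if p.is_file() and p.suffix.lower() == ".wll":
            hits.append({
                "path": str(p),
                "size": p.stat().st_size,
                "is_pe": p.read_bytes()[:2] == b"MZ",
                "named_like_lure": p.name.lower() == "intel.wll",  # name from the article
            })
    return hits


# Constructed samples. The lure-like RTF carries an OLE1 object header
# ("01050000" version, "02000000" format id, "0b000000" class-name length)
# followed by "Equation.3\0", with the hex split across lines and the
# \objclass control word in mixed case, as real lures do.
SAMPLE_RTF = (
    b"{\\rt1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass EqUaTiOn.3}"
    b"{\\*\\objdata 0105000002000000\n0b0000004571756174\n696f6e2e3300"
    + b"00" * 8 + b"}}}"
)
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Calibri;}} Quarterly report\\par}"


def demo_startup_check() -> list:
    """Build a throwaway 'startup folder' holding a fake intel.wll (an MZ stub,
    not real code) next to a harmless text file, then run the check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "intel.wll").write_bytes(b"MZ" + b"\x00" * 62)
        (folder / "notes.txt").write_text("not an add-in")
        return find_wll_addins(folder)


if __name__ == "__main__":
    for name, blob in (("lure", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, rtf_equation_indicators(blob))
    print("demo startup folder:", demo_startup_check())
    print("real startup folder:", find_wll_addins(word_startup_folder()))
```

The RTF check is a triage signal, not a verdict: a legitimate document can contain an equation object, and a determined attacker can obfuscate further, so treat a hit as "open this in a sandbox, not in Word". The startup-folder check is cheap enough to run from an endpoint script or a logon task; any .wll there that the organisation did not deploy deserves the same scrutiny as an unknown DLL.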

What the malware called Vicious Panda can do to our computers

The system’s remote control module allows attackers to perform the following actions:

▸Get a list of files and directories

▸Take screenshots

▸Create and delete directories

▸Download files

▸Move and delete files

▸Run new processes

▸Get a list of configured services

Many cybercriminals are running campaigns of this kind because of the enormous interest in news about the coronavirus. Bear in mind that you should not fall for these tricks: the best thing you can do with these emails is to ignore them and never open their attachments.

See also:
Potential Hoaxes Using Coronavirus Fake News
Cybercriminals are targeting health institutions


One comment on «Vicious Panda – Malware that uses the pandemic»
