Malicious Actors Produce Coronavirus-Themed Malware

Some cybercriminals have been taking advantage of the Coronavirus hysteria by distributing Remcos RAT and malware payloads on targets’ computers. Operating under a phishing campaign, the criminals disguise the malicious file under a PDF that promises Coronavirus safety measures.

Cybaze/Yoroi ZLab initially discovered the suspicious file after it entered the company’s file analysis service. Research by the security team has revealed that the executable is an obfuscated Remcos RAT dropper that runs alongside a VBS file which executes the malware.

According to BleepingComputer, “The malware will also gain persistence on the infected device by adding a Startup Registry key at HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce which allows it to restart itself after the computer is restarted”.

Once installed, the malware captures the victim’s keystrokes and writes them to a log.dat file in a temporary local \onedriv folder.
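The two host artefacts described above, the RunOnce value and the log.dat file, lend themselves to a simple defender-side triage check. The following Python is an added example, not code from the article or from Yoroi/Cybaze: it parses a constructed `reg export` of the RunOnce key, flags entries that match the indicators the article gives (a VBS loader, a path under the user's temp folder, the \onedriv folder), and picks out log.dat files that sit in a folder named onedriv. The value names, command lines and file paths in the samples are invented for the example, and the matching rules are a heuristic assumption, not a published signature.

```python
"""Triage of the two artefacts the article describes: a HKCU ...\\RunOnce
persistence entry and a log.dat keystroke log in a temporary \\onedriv folder.
Added example; all sample data below is constructed."""
import re
from pathlib import PureWindowsPath

RUNONCE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# Constructed .reg export in the format `reg export` writes. Both entries are
# invented: the article names no value name or command line. The first is a
# benign-looking decoy (note the real "OneDrive" folder), the second mirrors the
# article's indicators (script host, temp folder, \onedriv).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"OneDriveSetup"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveSetup.exe /silent"
"WinUpdate"="wscript.exe //B \"C:\\Users\\alice\\AppData\\Local\\Temp\\onedriv\\run.vbs\""
'''

# Constructed file listing for the keylog check (paths are invented).
SAMPLE_TEMP_LISTING = [
    r"C:\Users\alice\AppData\Local\Temp\onedriv\log.dat",
    r"C:\Users\alice\AppData\Local\Temp\OneDrive\log.dat",
    r"C:\Users\alice\AppData\Local\Temp\onedriv\readme.txt",
]

# A REG_SZ line looks like "Name"="Value"; backslash and quote are escaped with a backslash.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Map each [key] section to its REG_SZ name/value pairs (other value types are ignored)."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def suspicious_reasons(command: str) -> list[str]:
    """Heuristic indicators (assumed, based on the article): VBS/script host,
    execution from the user's temp folder, and the \\onedriv folder name."""
    low = command.lower()
    reasons = []
    if re.search(r"\b[cw]script(\.exe)?\b", low) or ".vbs" in low:
        reasons.append("script host / VBS loader")
    if "\\appdata\\local\\temp\\" in low or "%temp%" in low:
        reasons.append("runs from the user's temp folder")
    # Exact folder match, so the legitimate OneDrive directory does not trigger it.
    if "\\onedriv\\" in low or low.rstrip('"').endswith("\\onedriv"):
        reasons.append("references the \\onedriv folder named in the report")
    return reasons


def triage_runonce(reg_text: str, key: str = RUNONCE_KEY) -> dict[str, list[str]]:
    """Return {value_name: reasons} for RunOnce entries matching at least one indicator."""
    entries = parse_reg_export(reg_text).get(key, {})
    return {name: r for name, cmd in entries.items() if (r := suspicious_reasons(cmd))}


def find_keylog_files(paths: list[str]) -> list[str]:
    """Pick out log.dat files that sit directly inside a folder named onedriv."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)  # pure path: works on any host OS
        if wp.name.lower() == "log.dat" and wp.parent.name.lower() == "onedriv":
            hits.append(p)
    return hits


if __name__ == "__main__":
    for name, reasons in triage_runonce(SAMPLE_REG_EXPORT).items():
        print(f"RunOnce\\{name}: {'; '.join(reasons)}")
    for p in find_keylog_files(SAMPLE_TEMP_LISTING):
        print("possible keystroke log:", p)
```

On a live host the same functions can be fed the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" out.reg` and a directory listing of %TEMP%; the decoy entry shows why the folder name is matched exactly rather than as a substring of "OneDrive".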