The world is currently living through an exceptional situation due to the current Covid-19 coronavirus pandemic. To try to stop the spread of the virus, a large number of companies all over the world have started a new regime of telework. This circumstance has significantly increased the attack surface, representing a great challenge for companies when it comes to cybersecurity, as they need to establish protocols and follow a series of measures to ensure that their business and IT systems work properly.

However, the increased attack surface isn’t the only cyber-risk that has emerged in the last few days; many cybercriminals are actively taking advantage of this global uncertainty to carry out phishing campaigns, spread malware, and endanger many companies’ cybersecurity.

An APT exploits the pandemic

Towards the end of last week, an APT group, called “Vicious Panda”, was discovered carrying out a spear phishing campaign that exploited the pandemic to spread its malware. The emails claim to contain information about coronavirus, but in fact contain two malicious RTF (Rich Text Format) files. If the victim opens these files, a RAT (Remote Access Trojan) is launched, which is capable of taking screenshots, creating lists of files and directories on the victim’s computer, as well as downloading files, along with other capabilities.

So far, the campaign has been seen targeting Mongolia’s public sector, and it seems to be the latest attack in a continuing Chinese operation against various governments and organizations around the world. This time, the special feature of the campaign is its use of the novel world situation to try to infect its victims.

The email is designed to look like it comes from the Mongolian Foreign Ministry and claims to contain information about the number of people infected by the virus. To weaponize this file, the attackers used RoyalRoad, a popular tool among Chinese threat actors, which allows them to create custom documents with embedded objects, which can exploit vulnerabilities in Equation Editor, the tool used to create complex equations in Word.

Techniques to gain persistence

Once the victim opens the malicious RTF files, a vulnerability in Microsoft Word is exploited to download a malicious file (intel.wll) to the startup folder of Word (%APPDATA%\Microsoft\Word\STARTUP). With this technique, not only do they gain persistence, but they also stop the whole infection chain from detonating if it is being run in a sandbox, since Word needs to be relaunched to fully run the malware.

The intel.wll file then downloads  a DLL file, which is used to download the malware and to communicate with the cyberattacker’s C2 server. The black hat only operates the C2 server for a limited period each day, which makes it harder to analyze and access the most advanced parts of the infection chain.

Despite this, researchers have been able to see that the first stage of this chain downloads and decrypts the RAT once it receives the command, and also downloads the DLL, which is loaded into memory. The architecture, which is similar to a plugin, suggests that there are other modules, in addition to the payload seen in this campaign.

Protection measures against the new APT

This malware campaign has many tricks to get onto its victims’ systems and to endanger their cybersecurity once it is in. To protect against such campaigns, it is important to follow a series of measures.

The first of these is extremely important: it is vital to be careful when receiving emails. Email is one of the main attack vectors, and it also one that companies cannot do without. If you receive an email from someone you don’t know, don’t open it, and above all, don’t open any attachments or click on any links.

This attack uses a vulnerability in Word to endanger its victims’ cybersecurity. In fact, unpatched vulnerabilities are the cause of many cyberattacks, and they also cause a great deal of data breaches, along with other security issues. This is why it is so important to apply the relevant patch as soon as possible.

To remedy these problems, Panda Security has a solution specifically designed to help identify, manage and install patches. Panda Patch Management automatically searches for the patches needed to keep your company’s computers safe, prioritizing the most urgent updates and scheduling their installation. Pending patches are reported even in exploit and malware detections.

Panda Patch Management immediately launches the installation of these patches and updates, or they can be scheduled from the console, isolating the computer if necessary. This way, you can manage patches and updates to ensure that your company can run smoothly. And you’ll complete your protection system to shield your assets. Find out more about Panda Patch Management here.

Unfortunately, this cyberattack will not be the last to take advantage of the current global situation to jeopardize organizations’ cybersecurity. Protect your organization by taking precautions and using advanced cybersecurity solutions such as those provided by Panda Security.