Recently, Check Point researchers have detected malware for Windows that uses the coronavirus (COVID-19) to infect its victims. This malware campaign has been dubbed 'Vicious Panda', and its main objective is the public sector in Mongolia.
Investigation has revealed previous attacks carried out by the same group that is behind the 'Vicious Panda' campaign. These attacks were carried out in 2016 with targets from different sectors in different countries, such as Ukraine, Russia and Belarus.
'Vicious Panda' uses false RTF documents about coronavirus that, when opened in Microsoft Word, exploit the vulnerabilities of the equation editor and execute the malware's initial payload.
The ultimate goal is to infect the system with a Remote Access Trojan (RAT). Once installed on the victim's computer, this Trojan will give the attacker full remote access, allowing them to access files, passwords, etc., present in the affected system.
The computer infection process is carried out thanks to the vulnerabilities (CVE-2017-11882, CVE-2018-0798) existing in the Microsoft Word equation editor. To achieve infection, an RTF file is sent to victims from the Mongolian public sector that allegedly contains information on a topic of interest. In this campaign, the chosen topic of interest was COVID-19, popularly known as Coronavirus.
This file is specially designed by attackers to exploit the aforementioned vulnerabilities, and once it has done so, the initial malware payload is executed. This payload is in charge of creating a file called 'intel.wll' in the directory %APPDATA%\Microsoft\Word\STARTUP.
Adding a malicious file to Word's home directory is a persistence technique, which allows malware to run every time a Microsoft Word document is opened. The extension '.wll' indicates that this file is a DLL that must be executed when opening a document.
The main objective of 'intel.wll' is to download a new encrypted malicious DLL from the control server. This DLL is responsible for loading the actual malicious payload developed by the attackers. Its name is 'minisdllpub.dll' and it is executed using the Rundll32 binary.
The downloaded DLL, 'minisdllpub.dll', acts as 'loader', which initially downloads the final malicious module of the RAT and then runs it. The RAT’s final module is given the name 'mdll.dll'.
The functioning of the DLL that acts as a 'loader' means the malware's functionality can be updated by attackers, or even that new DLLs that expand the initial functionality can be downloaded, making this Trojan able to work with a plugin-based structure, where each plugin is a DLL that can execute different functionality.
The system's remote control module allows attackers to:
- Take screenshots
- Get a list of files and directories
- Create and delete directories
- Move and delete files
- Download files
- Run new processes
- Get a list of configured services
First of all, 'minisdllpub.dll' creates a mutex named 'Afx:DV3ControlHost'. This allows it to detect if this module is already running, thus preventing multiple instances of the malware from running. This string, used as the name of the mutex, is interesting for the detection of new samples.
Strings used to resolve Windows API functions
In addition, the library that acts as a 'loader' dynamically loads the libraries it needs and stores the pointers to the Windows API functions it needs in its own structure. This makes analysis difficult, since we will not have direct references to the Windows APIs that it uses, nor will we be able to know what they are until we run the sample.
It then connects to the control server and downloads the DLL that executes the RAT. This DLL is encrypted, so it is decrypted after download using the XOR operation and the key present among the text strings.
XOR decryption key
The downloaded and encrypted malicious DLL and its decrypted version are stored in '%APPDATA\Microsoft\', in different files with the extension '.tmp', as can be seen in the following image.
Code that prepares the paths in which the malicious DLL is downloaded and decrypted
After the malicious DLL loads the malware continues to run, waiting for commands provided by the control server that allow attackers to steal interesting information from the infected system.
As we can see, the use of current affairs is often exploited by attackers to get victims to open and execute their spam campaign files. In this case, criminals have used the topic of the moment, the coronavirus pandemic, which is a topic of interest around the world today.
We are dealing with a RAT-type Trojan that provides remote access to attackers. They can take screenshots, access files stored on the system and download files, which means it gives them almost complete control over the infected system. Although functionalities that steal banking or other credentials are not included in this case, that type of functionality can be added at any time. As we have seen, this malware works using DLLs, so all it needs is to add a new DLL that implements 'banker' functionalities. They could even be added in the DLL that implements the RAT functionalities.
But it is not only that this specific malware could evolve into a 'banker'; other Trojans, if they are banking Trojans, could use the strategy of this RAT to infect their victims. In fact, a significant portion of banking malware is distributed through SPAM email campaigns, and they routinely use popular and interesting topics to increase their chances of success.
We must be very wary of the emails we receive and avoid opening attachments. This is even more true now, when we are working from home and receiving a significant number of emails.