COVID-19

Security researchers have uncovered another COVID-19-themed campaign, run by China-based APT threat actors, that exploits the coronavirus scare to deliver previously unseen malware to Windows systems.

The attack is believed to be the work of a long-running APT group that targets a range of government and private-sector organisations; this time the group uses the COVID-19 pandemic as the lure to infect its victims and trigger the infection chain.

The attackers also deploy new hacking tools in this campaign, delivered through malicious RTF documents.


Evidence gathered so far shows that the RTF documents are weaponized with Royal Road, an RTF weaponizer named by Anomali and sometimes called the "8.t" RTF exploit builder. It is used here primarily to exploit the Equation Editor vulnerabilities in Microsoft Office, reached by opening the document in Word.

A few of the malicious documents are written in Mongolian, one of them purportedly coming from the Mongolian Ministry of Foreign Affairs, and the documents contain information about the new coronavirus infections.

Infection Vectors

Once the victim opens the malicious RTF document, the Microsoft Word vulnerability is exploited and a new file named intel.wll is dropped into the Word Startup folder.

infection process

This is one of the newer variants of the Royal Road persistence technique: Word loads every DLL with a .wll extension from its Startup folder each time the victim launches Microsoft Word, and that load re-triggers the infection chain.

This staging also works against sandbox analysis. The payload does not run when the document is first opened but only when Word is launched again, so an automated sandbox that opens the document once and then terminates never sees the malicious DLL execute.
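A quick way to hunt for this persistence mechanism on a Windows host is to list everything sitting in the folders Word treats as its Startup folder. The script below is an added example written for this page; it is not code from the original article or from the researchers who analysed the campaign. It relies only on Word's documented behaviour: the per-user Startup folder under %APPDATA%\Microsoft\Word\STARTUP (where intel.wll was dropped), the optional per-user override stored as the StartupPath value under HKCU\Software\Microsoft\Office\<version>\Word\Options, and the machine-wide STARTUP folder inside the Office installation. The output format and the Signed column are my own additions.

```powershell
# Added example (not from the original article): enumerate the Word Startup
# folders that Word loads .wll add-ins from and report every file found there.

$candidates = @()

# 1. Per-user Startup folder. This is where intel.wll was dropped in the campaign.
$candidates += Join-Path $env:APPDATA 'Microsoft\Word\STARTUP'

# 2. Per-user override set in Word Options > Advanced > File Locations > Startup.
#    Word stores it as StartupPath under HKCU\Software\Microsoft\Office\<ver>\Word\Options.
Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $opt = 'HKCU:\Software\Microsoft\Office\' + $_.PSChildName + '\Word\Options'
    $v = (Get-ItemProperty -Path $opt -Name StartupPath -ErrorAction SilentlyContinue).StartupPath
    if ($v) { $candidates += [Environment]::ExpandEnvironmentVariables($v) }
  }

# 3. Machine-wide Startup folder(s) below the Office installation directory.
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
  if ($root -and (Test-Path (Join-Path $root 'Microsoft Office'))) {
    $candidates += Get-ChildItem (Join-Path $root 'Microsoft Office') -Directory -Recurse `
                     -Filter 'STARTUP' -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty FullName
  }
}

# Report every file in every candidate folder with the details an analyst
# needs to triage it: hash, write time, and Authenticode status.
$findings = foreach ($dir in ($candidates | Sort-Object -Unique)) {
  if (-not (Test-Path $dir)) { continue }
  Get-ChildItem $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
      Path      = $_.FullName
      Extension = $_.Extension
      Size      = $_.Length
      WrittenUtc = $_.LastWriteTimeUtc
      SHA256    = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
      Signed    = (Get-AuthenticodeSignature $_.FullName).Status
    }
  }
}

if ($findings) {
  $findings | Sort-Object WrittenUtc -Descending | Format-Table -AutoSize
} else {
  'No files found in any Word Startup folder.'
}
```

Legitimate add-ins (.wll, .dotm, .dll) do live in these folders, so treat the output as leads rather than verdicts: an unsigned .wll with a recent write time on a machine whose user never installed a Word add-in is what you are looking for. Run the script in the context of each interactive user, because the per-user folder and the StartupPath override are both under the user's own profile and hive.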

After the intel.wll DLL is loaded, it downloads the next stage of the infection chain from the C2 server (95.179.242[.]6) and decrypts it.

This next stage is also a DLL, identified as the main loader of the malware framework developed by the APT actors; its job is to fetch additional functionality from other C2 servers.
