Netwalker Ransomware Infecting Users via Coronavirus Phishing (Mar 21, 2020)
MalwareHunterTeam researchers have identified email attachments in Coronavirus phishing campaigns being used to distribute the Netwalker ransomware. Netwalker is a variant of the Mailto ransomware family that has been seen targeting businesses and government agencies. The phishing emails contain a Visual Basic script (vbs) attachment named “CORONAVIRUS_COVID-19.vbs”, in which an embedded Netwalker ransomware payload is stored, waiting to be executed. Netwalker will encrypt all files and append a random extension to them. The ransomware avoids terminating endpoint security software, likely as a way to evade detection. Once encryption of files is complete, a ransom note is dropped on the machine that instructs users how to pay the ransom via a Tor payment site.
Recommendation: COVID-19 themes have consistently been the focus of recent malspam campaigns as a result of the pandemic, which is why individuals must be vigilant to avoid being exploited by them. Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you by a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Any such file attachment sent by an unknown sender should be viewed with the utmost scrutiny; the attachment should be avoided and properly reported to appropriate personnel.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.
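The delivery method described above, a script attachment such as “CORONAVIRUS_COVID-19.vbs”, can be caught before it reaches a user. The following is an added example, not part of the original report: a Python check that flags script attachments in a raw email message. The function names, the sample message and every extension other than .vbs are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Script types Windows runs on double-click (Windows Script Host / mshta).
# Only ".vbs" comes from the report; the others are an added generalization.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}


def script_attachments(raw_message: bytes) -> list[str]:
    """Return the filenames of MIME parts whose final extension is a script type."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into nested multiparts
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "x.vbs." still runs as .vbs
        cleaned = name.strip().rstrip(". ").lower()
        # Only the last suffix decides how the file opens: "a.pdf.vbs" is a script
        if PurePosixPath(cleaned).suffix in SCRIPT_EXTS:
            hits.append(name)
    return hits


def build_sample() -> bytes:
    """Constructed sample message; attachment bodies are harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "COVID-19 update"
    m.set_content("See attached.")
    for fname in ("CORONAVIRUS_COVID-19.vbs", "notes.txt"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()


if __name__ == "__main__":
    for fname in script_attachments(build_sample()):
        print("quarantine: script attachment", fname)
```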