COVID-19-Makes Hay a Pandemic Malware

COVID-19-Makes Hay a Pandemic Malware

COVID-19-Makes Hay a Pandemic Malware

Special thanks to Prival Rao, Oliver Devan, Shannon Cole, Ankit Goel and members of Malware Research for their contributions and monitoring of related threats.

As COWID-19 continues to spread around the world, it is not surprising that the authors of malware are exploiting the pandemic. McAfee recently blogged about Covid-19 threats – To stay safe while working remotely, COVID-19 Threat Update Now now includes blood for sales and the transition to mass teleworking. The first describes how attackers plan to use the pandemic as an opportunity to attack organizations, the second gives a preliminary overview of how attackers are using public fear to seize the drug, help manage the disease and seek coverage, and the third gives some advice to organizations on how to test their safety checks. In this blog we will continue to discuss the thematic attacks on KOVID-19 and how we can remain vigilant.

The quarantine weeks forced individuals and organisations to quickly adapt to the home model. You spend a lot more time indoors and on the internet, and you keep worrying about when your life will return to normal. Currently, we continue to fight a deluge of pandemic-related articles by managing the supply and demand of household goods in shops and on the internet, as well as the lack of medical supplies such as preventive masks, gloves and disinfectants. These are difficult times for us and a holiday for fear of malware vendors.

In the final months of 2020, McAfee researchers worked hard to ensure the security of our customers by better monitoring and adapting our detector stack to better manage the COVID 19 threat landscape. This report is not exhaustive due to the breadth of the ever-expanding landscape of COVID-19, so we will cover some of the threats targeting malware, spam and malware/URL scam campaigns.

This blog is designed to remind customers of the different levers that are present in our finished products and our extensive portfolio, such as McAfee’s Unified Cloud Edge. Read our Recommendations section and consult our IOC section (a partial IOC list based on this article), the Expert Rules section (includes various tactics based on this article). McAfee uses a variety of internal and external methods to identify sources of malware, including collaboration with other industry partners through the Cyber Threat Alliance.

Table of Contents :

Time measurement

The timeline below shows a subset of common malware families detected in our spam channels, with links to COVID-19/Coronavirus. The malware in this timeline has been selected based on its ability to cause damage (e.g. ransom programs) or spread (e.g. to arouse emotions for spam or other wormlike activities).

The weekly breakdown of all known VIDOC-related STBs is shown below.

Malicious program

This section examines a subset of the malware family included in the chronology above and shows the different CIOs associated with this virus. A more complete list of IOCs can be found under IOC.


The first threat we saw when we took advantage of the pandemic was Ursniff. Ursnif is a banking Trojan horse that is supposed to steal bank records and gets stronger every day. The Ursnif collects information about the victims’ system activities, records keystrokes and monitors network traffic and browser activity.

We have seen that Ursniff has been using the filename COVID-19 since January 2020 to attract users.

When executing a VBS file it starts the dll in C:ProgramdataFxrPLxT.dll and executes the .dll with rundll32.exe. The DLL is integrated in iexplorer.exe and communicates with its C&C server via http confirmation requests.


Come on in. IOC Comments
Sha256 e82d49c11057f5c222a440f05daf9a53e860455dc01b141e072de525c2c74fb3 Movie: Coronavirus_Disease_COVID-19__194778526200471.vbs
Sha256 8bcdf1fbc8cee1058ccb5510df49b268dbfce541cfc4c83e135b41e7d15 d Ursnif Dill


Technical data sheet Tactics Technical Information
T1059 Design Command line interface
T1129 Design Execution by loading modules
T1085 Bypassing the defense, execution. Randle32
T1060 Perseverance Registry version key / Start folder
T1055 The leakage of defense, the escalation of privilege… Process injection


Fareit is an information theft program that steals data from web browsers, FTP programs, e-mail clients and more than 100 different programs installed on an infected computer. We’ve seen several phishing emails called COVID/Coronavirus. Some of them are presented below.

Spam rate 1:


Come on in. IOC Comments
Sha256 da1443a25f433e23a43d35d50d328a4f935d3cce840f1e3cca99b6bd6d49ed6a7 Waste from the binary system
Sha256 9f4bb022b49bd6ba076e9408139648d2dd2f0dd5ca14644e5b2982b5e40 Electronic mail


Incisional identification technique Technology Technical Information
T1193 First access Anchor for harpoon fishing
T1106 Design Execution via API
T1130 Bypassing the defence Installing the root certificate
T1081 access to credit References in the files
T101 Opening Registration of applications

Rate spam 2:


Come on in. IOC Comments
Sha256 2faf0ef990 0a05ed77fc20b55e89dc0e1a23ae86dc19966881a00704e5846 Annex
Sha256 38a51224705bfea131c1f77b3bb233478e2abd3bf99a7933dbe11dbe3c Electronic mail


Incisional identification technique Technology Technical Information
T1193 First access Anchor for harpoon fishing
T1106 Design Execution via API
T1130 Bypassing the defence Installing the root certificate
T1081 access to credit References in the files
T1012 Opening Registration of applications
T1071 ALL ASPECTS Standard application layer protocol

Spam rate 3:


Come on in. IOC Comments
Sha256 1 34cda4a55c8adb663fbcdd4b1f1018715dd737d3089a73840b77e5e76 Waste from the binary system
Sha256 45c6440bdd7b49023bb42f9661caae3b12b579dfd5ae9e64421923ef452a0faf Electronic mail
Sha256 095bfab52666648ff4d2636a3718a28eab4d99a6c178a8c7912197221d195 Electronic mail


Incisional identification technique Technology Technical Information
T1193 First access Anchor for harpoon fishing
T1106, T1204. Design API execution, user execution
T1060 Perseverance Registry version key / Start folder
T1130 Bypassing the defence Installing the root certificate
T1081 access to credit References in the files
T1012 Opening Registration of applications
T1114 Collection Email collection

Spam rate 4:


Come on in. IOC Comments
Sha256 f8e041bed93783bd5966bfba6273fe7183464035ea54fe1d59ff85a679b3e Waste from the binary system
Sha256 9e17f5e70c30ead347b68841fa137015d713269add98f0257fb30cc6afdea4fe Annex
Sha256 ada05f3f0a00dd2ac91e24eb46a1e719fb08838145d9ae7209b5b7bba52c67 Electronic mail


Technical data sheet Technology Technical Information
T1193 First access Anchor for harpoon fishing
T1204 Design Execution by the user
T1071 Command and control Standard application layer protocol

COVID-19 Redemption

No wonder there’s a new family of ransom software on the scene. Afterwards, Ransomware-GVZ removes shadow copies with vssadmin and then continues encrypting all file types without spikes.  As soon as the whole folder is encrypted, the refund notes file below will be created.

Ransomware-GVZ also creates a screen lock component so that the next message is displayed when the computer restarts.


Come on in. IOC Come on in.
Sha256 3299f07bc0711b3587fe8a1c6bf3ee6bcbcc14cb775f64b28a61d72ebc8968d3 Binary


Technical data sheet Tactics Technical Information
T1486 Influence The data is encoded
T1083 Opening File and folder recognition
T1490 Influence Restoration of an inhibiting system


Another common threat spread by phishing emails is the emotet. We have reviewed the distribution of the following e-mail, which has been translated into English:

The object:

Break!!!!! Decision COVID-19 announced by the WHO at the end As a recognised comprehensive control method

The most important part of the e-mail:

As published in the World Health Organization newsletter 3/17/2020 7:40:21 A new joint study identified and studied antibodies to the Covid 19 virus. These antibodies could be used to develop effective universal treatments for many different types of Covid 19 viruses. The results were recently published in the journal Microbiology of Nature.

They are based on natural activity and how heat has helped inhibit the growth of viruses.

The Covid 19 virus causes a serious disease with a high mortality rate in humans. Various strategies have been developed for the treatment of the KOVID-19 viral infection, including ZMapp, which has been shown to be effective in non-human primates and inferior to human treatment protocols.

Please download the full text in an attached document …

Also share with all your contacts for a quick skin test.

The letter contains a zipped executable file from Emotet, which after execution uses the technique to delete the injection process in regasm.exe. He will then contact his C&C server and send spam.


Come on in. IOC Comments
Sha256 ca70837758e2d7 1fae20396dfd8 3597d4e606758a02642ac784324eee6 Annex
Sha256 702feb680c17b00111c037191f5dad1b55db006d9337e883ca48a839e8775 Electronic mail


Technical data sheet Tactics Technical Information
T1121 Bypassing the defense, execution. Plans/ schedules
T1093 Bypassing the defence Completeness of the technological process



Azorult is a malicious program that steals data from the victim’s computer, including usernames, passwords, encrypted currency, browser history and cookies. It can also download additional malware to the victim’s computer. The difference between Azorult and the other malware described in this report is that the creators of Azorult created a fake website with a corona infection card […]com. A fake website looks like this:


Come on in. IOC Comments
Sha256 c40a712cf1eec59efac42daada5d79c7c3a ed5fbb9315bfb26b58c79b7a2 Domain jar file
URL ADDRESS H**p://corona virus  
Sha256 63fcf6b19ac3a6a232075f65b4b58d69cfd4e7f396f573d4da46aaf21 2564 Waste from the binary system


Incisional identification technique Technology Technical Information
T1059 Design Command line interface
T1012 Opening Registration of applications


Another buy-back tool using COVID-19 is Netwalker. Ransomware used the filename CORONAVIRUS_COVID-19.vbs to entice users to run it. The VBS file contained the load of the integrated ransom software.

When vbscript is executed, the ransom program jumps into C:UsersAppDataLocalTempqeSw.exe and executes.

It uses vssadmin.exe to remove shadow copies from the computer to make file recovery more complex.

The veiled Vbscript is presented below

COVID-19-Makes Hay a Pandemic Malware

The blackmail program goes through the folders of the infected computer and encrypts the files. After encryption, the file extension becomes .1fd385. The ransom demand is also placed in each folder where the files are encrypted. This note is presented below.

COVID-19-Makes Hay a Pandemic Malware


Come on in. IOC Comments
Sha256 9f9027b5db5c408ee43ef2a7c7d1aecbdb244ef6b16d9aafb599e8c40368967 CORONAVIRUS_COVID-19.vbs
Sha256 8639825230d5504fd8126ed5b2d7aeb72944ffe17e762801aab8d4f8f880160 Waste from the binary system


Technical data sheet Tactics Technical Information
T1204 Design Execution by the user
T1064 Design Scenario
T1106 Design Execution via API
T1490 Influence Restoration of an inhibiting system
T1486 Influence The data is encoded

Nanocor RAT

NanoCore is a Remote Access Trojan (RAT), and its highly customizable plug-ins allow attackers to customize its features to their needs. This Kovid-19 is also used for the distribution of e-mails on subjects such as the urgent precautions to be taken for the Kovid-19.

COVID-19-Makes Hay a Pandemic Malware


Come on in. IOC Comments
Sha256 ca93f60e6d39a91381b26c1dd4d81b7e352aa3712a965a15f0d5eddb565a4730 Waste from the binary system
Sha256 89b2324756b04df27036c59d7aaaaef384c5bfc98ec7141ce01a1309129cdf9f ISO fixation
Sha256 4b523168b86eafe41acf65834c1287677e15fd04f77ea3d0b662183ecee8fd0 Electronic mail


Technical data sheet Technology Technical Information
T1193 First access Anchor for harpoon fishing
T1053 Design Planned target
T1060 Perseverance Registry version key / Start folder
T1143 Bypassing the defence Hidden window
T1036 Bypassing the defence Masquerade
T1497 Bypassing the defence Virtualization/sandbox derivation
T1012 Opening Registration of applications
T1124 Opening Detection of system time
T1065 Command and control Unusual port


The Hancitor Trojan also uses COVID-19 themes for his distribution, disguised as an e-mail from an insurance company. The email contains a link to download a fake invoice, which is used to download a DDPS file.

When VBS is started, the Hancitor dll temp_adobe_123452643.txt is created in the %AppData/Local/Temp folder. The DLL is executed using Regsvr32.exe and then starts interacting with its C&Cs.


Come on in. IOC Comments
Sha256 2f87dd075fc12c2b6b15a1eb5ca209ba056bb6a2feaf3518163192a17a7a3 Downloaded binary file
Sha256 0caef2718bc7130314b7f08559beba53ccf00e5ee5aba49523fb83e1d6a2a347 Downloaded binary file
Sha256 375d196227d62a95f82cf9c20657449ebea1b512d4cb19cdfe9eb8f102d9fa Downloaded binary file
Sha256 800734669a7dbc6e67f93e268d827b5e67d4f30e33734169ddc93a026 Downloaded binary file
Sha256 9c40426f157a4b684047a4284f882618d07dc5154cf1bf89da5875a00d69c Electronic mail


Technical data sheet Technology Technical Information
T1192 First access Harpooning reference
T1064 Design Scenario
T1117 Design Regsvr32
T1071 Command and control Standard application level


Thermal card

This thermal detection map shows images from various countries where McAfee has observed the detection of known IOCs since mid-January. We have seen cases of discovery in almost every country affected by the COWID 19 pandemic.


Every day thousands of COVID-19 spam messages are sent. They range from health care fraud to extortion. Here are some examples of what we’ve seen.


In recent weeks we have seen some malicious URLs with links to COVID-19 and a spike in the coronavirus. A few weeks ago, the number rose from 1,600 to over 39,000 in week 13. This underlines the importance of vigilance when clicking on links and visiting websites, as the number of malicious websites is increasing exponentially.

COVID-19-Makes Hay a Pandemic Malware

These are examples of malicious websites we have. Fake advertising is a common practice during these pandemics. At the time of writing this article there were no quick test kits yet. In addition, the tests are initiated by health professionals, so it is important to teach yourself and others not to cheat.

Below is an example of a fake website offering coronavirus testing.

The masks were very popular and were left behind in many places. Moreover, there is a lack of masks, even in the medical world. In times of panic and scarcity, spammers often send links to fake websites that claim to own medical devices. Here’s a screenshot of a fake online mask shop.

The ERT provides categorization and classification of links used for malware, phishing, fraud, etc. McAfee products use GTI to protect URLs. In addition, McAfee Unified Cloud Edge provides secure access and extends the security capabilities of your URLs.

Read an example of a McAfee researcher using 3D printing of masks and shields.


Below is a partial list of the IOCs we observed on the spot during the Covida-19 eruption. The IOC in this section represents a subset of the solutions found by McAfee. We have broader coverage through GTI Cloud, Gateway, ATP and other products in our portfolio.

Come on in. That means
SHA256 2ec4d4c384fe93bbe24f9a6e2451ba7f9c179ff8d18494c35ed2fe129e7fa
SHA256 7e52f7a7645ea5495196d482f7630e5b3cd277576d0faf1447d130224f937b05
SHA256 69724a9bd8033bd16647bc9aea41d5fe9fb7a83c5d6fbb439d21b7b9f53f6
SHA256 f92fecc6e4656652d6d1e63f29de8bfc09ea6537cf2c4d01579dc909ba0113
SHA256 a5ab358d5ab14b81df2d37aedf52716b5020ab45da472dedc8b8330d129d70bf
SHA256 8028f988c145b98dd4663d3b5ec00435327026a8533924f7b8320c32737acf4
SHA256 aab93bf5bb 9a96f93a5340808a7fa2cebf4756bd45d4ff5d1e6c8bdccf75d
SHA256 2e93fe77fafd705e6ca2f61f24a224af2490e0a3640ed53a17ea4bf993ec8
SHA256 f850f746f1a5f52d3de1cbc510b5778899fc8f9db17df7b3 67b0cf71
SHA256 dd78b0ecc659c4a8baf4ea81e676b1175f609f8a7bba7b2d09b69d1843c182cb
SHA256 e352c07b12ef694b97a4a8dbef754fc38e9a528d58c37eabe43f384a8a519
SHA256 e82d49c11057f5c222a440f05daf9a53e860455dc01b141e072de525c2c74fb3
SHA256 8bcdf1fbc8cee1058ccb5510df49b268dbfce541cfc4c83e135b41e7d15 d
SHA256 95489af84596a21b6fcca078ed10746a32e974a84d0daed28cc56e77c38cc5a8
SHA256 002c9e0578a8b76f626e59b755a8a8a8aac18b5d048f1cc76e2c12f68bc3dd18b124
SHA256 da1443a25f433e23a43d35d50d328a4f935d3cce840f1e3cca99b6bd6d49ed6a7
SHA256 08c1aca51ae6917ed138ec70cc7768b935d13fbd743e85191877006626fdc530
SHA256 a9864b548d75333efd8fb000347bc715c7430e24f37f37f5bbde4f2adf39
SHA256 8deb9fb53096d6ea5e2090b62244293829096ee03d06108deb15e496a807e
SHA256 c3477ca9a5eb3188fe2bd412830163f44b0954573d225736c530dd5fd2
SHA256 3e6166a6961bc7c23d316ea9bca87d8287a4044865c3e73064054e805ef5ca1a
SHA256 1 34cda4a55c8adb663fbcdd4b1f1018715dd737d3089a73840b77e5e76
SHA256 bc03c23a46a545addd1831e133b74bd2e62eb920041f18a23ec9719ea052e642
SHA256 8075381d210f7e79ee387927b7d6d690521c01ba6d835d07c4e8f023b3c164ce
SHA256 75d7d989deea561443c1c204ad22537d0c131f57820594ab5f07baba16dbc58b
SHA256 0cc54663439a55191b77e0735b7460a7435dc01542e910d75eae20ce7b513e5
SHA256 c40a712cf1eec59efac42daada5d79c7c3a ed5fbb9315bfb26b58c79b7a2
SHA256 63fcf6b19ac3a6a232075f65b4b58d69cfd4e7f396f573d4da46aaf21 2564
SHA256 ca93f60e6d39a91381b26c1dd4d81b7e352aa3712a965a15f0d5eddb565a4730
SHA256 9f9027b5db5c408ee43ef2a7c7d1aecbdb244ef6b16d9aafb599e8c40368967
SHA256 8639825230d5504fd8126ed5b2d7aeb72944ffe17e762801aab8d4f8f880160
SHA256 0caef2718bc7130314b7f08559beba53ccf00e5ee5aba49523fb83e1d6a2a347
SHA256 375d196227d62a95f82cf9c20657449ebea1b512d4cb19cdfe9eb8f102d9fae
SHA256 800734669a7dbc6e67f93e268d827b5e67d4f30e33734169ddc93a026d2e
SHA256 12f87dd075fc12c2b6b15a1eb5ca209ba056b6a2feaf3518163192a17a7a3b
SHA256 f8e041bed93783bd5966bfba6273fe7183464035ea54fe1d59ff85a679b3e
SHA256 ca93f60e6d39a91381b26c1dd4d81b7e352aa3712a965a15f0d5eddb565a4730
SHA256 da1443a25f433e23a43d35d50d328a4f935d3cce840f1e3cca99b6bd6d49ed6a7
SHA256 3386dc7dc67edd5e84244376b6067e914a1cc1fc7fd790a6a6875 24
SHA256 3fc33b537fb38e1f586ddb3ebbbe152458dcde336c2f26da81d756e290b5ef00
SHA256 7cbcad4d6e9ad8438e5febd3830bff9aef4729b98d23935ad7f9e6d2902732
SHA256 4308348fee6bfe64a9ef23bb9c32cb319bcdf5cf78ddfda4a83dadea4b8e
SHA256 ba4297978b6a6b5fe2b6c32ead47bd1f2e2f549beed5cd727eb9ae3fed6b6a
SHA256 c9d3c250ab6d8535b7a4114a545f bc24e4e277640c59b755f38727885
SHA256 37354a04f6d423809602e198e590469173cc8e930cc7fdd4da2c207297725
SHA256 3a7a8518b41dd6c05289a08974c95a0038be4e5d1b0588edfd0589fcf22b f
SHA256 ea3a0a0a223474592635d1fb7a0731d28a96381ad2562e3e064f70e2d4830c39d
SHA256 140da6b610a45f84c6438207ab11942d79eb3783155181 7baae80cfff4593
SHA256 2c9c1e04d806ad8890dd6bf4477efb4ea6c78b8185a9996876bcaea568a04e70
SHA256 8a724fc60bde73869479751d6c63a7ed1caa03518b8f26b9acb36d5c1b29930
SHA256 d76598020228492758a11e534e45924311aef681cb5859f701cd457b6b871c2d06
SHA256 d8183919d675978d58cd1f134768f88adeea9ce53b167c917e54ffff855c6d9f9f9f9f9f9
SHA256 ac416780fa4aa340ff2787e630351c5813faceb823424817eb1 2254b785d
SHA256 3cd099efe4cb426fdc6276380c224b5478d0841c5c44d2c0a088d039d529d258
SHA256 c135f36d3346699e6d2bf9f5f5f638fd9475c0b12144a15a0652b8f1ebb25c12
SHA256 49cfa1b3cbe2bf97079c0dd f604e3f2e7d9fb6d41128a9889e068a884f6
SHA256 5e20a0ab563950eab76c023101b1dd374becac2a5149a74320b23b59a7f16256
SHA256 7a9f24999978c959e1f11f2992a8ce4a70ba333c8dbdc2638c780bbe62de4808e
SHA256 c6dc408d60c2354a13e835bf826300a6d5258b72b8826e8c46d946cbc1f0b455
SHA256 04584ee8b3ba565541cb0f4d8787ed6e8942b6bdec5b1acdc03488b93aeb3cb
SHA256 b283e4f841e328f0cc12ebdf76aafb819ebadba7df863681994b69697731cf96
SHA256 adde95e8813ca27d88923bd091ca2166553a7b904173ef7a2c04bb3ddf8b14a9
SHA256 bf178911f2c063c9592020652dc22076d02ca87d14a7ed7862074d334470ae32
SHA256 39833de93f55641fdf8cfe980e40a0bf52ce8b022735e8ebc4f08cb19104
SHA256 aa6ceb17ced471e1695c99c0718bc24c710311f0daa256cb0783d82218d772c9
SHA256 f7209d1099c75acccbef2945027 21fd78ad52176f07a8a93a9e6ea7f
SHA256 eab14b1bfa737644f14f7bb7ace007d418230285364e168e35bd718a6517b316
SHA256 b34f4ec4ae8d66b030f547efe3acc2a7ab564f78aac68719ec91dab613bb3
SHA256 006dc4ebf2c47becdc5849116272899014717a d76fefa9b7eb83937c60b
SHA256 e17dca7c2c05139fc81302e76e aa29368b60cb147208cb5cc8df113f6f6
SHA256 2e47f37bef4dea338e366ce30fe54888e5aa2d47a5c0db4a3c3e9e5c25f8ace
SHA256 21182b7834a7e13033be7b370a68b3d3639f4cae12fe80e2a908404cbd4cd324
SHA256 46f81af256c630969f55554ea832037bc64df4374ec0f06ac83a1c4b89869314
SHA256 89a0147dec8d6838f14815b577ae41dbcf54953c66e7f5f5f5f999ab91fea6ec08fa
SHA256 2f3ee4688a3 d249b8426f46e392d9c55b85bfad9fb31fb362eb32d38bd9b3
SHA256 f2a2bea86ce1a4803345b4a46824c25d383a0b40b10bb69e528c72305552a2a2a2a2a2a2a2b
SHA256 698eb726345c71eca7b4a531bfa76ab6e86ef10 43a727fb5866a84ec79289
SHA256 92af9c8c539ff9f99f79cce8453b1c483d117c095e2e0ffe384d96e35f72dc8b
SHA256 7cf8f24d7e8b1e2f63bfa7a18cd420a03fff44126e80aed8cb90fba3c4e986ac
SHA256 1e4b01e3e146ff01a3782b01680a5165432af56331d599ec6ad35b4983b216f
SHA256 cba1c3070f76e1a2705afee16bd987b6a8ffa45900cab8cf3b307f60a7b89ac9
SHA256 e32cca6446f2ddd8430400b16fc171ab3163cf8222669d7d9144e9c85904d5f5
SHA256 8c d6876a6c7fe4496288356f48615ee67f4544872ec98f47edcf516509
SHA256 a080d763c60efd4ef2781ad309 97d1092ac726707366d92d647f26ee2965f
SHA256 9d58ca5383f5dc837ca9d4251d247bed4ead4a6b9 aae30568be80e20543
SHA256 345d8b4c0479d97440926471c2a8bed43162a3d75be12422c1c410f5ec90acd9
SHA256 39c17475bdb01901010453085830e7f8aa1ef41ca18298982491306fcf75166b8e08
SHA256 bdcef0f16c70086414ff95b69fdbbe7eb 814308d3d60143b6c04dfc077257
SHA256 7a97fc7bdd0ad4ef4453c2e52e8f44dee9b4e91ff3b5518e311ef1ebac3b667
SHA256 2437ef90b60cf3d6bd0c3eebf3f41ed1e403bc31b024b52b0f41ec648d80a583
SHA256 a537c75de9a95be0c071fd6437cbaf3696752f02c3cd5afacc47c4c755f75
SHA256 9367f3ea7460ae40ca69d41398327f97136a93656ef5fad1285a 2f81522a4
SHA256 78cf7ea3c1da98941e164f4ac3f75b57e9bce11467bc5a6c6877846f1adcf150
SHA256 e55efa92d87484cf6b251f2302a0c0c0c0c7650acd7ea658bf9997bf761b64fe472a
SHA256 51f b151bde97ebeb813d6eed8a11f02551a6530049f53dc29fc1a20b6699d
SHA256 e382ee1ce1ce9d99d99f4e8e18833bac121c14ee2e5dc29a8b5382ca5b4eda9db7f1aaaa
SHA256 e25 77e47e7809086dd35a2767f9ef557591dd0 ce96ef4071e4f c670
SHA256 50a3bea4b9686bcf5cac144d4fc18aaa178f66c8368205f9065cda2c41f026
SHA256 722a60dfd59a595daaa487f2fb759ef6f9ccaabcdf20605d5ae9450cba4a9b9b2
SHA256 1c3532d143212078e204d 1a782deacd58e8f0e7253472e0509491fd1e5201
SHA256 980de93ad93ecaabc048c9fcc9d62e43eeb32f216c4177963cf1bd94ad53074b
SHA256 a286e3be694b9525530ec6a65b7 a91e04042c347 a9e440f503fe8ce995
SHA256 dbcef5c217a027b8e29b1b750c42a06650820a129543f19364bcb64ac83bc07
SHA256 8 877406e899c6274339 d1f4f087e3233c36d39fbaebb729c294899
SHA256 32753598f94412fe3dc382dcf2edf788f07814c82aeec3648362b5
SHA256 0fdc97da1c297e6f93910008fc5c47cbdcd3e2987bc163467b34f56de112ff
SHA256 501cc107e410b245d5b64ae0afdae758375b4b3724acfda44041bad9632
SHA256 31cb82cd750af6af9ecf369fd26d47dc913f6b56be6ea12b10fe6dd90ef1b5df
SHA256 da87521ecc146a92a746 1eb5b5ca28645 4c8c9af2a4b3c6c8a180d421c5
SHA256 2bcd35bfb7e4dbdbf64fce5011199947794425093be7bc74829bfeadb89f0a3
SHA256 90c3d8d13ea151bce21a1f4b842d0ed4eaff09842b23311b2326cf63957fc2b2
SHA256 257afe9f4d7b282b1c0b2f3ebb7e 6c8e0214f 0ea2b7b636a4e747d
SHA256 587840d28f2585dd5207731d7fda86a0966c82fa592a26f9148b2de45526db555.
SHA256 80ee20c604d5d4b51a30dc21d271651f3c085c40281e3ff3e2ee0175d2ca98d
SHA256 11b4519b76957b075838 e19c5e15d8744f7974716642aeb586c615dde38fa
SHA256 6c34cca35d98e464c2f74abd9be670c7f8f707f37cd3f0fd4746c49f8fcf6b07
SHA256 a3f413a8989bb89599dfc2404f7d34dfbb2e3ce26e900d228e9e8c8908b8
SHA256 c57fa2a5d1a65a687f309f23cfc6721d382b06cf894ee5cd01931bc17a46
SHA256 9f27a826b4b873c9ea23e023f54d5291a50004d67dd5fe64d c8e8b51b74e3
SHA256 2037c7cc809ed3eddd1338d2bec6266cdb449dbf8ff3510fd360a08d229d4f40
SHA256 8f91d27d3a59c08ab4c453b2679f4620696ba67c56280a4c3757368acb20aad3
SHA256 e8221acccdb8381b5da25a1f61f49da86b861b52fafe54629396ed1e3346282
SHA256 dc66811ce189240c510733be9e1a2175079dddb80ebf02faaa044fce1f7134d0
SHA256 5b7db5046ba22a6242d5ff6e8f538ad43bba53810117d5eb8f023215aad26e6b
SHA256 f68794301df789082452c1c4ffa29e857d247886e421df6da5fb3d81ca5e
SHA256 4a272dd4a5c62683d676875054dd4a4ea11620f16c5553fcfd2c44861
SHA256 cc2507ddd53a6f00265f3be51d7217def786914bd1d700ec3c74a2a7107b3476
SHA256 9e4cb963e509fbde6de003a81a3e19cfc703be1c41d20f4b094a0fa89d6ad02c
SHA256 b14d70827d5d668aeb34be512fea9fb38ead8ec12cdf7617616801c76b6e9
SHA256 49c9eba58537f8d856daded80bc9493a83c508d73423b98686d4e8b232d61c3
SHA256 4c9e35f3d5d55dda5f4373cf23fbb289c6067c70841be7022ba6da62e49cccb
SHA256 acec0bb9d9bd199d3e6a77b763cebee8f67275996d3c55af8c617f76f2e87f
SHA256 7cbcad4d6e9ad8438e5febd3830bff9aef4729b98d23935ad7f9e6d2902732
SHA256 c9c0180eba2a712f1aba1303b90cbf12c1117451ce13b68715931abc437b10cd
SHA256 c322d10ef3a532d4625f1c2589eae0f723208db37a7c7e81e4f07e36c3a537e
SHA256 3c756d76 9a0ea1216e2b7e57250ac76a80d5fe4f072e3b4b372e609ece74e
SHA256 2a42f500d019a64970e1c63d48eefa27727f80fe0a5b13625e0e72a6ec98b968
SHA256 679a8519519587909f655bacea438168cb4c034aede9913d9a3a637c55a0eae7
SHA256 e9766b6129d9e1d59b92c4313d704e8cdcb38905021efcac334cdd451e617
SHA256 80392be21245128e3353eec7f499bdc5550e67501eceebf21985644d146768
SHA256 215c72df44fe8e564d24f4d9930c27409e7f76e2045c67940cdcdbd3b04f
SHA256 9e12094c15f59d68ad17e5ed42ebbb85e5b41f4258823b7b5c7472bdff21e6cee
SHA256 8a36229b878bae15985c1ae0ff96e42f36359323f205e18431d780a3b
SHA256 e9621840e1bfaf16ea37e2dd1f0032158a09e638eaebff6d8626d47c95a
SHA256 c51658ed15a09e9d8759c9fbf24665d6f0101a19a2a147e06d58571d05266d0a
SHA256 5187c9a84f5e69ba4b08538c3f5e7432e7b45ac84dec456ea07325ff5e94319a
SHA256 ddb24e0a38ba9194fe299e351e54facb2cca9e6011db2f5242210284df900
SHA256 69724a9bd8033bd16647bc9aea41d5fe9fb7a83c5d6fbb439d21b7b9f53f6
SHA256 d7f15f750cceeb9e28e412f278949f183f98aeb65fe99731b234 f1c008465
SHA256 238fa49ed966cb746bffee3e7ca95b4a9db3bb 97b8fd8ae56 080749a82
SHA256 69724a9bd8033bd16647bc9aea41d5fe9fb7a83c5d6fbb439d21b7b9f53f6
SHA256 f92fecc6e4656652d6d1e63f29de8bfc09ea6537cf2c4d01579dc909ba0113
SHA256 5b12f8d817b5f98eb51ef675d5f31d3d1e34bf06befba424f08a5b28ce98d45a
SHA256 3b701eac4e3a73aec10912 7102c17edf88a20d1883d5eef6db60d52b8d92d
SHA256 49c9eba58537f8d856daded80bc9493a83c508d73423b98686d4e8b232d61c3
SHA256 acec0bb9d9bd199d3e6a77b763cebee8f67275996d3c55af8c617f76f2e87f
SHA256 4c9e35f3d5d55dda5f4373cf23fbb289c6067c70841be7022ba6da62e49cccb
URL ADDRESS https[:]// drive[…live[…com/download? cid=265DAF943BE0D06F&resid=265DAF943BE0D06F%21171&authkey=AMI1YV6jNxclaec
URL ADDRESS http[:]//Pope origin[…]pw
URL ADDRESS http[:]//dewakartu[.]info/wp inclusive/BRVMFYvIR/
URL ADDRESS http[:]//drhuzaifa[.]com/wp-including/2i48k7-evv28gw-205510/
URL ADDRESS http[:]//dewarejeki[.] info/wp inclusive/up58jauc-pum2w-630352/
URL ADDRESS http[:]//rasmus-plius[.]tomasjs[.]com/wp-admin/KfesPCcG/
URL ADDRESS http[:]// easy to forget[.]com/xfxvqq/UxbKAbm/
URL ADDRESS https[:] //cloudy security[:] ggpht[:] ml
URL ADDRESS http[:]//secure[.]zenithglobalplc[.]com/assets/plugins/bootstrap-wizard/system_x64[.]exe
URL ADDRESS http[:]//motivation[…]adjacent[…]site/01/index[…]php
URL ADDRESS https[:]// drive[…]live[…]com/download? cid=265DAF943BE0D06F&resid=


URL ADDRESS http[:]//tailuong[.]com[.]vn/[.]xxx/playbook/onelove/english[.]php
URL ADDRESS https[:]//wwwwwwww[… onetimeroma[…]com/lost/rockstar[…] php
URL ADDRESS https[:]//www[.] chapeauartgallery[.]com/support/local[.] php
URL ADDRESS http[:]//www[.] discussionhoops[.]com/DISQUS[.] php
URL ADDRESS https[:] //chomyflozy[:] duckdns[:] org
URL ADDRESS http[:]//www[…]slacktracks[…]info/e12/?LJfxZ=hO3hBkxu1F/QQQQQQoVtLv3IhDwCcknmtRcJonnhtJ3R0BM0GC3rHSS1kgq0DEskVYHjDJX+/Q=&Vp8h=cz7tTz9p-90h4gt
URL ADDRESS http[:]//www[…]webfeatusa[…]net/e12/?LJfxZ=1CbYOqydIT7 XPNsNZ3X3NgDEVQnw/rRrz+k+vF8uL+qJ4J3WKysbsjxdZCzgGrC1+w==&Vp8h=cz7tTz9p90h4gt&sql=1.
URL ADDRESS http[:]//www[…]makeupprimerspray[…]com/e12/?LJfxZ=NSQopDdawCOOQSyQXUSgSx+w/7t91r6e8z0AUnmVGKAxI+P615MDhQgbvUIoIJuh35rtRQ==&Vp8h=cz7tTz9p90h4gt&sql=1
URL ADDRESS http[:]//mercado sunday[.]com[.]br/sK2vbV3
URL ADDRESS https[:]//corona virus card[.]net/map[.] jar
URL ADDRESS http[:] //coronavirus map[.] com
URL ADDRESS http[:]//arinnnnnnn[…]ddns[…] net
URL ADDRESS http[:]//tailuong[.]com[.]vn/[.]xxx/playbook/onelove/english[.]php
URL ADDRESS http[:]//bralibuda[.]com/4/forum.php
URL ADDRESS http[:]//greferezud[.]com/4/forum[.]php
URL ADDRESS http[:]//deraelous[.]com/4/forum[.]php
URL ADDRESS http[:]//bslines[.]xyz/copy/fi/fre[.]php
URL ADDRESS http[:]//dewakartu[.]info/wp inclusive/BRVMFYvIR/
URL ADDRESS http[:]//dewarejeki[.] info/wp inclusive/up58jauc-pum2w-630352/
URL ADDRESS https[:]//healing-yui223[.]com/cgi-sys/page suspendue[.]cgi
URL ADDRESS http[:]//109[:]236[:]109[:]159/vnx8v
URL ADDRESS http[:]//www[…]drhuzaifa[…]com/wp-including/2i48k7-evvv28gw-205510/
URL ADDRESS http[:]//85[…]96[…]49[…]152/6oU9ipBIjTSU1
URL ADDRESS https[:]// Town and country planning[.]com[.]au/cdcgov/files/
URL ADDRESS http[:]//198[:]23[:]200[:]241/~ power13/.xoiaspxo/en.php
URL ADDRESS http[:] //helpvan[:] su/
URL ADDRESS http[:]//erasmus-plius[.]tomasjs[.]com/wp-admin/KfesPCcG/
URL ADDRESS https[:]//share[.]dmca[.]gripe/jUuuuuWPW6ONwL1Wkux[.] bin
URL ADDRESS https[:]//gocycle[.]com[.]au/cdcgov/files/
URL ADDRESS https[:]//onthefx[.]com/cd[.]php
URL ADDRESS http[:]//186[:]10[:]98[:]177/faHtH2y
URL ADDRESS http[:]//dewakartu[.]info/wp inclusive/BRVMFYvIR/
URL ADDRESS http[:]//drhuzaifa[.]com/wp-including/2i48k7-evv28gw-205510/
URL ADDRESS http[:]//dewarejeki[.] info/wp inclusive/up58jauc-pum2w-630352/
URL ADDRESS http[:]//erasmus-plius[.]tomasjs[.]com/wp-admin/KfesPCcG/
URL ADDRESS http[:]// easy to forget[.]com/xfxvq/UXbKAbm/
URL ADDRESS http[:]//dw[.] adyboh[.] com
URL ADDRESS http[:] //wy[:] adyboh[:] adyboh[:] com
URL ADDRESS http[:]//feb[.] kkooppt[.] com
URL ADDRESS http[:]//update[.]my03[.] com
URL ADDRESS http[:]//chocolate[.] esvnpe[.] com
URL ADDRESS http[:]//bmy[.] hqoohoa[.] com
URL ADDRESS http[:] //bur[:] vueleslie[:] vueleslie[:] com
URL ADDRESS http[:] //wind[:] wind drops[:] com
URL ADDRESS http[:] //vahlallha[:] duckdns[:] org
URL ADDRESS http [:] //cloudy safety […] ggpht […] ml
URL ADDRESS http[:]//kbfvzoboss[.] Bid


This section contains some recommendations that we recommend you to follow. Also read the following blog, which also contains some tips for organizations where employees work remotely, and information on how McAfee Unified Cloud Edge can help you.

Software updates

As with all our publications, we encourage all our customers to keep McAfee software up-to-date. This ensures that you have the latest signatures and rules to protect you from the threats listed in this report.

We also recommend that you install the latest operating system patch, VPN patch and all other software updates on your computer. We also strongly recommend the use of SASE solutions such as McAfee Unified Cloud Edge.

Spam/phishing email

The best way to protect yourself is not to open unsolicited email, as malicious files are often spread via emails with attachments or links. To identify malicious emails, please read this blog: How do you detect phishing bait

Global Threat Assessment (GTA)

McAfee GTI uses heuristics and reputation checking of suspicious files with real-time and on-demand scanning that can provide near real-time protection. The following article in the KB contains the steps to follow to change the sensitivity level of ERTs on McAfee products.

You can adjust the sensitivity level that McAfee GTI uses when it detects whether the detected sample is malignant. The sensitivity level of the McAfee IWM is set to the average by default. Adjust the sensitivity level of each scanner in the On-Access and On-Demand scan settings.

Sensitivity level :

  • Very low – High detection accuracy. Less aggressive GTI body, also the least exposed to FP.
  • Low – This parameter is the minimum recommendation for high safety systems.
  • Medium – default setting for most products.
  • High – Use this setting for use in regularly infected systems or areas.
  • The very high is the most aggressive. With this level of detection it is considered malignant, but it has not yet been fully tested. McAfee recommends using this level for systems that require the highest level of protection, but can also lead to a higher percentage of false positives.

End point protector (ENS)

ENS is our security product for access points and offers a wide range of standard security, self-help and detection functions.

Rules for experts

Expert rules are text-based user rules that can be included in ENS threat prevention policy 10.5.3 and above.

Expert rules provide additional parameters and much more flexibility than custom rules that can be created in an access protection policy. It also allows the system manager to manage/control the final system at a very detailed level. This is a very useful toolkit for administrators and the SOC that allows you to quickly create and implement powerful extensions to detect and protect capabilities. You can authoritize and block processes, files, memory injection, module loading and unloading, etc. in an authoritative manner.

We recommend that you read the following blog, which explains how to apply the rules of the consultants and contains some good examples that help to block potentially harmful activities.

Here are some examples of quick expert rules you can formulate for your terminal against Covid-19 threats

Example line – 1

The following rule allows you to block archived executable files with coron names accessible from archived email attachments

Rule {

Process {

Activate OBJECT_NAME { -v **. }


Target {

Matching process



Activate – Create access




Example line – 2

The following line allows you to block a document called COVID that contains macros that can be accessed via email attachments or downloaded locations

Rule {

Process {

Activate OBJECT_NAME { -v **winword.exe }

Activate PROCESS_CMD_LINE { -v **corona**. }

Activate PROCESS_CMD_LINE { -v **covid**. }


Target {


Activate OBJECT_NAME { -v **\vbe7.dll. }

Activate OBJECT_NAME { -v **\vbe7intl.dll }.




Example line – 3

The following expert rule prevents certain versions of the Foobar communication software from working.

Rule {

Process {

Activate OBJECT_NAME { -v **. }


Target {

Matching process

Activate the description { -v FooBar Communications }.

Turn on the VERSION { -in 4.5,** }.

Activate – Create access




The Expert Advisor rules are flexible, so that the NCS analyst/author can only test the rules in the reporting mode and then check for possible errors in the environment. Finally, they can be activated in lock mode.

ITC rules

The ITC rules are published every two weeks and are aimed at suspicious process chains and command line threats. They also detect suspicious files based on their location or performance. We recommend that you enable multiple evaluations or HighOn rules of the JTI Advanced Threat Protection rule. You can enable these default rules in the EPA console.

  • Protection against suspicious command line parameters when a malicious program calls PowerShell with command line parameters for malicious actions You can identify this line in the EPA console with the line identifier 262.
    • Rule:262 – Determine whether suspicious command parameters have been executed to assign a group of security rules
  • Protection against malware running suspicious command line scripting applications such as WScript, CScript and PowerShell. You can identify this line in the EPA console with the Rule 320 identifier.
    • Rule:320 – Never allow cmd.exe to execute other script interpreters such as CScript or PowerShell by default, only when assigning security rule groups.
  • Protects against files running from non-standard locations, such as fonts or Windows sources. This rule also protects spawning wmiprvse.exe from suspicious processes such as foobar.exe, etc. This line can be identified in the EPA console with the line designation 238.
    • Article 238 – Detection of abuse of the normal procedure for non-standardised sites.

The rules for fortnightly ICTs are usually published in Evaluate or HighOn parameters. We recommend that EPA administrators review the product release notes and include rules that are appropriate for their environment.

Activate AMSI

By default, AMSI is set to Monitor mode. We recommend switching to the blocking mode because it detects the vast majority of threats, which are often based on emails from these JavaScript downloaders.

Read this blog to learn more about AMSI and the threats it can detect.

Detection of suspicious e-mail attachments

As you can see in this report, email remains the most important vector for attackers.  McAfee’s end products use a combination of features and content to improve agility.  In McAfee Endpoint Security (ENS) 10.5 and later, this protection is enabled by the Detect Suspicious Attachments option and is supported by DAT content.  This feature goes beyond the level of protection offered by email clients, blocking not only applications and scripts, but also different types of threats in their original form, as well as threats that are compressed and included in archives and other formats.

To find out how to activate this feature, please read this blog: McAfee protects against suspicious attachments.

ATP (Adaptive Threat Protection)

McAfee Adaptive Threat Protection (ATP) uses machine learning with our Real Protection module. This enables pre- and post-execution threat monitoring using locally deployed ML models in the cloud. In addition, ATP provides an additional layer of protection with advanced threat analysis rules based on static and behavioural characteristics.

We recommend that you at least enable Real Protect in the default settings. The ATF rules come in three forms: Spleen, Defaulton and Hyon.

  • McAfee tests the assessment rules in the field to determine whether they are reliable enough to detect malicious activity. You do not lock by default, but record the activity in the ATP log. These rules can be released for blocking by the administrators via the EPO. McAfee researchers regularly monitor compliance with these rules and make changes to promote them as DefaultOn (default) or HighOn (assigned security rule). Before manually activating the blocking mode, it is recommended to check the triggers using ATP protocols to make sure they are suitable for your environment.
  • The DefaultOn rules are high security rules that block the ATP and MVISION terminals of the ENS standard. They may be deactivated at the request of the EPO administrators.
  • HighOn rules define behaviour which is known to be malicious, but which may to some extent overlap with malicious applications. These rules work as the evaluation in the equilibrium position, but work as the error in the safe position. It is recommended that administrators use this default setting for monitoring and blocking in case of high levels of malicious activity.

For more information about the description of the rules, the location and the security settings, see the KB article:

Edge of a single cloud

Get an architectural solution to protect against Secure Access Service Edge (SASE) web threats, such as McAfee’s Unified Cloud Edge. This makes it possible to secure web traffic, traffic sent via cloud links, anytime and anywhere (e.g. in WFH scripts), whether you are in a VPN or directly connected to the Internet. For example, even if you open a link from a malicious email address or visit an enemy site in a non-VPN environment, you will still use our ERM and cloud threats to protect you from malicious websites and downloads. Unified Cloud Edge can expand your URL protection capabilities as follows:

  1. Malicious URLs – blocked via GTI and URLs
  2. Block all downloads from a benign URL (example: – it is possible to block all downloads using the tenant’s restrictions. For example: the onedrive company is allowed, personal companies ( or others are blocked.
  3. Malicious booting – blocked by cloud filegateway systems, including AV, GAM and GTI.
  4. Malicious third party download (placing a payload in an Onedrive public offering) – blocks the same AV/GAM/GTI analysis steps by API parsing of authorized business services.

MVISION Unified Cloud Edge protects your data from devices in the cloud and prevents cloud threats that are invisible on your corporate network. This creates a secure environment for the delivery of cloud services, enables access to the cloud from any device and maximizes employee productivity.


As you can see in this report, several threats are making use of this pandemic. We will continue to enable our customers to use our references to stay safe in these difficult times. Be especially vigilant on the internet and stay safe and healthy!

Because we constantly provide advice based on current data, we recommend that you read McAfee’s blogs regularly to stay informed about threats and protection information.

x3Cimg height=1 width=1 style=display:no src= />x3C/noscript>’) ;what is malware,what is ransomware,due to covid 19 pandemic

More Stories
APT Group focuses on high-profile networks in Central Asia Security