Threat Intel | Cyber Attacks Leveraging the COVID-19/CoronaVirus …

At Sentinel Labs, we have been closely tracking adversarial behavior as it pertains to COVID-19/Coronavirus. To date, we have observed a significant number of malware campaigns, spam campaigns, and outright scams that are preying on the fears and uncertainties of the global population.

Updates are tagged in-line with respective dates within each section of this post.

April 2020

[April 14, 2020] In mid-April, we observed a short-lived COVID-themed ransomware attack. Spam email messages containing COVID-themed malicious Word documents were used to drop a ransomware payload based on HiddenTear (open source ransomware).

Once opened, the document drops the ransomware into ~\AppData\Local\ and executes it. When executed, the ransomware attempts to contact the C2 server for additional components (desktop image) and communicates data on the victim host. Encrypted files are renamed with a “.locked20” extension.

[April 14, 2020] HiddenTear is a long-standing open source ransomware framework.  SentinelOne Endpoint Protection detects and prevents all malicious activities associated with this threat.
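
A host-side check built from the two observables described above (an executable under AppData\Local and files renamed to “.locked20”), as an added example that is not part of the original post or of any SentinelOne product logic. The event schema, field names, sample events and rename threshold are constructed assumptions.

```python
import ntpath
from collections import defaultdict

LOCKED_EXT = ".locked20"           # extension named in the post
DROP_DIR = "\\appdata\\local\\"    # drop location named in the post
RENAME_THRESHOLD = 3               # assumed tuning value, not from the post

# Constructed events in a hypothetical, simplified endpoint-telemetry schema.
EVENTS = [
    {"host": "ws-01", "type": "process_start", "pid": 4120,
     "image": r"C:\Users\amy\AppData\Local\sample.exe",
     "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"host": "ws-01", "type": "file_rename", "pid": 4120,
     "old": r"C:\Users\amy\Documents\q1.xlsx",
     "new": r"C:\Users\amy\Documents\q1.xlsx.locked20"},
    {"host": "ws-01", "type": "file_rename", "pid": 4120,
     "old": r"C:\Users\amy\Documents\notes.txt",
     "new": r"C:\Users\amy\Documents\notes.txt.locked20"},
    {"host": "ws-01", "type": "file_rename", "pid": 4120,
     "old": r"C:\Users\amy\Pictures\scan.png",
     "new": r"C:\Users\amy\Pictures\scan.png.LOCKED20"},
    # A single manual rename on another host: below the threshold.
    {"host": "ws-02", "type": "process_start", "pid": 880,
     "image": r"C:\Windows\explorer.exe", "parent": ""},
    {"host": "ws-02", "type": "file_rename", "pid": 880,
     "old": r"C:\Users\bob\Desktop\test.txt",
     "new": r"C:\Users\bob\Desktop\test.locked20"},
    # A program running from AppData\Local that renames nothing: not flagged.
    {"host": "ws-03", "type": "process_start", "pid": 512,
     "image": r"C:\Users\cy\AppData\Local\Updater\update.exe", "parent": ""},
]


def detect(events, threshold=RENAME_THRESHOLD):
    """Flag processes that rename at least `threshold` files to .locked20."""
    procs, renamed = {}, defaultdict(set)
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process_start":
            procs[key] = ev
        elif ev["type"] == "file_rename":
            old, new = ev["old"].lower(), ev["new"].lower()
            # Count only files that gain the extension, once per target path.
            if new.endswith(LOCKED_EXT) and not old.endswith(LOCKED_EXT):
                renamed[key].add(new)
    findings = []
    for (host, pid), files in sorted(renamed.items()):
        if len(files) < threshold:
            continue
        proc = procs.get((host, pid), {})
        image = proc.get("image", "")
        parent = ntpath.basename(proc.get("parent", "")).lower()
        from_drop_dir = DROP_DIR in image.lower()
        findings.append({
            "host": host, "pid": pid, "image": image,
            "renamed": len(files),
            "from_drop_dir": from_drop_dir,
            # Assumption: the dropper runs as a child of Word; kept as context.
            "office_parent": parent == "winword.exe",
            "confidence": "high" if from_drop_dir else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```
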

[April 14, 2020] In early April, several Android-focused campaigns were observed spreading the Anubis and Cerberus banking trojans to victims seeking additional information on Coronavirus in their area. Many were specifically targeted towards users in Italy and China. The malicious apps claim to track and inform users of COVID-specific updates for their region (a very common lure). Oftentimes, the data in the app will be legitimate (redirection), but the app will request permissions beyond what is needed or required, allowing it to exfiltrate personal data to the remote location of their choice.

[April 14, 2020] In late March, a widespread phishing campaign was observed using COVID-themed email messages masquerading as notifications from the “Department of Health”. The email messages contained a malicious link which leads victims to a page designed to harvest Outlook/Office credentials. Email sender and subject examples are below:

  • Sender: “Department of Health” <department[.]health-pandemic[@]zacks[.]com> 
  • Subject: “HIGH ALERT: COVID-19 cases surpassed 300,000 globally”.

[April 14, 2020] Fake charity and donation scams have become more and more frequent since the onset of the pandemic. Criminals are constantly pivoting through COVID-themed lures while preying on the fear and uncertainty looming over the population. An example of one such scam (“Lina Charity Foundation”) can be seen below. These messages are distributed en masse. In the example below, we have removed the supplied banking details. The groups behind these do often include these details (Bank name, Address, Swift codes, IBAN numbers) in order to enable their victims to complete the fraudulent donations / transfers.

[April 14, 2020] Throughout late March/early April, multiple COVID-themed Ursnif campaigns were observed. Traditionally, Ursnif is utilized for information theft and data exfiltration. This includes credential harvesting, banking information and similar. Malicious messages arrive with malicious Word documents. When opened (and macros run), the documents will execute scripts to pull additional components from a remote server. Through multiple stages of obfuscated JavaScript, VBS scripts and/or PowerShell, the final Ursnif payload is written to the victim host.

[April 6, 2020] In early-to-mid-March 2020, Redline Stealer was distributed via a spam campaign using Coronavirus-themed lures.  Victims were enticed into downloading and installing a trojanized version of the “Folding@home” client software.

[April 6, 2020] When choosing to download the malicious software, users are presented with the trojanized “foldingathomeapp.exe” executable.  Redline Stealer is a well-known commodity malware which can pilfer browser information, credential sets, as well as user and system information.

Throughout March 2020, the Qbot banking trojan was distributed via aggressive spam campaigns.  Victims are enticed via messages which claim to link to refreshed PPE supplies (ex: masks & gloves).  When following the malicious links, users are led to the Qbot trojan in either EXE or ZIP archive form.

[April 6, 2020] Attackers have been leveraging the United States Stimulus Relief package to entice users into following malicious links which ultimately lead to leakage of personal data in multiple forms. We have observed email and SMS-based campaigns which offer updated information around the stimulus bill, or promise short-term loans with the victim’s expected stimulus to be used as collateral.

These attacks are ongoing and we encourage users to be extra cautious when interacting with COVID-related emails and SMS/TXT messages.

[Update April 1, 2020] On April 1st, a new, multifaceted, malware emerged which leverages the Coronavirus in an attempt to target the emotions of their victims.  When executed, the dropper will deposit numerous scripts and dependent files. The threat then proceeds to make a number of configuration changes which negatively affect the security posture of the infected host.  The infection routine requires a reboot due to the changes to UAC. After reboot, additional payloads are executed, resulting in the display of an image of the Coronavirus adorned with additional messages following the theme.

In some scenarios, an additional payload will execute which is responsible for overwriting the machine’s MBR (Master Boot Record). The user is then presented with a simple message on a dull grey background, with their access to local data restricted.

Note: SentinelOne Endpoint detects and prevents all artifacts and behaviors associated with Wiper.coronavirus

March 2020

Malware authors are continuing to utilize COVID/Coronavirus as a lure.  We have seen ongoing activity from the malware families outlined in this original post, including AdWind, LokiBot, NetSupport RAT, Tesla Keylogger, and Kpot.  We have also observed additional malware families joining in on the exploitation of fear around COVID-19.

[March 31, 2020] Coronavirus-themed email messages are used to spread the Hawkeye trojan. Hawkeye is a long-standing credential-stealing trojan. In recent campaigns, users are targeted via spam messages claiming a “cure” in China and Italy (ex: CORONA VIRUS CURE FOR CHINA, ITALY).

[March 31, 2020] Actors behind the Metamorfo (Casbaneiro) trojan launched a COVID-19-themed spam campaign to spread their malware.  Similar to other uses of this lure, victims are enticed to follow a malicious link to receive “more or updated information” on COVID-19 in their region.  The malicious links lead to a malicious MSI installer which downloads additional malware and establishes persistent C2 communications.

[March 31, 2020] A Coronavirus-themed email campaign was used to spread the Nanocore trojan. Victims are enticed with misinformation tied to an update on COVID-19 vaccines. Malicious downloads are named following this theme (ex: “Covid-19 Vaccine.gz”).

[March 31, 2020] Late in March, we observed that the Sphinx banking trojan, which is largely based on leaked source code for Zeus, began to aggressively spread via email with COVID-themed messages. In some observed cases, victims were enticed to complete a form related to receiving government assistance during the outbreak. The malicious document then proceeds to drop and execute a VBS script. This script establishes C2 communication channels and downloads additional executable payloads. Beyond the COVID-themed lures, the functionality is largely unchanged with regards to data interception via web injects.

In mid-March 2020, a new family of Android ransomware, CovidLock, began targeting users via malicious app (APK) downloads. The malicious apps were hosted on sites masquerading as hosts for valid real-time information tracking apps. Upon infection, the ransomware tricks users into providing full device control via misleading permissions request dialogs. The malware sets itself to load upon device startup and leads to a lock-screen style ransom request. This specific family utilizes Pastebin to aid in the construction of the displayed ransom notes.

In early March 2020, the APT group Mustang Panda (China) utilized multiple spam campaigns to deliver implants. Spam messages made use of multiple COVID-19-themed lures. Malicious documents were used to execute additional scripts, and leverage subsequent LOTL tactics to retrieve and launch payloads.

In mid-March 2020, we observed multiple websites hosting fake versions of WiseCleaner utilities. These sites were used to distribute the Kpot Infostealer trojan, along with a new ransomware family dubbed “CoronaVirus”. From the fake WiseCleaner-themed sites, a malicious version of “WSHSetup.exe” was used to download both the CoronaVirus ransomware and Kpot Infostealer. Once infected, a customized ransom message is displayed at boot, prior to the loading of Windows. Victims are instructed to email attackers, as opposed to interacting with them via a payment portal site.

The Kpot Infostealer trojan is coupled with the ransomware in order to harvest cryptocurrency wallets, browser data and credential sets. The requested ransom is typically ~$50.00 USD.

In mid-March, NetWalker ransomware campaigns were observed attacking multiple targets classified under Health and Human Services offices (ex: the Illinois Champaign-Urbana Public Health District).  The malware was delivered via email with malicious VBS attachments.  Upon launch, the malware proceeds to encrypt targeted file types as well as disabling known anti-virus products (if found).

February 2020

In early February 2020, multiple COVID-19/Coronavirus-themed phishing campaigns were tracked, targeting primarily the shipping and logistics industry. The phishing campaigns were used to spread the AZORult trojan to high-value targets in the shipping sector. Some message samples contained malicious Microsoft Office documents designed to exploit CVE-2017-11882. CVE-2017-11882 is a memory corruption vulnerability in Equation Editor. Successful exploitation allows for the execution of arbitrary code across affected versions of Microsoft Office.

In early February 2020, a massive COVID-19/Coronavirus-themed phishing campaign targeted large swaths of Office 365 users. The motive behind these campaigns was basic credential harvesting. Victims were urged to open malicious attachments which were disguised as updates on COVID-19 patterns in their local areas. Most observed samples masqueraded as updates from the “Centers for Disease Control and Prevention”. Attackers took advantage of ‘look-alike’ domains for added authenticity (ex: cdc-gov[.]org).

In early February 2020, we tracked COVID-19/Coronavirus-themed spam campaigns spreading LokiBot, specifically targeting Chinese entities. Spam messages were seen masquerading as updates from the ‘Ministry of Health in the People’s Republic of China’. Messages were written in English but appear to have been written by a non-native English speaker. The LokiBot malware was distributed in these messages in the form of RAR archives (with .arj extensions).

In mid-February 2020, multiple malicious websites were constructed to deliver the Grandoreiro banking trojan. Multiple weaponized sites were utilized, primarily targeting users in Mexico, Spain, and Brazil. The sites utilized a ‘video player’ download-style lure to entice victims into executing the Grandoreiro payloads.

In mid-February, the “Corona Virus Map Phishing Kit” was advertised for sale in various underground forums. The kit ranged in price from $200 USD to $700 USD. Buyers are able to customize the kit to embed their own payloads or force a redirection (upon execution of the trojanized map EXE) to remote payloads. The malicious map executable masquerades as legitimate map data from Johns Hopkins University.  Indeed a picture (in this case an interactive map) is worth a thousand words, with attackers offering up the ability to load payloads to victims that visit this nefarious coronavirus spread map:

In late February 2020, we observed COVID-19/Coronavirus-themed spam campaigns targeting users in the Ukraine. Spam messages are disguised as updates from the ‘Center for Public Health of the Ministry of Health of Ukraine’. The messages claim to contain updated information for the public pertaining to COVID-19/Coronavirus. Initial waves of the campaign were used to distribute various dropper and downloader trojans.

In late February 2020, COVID-19/Coronavirus-themed spam emails were used to distribute the Tesla Keylogger. Spam messages were constructed via a customized phishing kit. Observed samples are disguised as updates from ‘The Centers for Disease Control’. Victims are enticed into following malicious links in order to access informational “updates for their area”.

In late February 2020, we observed a spam campaign targeting South Korean entities. The spam campaigns were used to distribute BabyShark implants, often associated with the cyber operations of North Korea. Malicious attachments were disguised as official updates on South Korea’s response to COVID-19.

In late February 2020, multiple spam campaigns were observed distributing the FormBook malware. Messages were disguised as updates from FedEx on their current plans for dealing with issues and delays around COVID-19.

In late February 2020, Trickbot campaigns were tracked, primarily targeting Italian entities. Spam messages were constructed with a customized phishing kit, and redirected victims to Trickbot payloads.

January 2020

In late January 2020, we observed Coronavirus-themed Emotet spam campaigns, primarily targeting Japanese entities. Message templates for the spam runs were updated frequently (as is normal with Emotet). That being said, most messages masquerade as “urgent notifications” which urge the victims to open malicious email attachments. The malicious attachments are disguised as updated information briefings on COVID-19 patients in their particular region.

Update (Friday, March 27th)

COVID-themed campaigns have started to slow this week. While criminals were quick to capitalize on the news-heavy topic of ‘Covid-19’ for their campaigns, we suspect this slowdown will continue, due in part to the current situation in which many countries, cities, and provinces have started to issue “stay at home” or “shelter in place” orders. These orders could impact local governments and businesses in a way that will slow down a criminal’s ability to move money. We are still following to see what the effect will be on the underground economy as the global economy becomes more turbulent.

This is a concerning time for our industry and the public at large. We are in the midst of a global health crisis. In such times, we all need to be working together and ensuring that everyone has the most accurate and reliable data. We all want assurance that we can trust the resources available to us. Anything counter to that is destructive and potentially harmful to society. However, we all know that cybercriminals and sophisticated adversaries seize opportunities like this to further their own cause. This not only leads to the usual barrage of complications inherent to any cyber attack or event, but in this case it can translate to real harm to those we love and protect.

Domain Registration and Squatting

From the onset of the SARS-CoV-2 virus’s spread, opportunistic cyber-criminals have taken to proactively registering relevant domain names for malicious use. According to data from Recorded Future, “Beginning on January 12, the number of domain registrations started to increase, with an additional large spike on February 12”.

While domain registration alone is not proof of ill-intent, it is a reminder that we need to be extra cautious when interacting with “COVID” and “Coronavirus” related domains.

To provide some context, consider the following data:

Registered domains including “coronavirus” in the last 7 days = 5762

Registered domains including “covid” in the last 7 days = 6155

Registered domains including “covid-19” in the last 7 days = 934

Registered domains including “covid19” in the last 7 days = 3098

Src: DN Pedia

In the more scam-centric realm, registered domains including “coronacure” in the last 7 days = 934.

Src: DN Pedia

Some of these domains claim to offer medical supplies at exorbitant prices; would-be buyers pay up-front and take their chances as to whether they will ever see a delivery.

It is important to note that these numbers do not account for typo-squatting, subtly-varied names (homographic attacks), or numerical-replacement variants (aka ‘hackerese’).
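
A triage sketch for the variants that plain keyword counts miss, as an added example (not code from the original post or from Sentinel Labs): it folds separators, digit substitutions, look-alike characters and single-character typos back to the keywords counted above. The substitution tables, the one-edit typo rule and the sample domains are constructed assumptions.

```python
import re
import unicodedata

# Search terms the post counts registrations for ("covid" also covers
# "covid19" and, once separators are removed, "covid-19").
KEYWORDS = ("coronavirus", "coronacure", "covid")

# Constructed subsets for illustration; real confusable tables are far larger.
LEET = str.maketrans("013457", "oieast")
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i",
    "\u043e": "o", "\u0440": "p", "\u0501": "d", "\u03bf": "o",
})


def decode_label(label):
    """Return the Unicode form of one DNS label, decoding punycode if present."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def fold(text):
    """Map look-alike characters to ASCII and strip combining accents."""
    text = unicodedata.normalize("NFKD", text.translate(CONFUSABLES))
    return "".join(ch for ch in text if not unicodedata.combining(ch))


def within_one_edit(a, b):
    """True if a and b differ by one insert, delete, substitute or swap."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:] or (
            a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:])
    if len(a) > len(b):
        a, b = b, a
    return a[i:] == b[i + 1:]


def classify(domain):
    """Return (keyword, technique) for a keyword-bearing domain, else None."""
    name = domain.lower().replace("[.]", ".").rstrip(".")
    labels = name.split(".")[:-1] or [name]  # ignore the TLD
    for raw in labels:
        folded = fold(decode_label(raw))
        squeezed = re.sub(r"[-_]", "", folded)
        # Each stage undoes one more disguise; report the first that matches.
        stages = (("exact", raw), ("homograph", folded),
                  ("separator", squeezed),
                  ("numeric-replacement", squeezed.translate(LEET)))
        for technique, text in stages:
            for kw in KEYWORDS:
                if kw in text:
                    return kw, technique
        for token in re.split(r"[^a-z]+", folded):
            for kw in KEYWORDS:
                # Short keywords are skipped: one edit from "covid" is too noisy.
                if len(kw) >= 8 and within_one_edit(token, kw):
                    return kw, "typo"
    return None


# Constructed sample domains (reserved .example TLD), not observed indicators.
PUNY = "xn--" + "\u0441ovid-relief".encode("punycode").decode("ascii")
SAMPLES = [
    "coronavirus-map.example", "co-vid-relief.example",
    "c0r0navirus-news.example", "\u0441ovid-relief.example",
    PUNY + ".example", "cornavirus-update.example", "weather-report.example",
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d:40} {classify(d)}")
```
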

Emergence of Blatant Scams

Multiple dark web (.onion) sites claim to sell COVID-19/Coronavirus supplies (masks, sanitization and cleaning supplies) directly for BTC (bitcoin). These are outright scams, which just collect BTC and deliver nothing to their victims. To add insult to injury, we have also seen sites purporting to sell non-existent vaccines, charging $5000.

Scammy COVID-19 supply sellers

Infrastructure & Misinformation Attacks

On Monday, March 16 an attempted DDoS attack was carried out against the US Health and Human Services Department. While the HHS infrastructure remained “fully operational” there was a perceived strain on the targeted systems given the increased activity. The attack comes at a critical time given the current influx of requests to their site (and services) seeking information and updates around protection against COVID-19. In this situation, the HHS was prepared. According to an HHS spokesman, “while preparing and responding to COVID-19, HHS put extra protections in place”. 

In addition to the DDoS attempt on HHS, we have seen a flurry of social media campaigns specifically crafted to spread misinformation, and increase paranoia around the Coronavirus pandemic. There appear to be multiple, ongoing misinformation campaigns across all social media platforms (ex: Twitter, Facebook, Telegram). 

For this reason, we all need to be extra careful and ultra-discerning. The NSC has been quick to alert on and clarify most of these attempts, but again they are ongoing. It is recommended that the public continually monitor the NSC (and other official outlets) for accurate data and updates, as well as alerts on misinformation campaigns.

Supply & Lockdown Effects on the Criminal Element

Cyber criminals can be affected by the societal impacts of COVID-19 as well. Perhaps as a ‘positive’ side-effect, some underground vendors are having to cease operations due to increased risk or limited supplies.

Conclusion

The psychology of fear, uncertainty, and doubt is a powerful weapon. Criminals have become more advanced in their understanding of manipulating human emotion to achieve a targeted action. Social engineering is based on the premise that I can get a victim to take action the victim believes to be trusted, but which is actually malicious, using manipulation, influence, and deceit. It can also be based on downright intimidation, authority, and extortion. The net result is a victim taking actions they otherwise never would have in the absence of social engineering.

Nation-state actors have long relied upon social engineering to achieve targeted goals for espionage, system compromise, election influence, and social media manipulation.

While this is still very much a ‘living’ situation, Sentinel Labs has already observed the ability for enterprising cybercriminals to capitalize on the fear and uncertainty of the general public. As is the case with any large and newsworthy event, our adversaries have no scruples when it comes to social engineering and malware distribution. Nothing is out of bounds, and the main difference with the current climate is that the stakes are much higher. It is enough of a challenge to get accurate data and information from known-and-reputable sources. The criminal element further muddies the water and makes our attempts to protect our loved ones (and selves) that much more of a challenge.

Resources

Sentinel Labs will be posting updates and details as they become available at https://labs.sentinelone.com/

This post draws out critical lessons we can learn from both cyber and biological threats:

The Line Between Biological & Cyber Threats Has Never Been So Thin | What Can We Learn & What Should We Do?

In addition, the US-CERT/CISA has posted a list of additional resources which can assist in avoiding COVID-19-related scams and attacks. They cover cyber-hygiene recommendations and link additional helpful resources as well:

US-CERT: Defending Against COVID-19 Cyber Scams

CISA Insights: Risk Management for Novel Coronavirus (COVID-19) (Note: PDF)

CISA Alert (AA20-099A) – COVID-19 Exploited by Malicious Cyber Actors

FBI Alert I-032020-PSA: FBI SEES RISE IN FRAUD SCHEMES RELATED TO THE CORONAVIRUS (COVID-19) PANDEMIC

Indicators of Compromise


