Netwalker developers target people via coronavirus scam campaign

Due to the ongoing pandemic, scammers have actively started using the coronavirus outbreak as the theme for their phishing campaigns and malware. One such campaign has been reported that leads to the installation of the dangerous Netwalker ransomware on recipients' devices.

While the actual email was not sent to us, MalwareHunterTeam managed to find an attachment that ultimately leads to the Netwalker installation. Toll Group and the Champaign-Urbana Public Health District in Illinois are the two organizations reported to have been victimized by the attackers behind this threat.

The new Netwalker (also known as Mailto) phishing campaign uses an attachment named CORONAVIRUS_COVID-19.vbs that contains an embedded executable and obfuscated code of the ransomware, which the script extracts and launches on the device.

When the script is executed, the embedded executable is saved to %Temp%\qeSw.exe and launched, which starts the encryption process on the device.
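The drop-and-launch behaviour described above (a script host running a .vbs attachment, then an executable started from the user's Temp folder) is a useful hunting pattern on its own. The following is an added example, not code from the article or from any vendor: a small Python heuristic run over constructed process-creation events whose field names are modelled loosely on Sysmon Event ID 1 (`Image`, `ParentImage`, `ParentCommandLine`); the sample events and the user name are made up.

```python
"""Flag executables launched from a user's Temp directory by a Windows
Script Host interpreter (wscript.exe / cscript.exe) that is running a .vbs.
This mirrors the CORONAVIRUS_COVID-19.vbs -> %Temp%\qeSw.exe chain described
in the article. Field names are assumed to follow Sysmon Event ID 1."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Per-user Temp folder, e.g. C:\Users\<name>\AppData\Local\Temp\
TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when a script host running a .vbs spawns an .exe from %Temp%."""
    parent = basename(event.get("ParentImage", ""))
    parent_cmd = event.get("ParentCommandLine", "").lower()
    image = event.get("Image", "")
    return (parent in SCRIPT_HOSTS
            and ".vbs" in parent_cmd
            and image.lower().endswith(".exe")
            and TEMP_RE.search(image) is not None)


def find_droppers(events) -> list:
    """Return the Image paths of all events matching the heuristic."""
    return [e["Image"] for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry; hypothetical user "alice").
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\CORONAVIRUS_COVID-19.vbs"',
     "Image": r"C:\Users\alice\AppData\Local\Temp\qeSw.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",            # benign: normal app launch
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"ParentImage": r"C:\Windows\System32\cscript.exe",    # benign: admin script, no Temp drop
     "ParentCommandLine": r"cscript.exe C:\scripts\inventory.vbs",
     "Image": r"C:\Windows\System32\wmic.exe"},
]

if __name__ == "__main__":
    for hit in find_droppers(SAMPLE_EVENTS):
        print("suspicious executable launched from Temp:", hit)
```

The rule keys on behaviour rather than the qeSw.exe file name, so it still fires when the dropped name changes; tune `TEMP_RE` if your environment redirects the Temp folder.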

Vitali Kremez, a researcher at SentinelLabs, said this version of the ransomware terminates the Fortinet endpoint protection client. When asked why the ransomware does this, Kremez said it may be to avoid detection.

“I suppose it might be because they have already disabled the anti-virus functionality directly from the customer admin panel; however, they do not want to trip an alarm by terminating the clients,” Kremez said.

After encryption completes, users find a ransom note named [extension]-Readme.txt that contains instructions on how to access the ransomware's Tor payment site and pay the ransom demand.

At the moment, no weakness is known in the ransomware, meaning there is no official decryption tool available for Netwalker. If you have been infected with this malware, you will have to restore the files from an existing backup or recreate them.