Recently, 360 BaiZe Labs intercepted a new virus module distributed by the Drive the Life series Trojan. Sample analysis showed that this module is a worm that uses the victim’s email account to send COVID-19-themed phishing emails to the other contacts of that account, through which this series of Trojans is then spread and deployed. The virus author named the latest Trojan task “bluetea”, so we call this update “BlueTea Action.”
The relevant code logic for sending a phishing email is as follows:
The subject of the phishing email was “The Truth of COVID-19”, and the attachment was a malicious RTF file exploiting CVE-2017-8570:
After the vulnerability is triggered, the following sct script is executed:
The downloaded script is heavily obfuscated. Its content after deobfuscation is as follows. The virus persists mainly by creating multiple scheduled tasks, one of which is named “bluetea”.
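A defender-side triage check for the lure described above (the subject line plus an RTF attachment), added here as an example; it is not code from the original 360 write-up. Assumptions: the two constructed .eml messages are samples, not real captures, and the RTF control-word heuristic flags any RTF that auto-loads an embedded OLE object rather than this specific exploit document.

```python
import email
from email import policy

# Constructed sample (not a real capture) mimicking the lure described above:
# subject "The Truth of COVID-19" and an RTF attachment embedding an OLE object.
SAMPLE_EML = b"""From: victim@example.invalid
To: contact@example.invalid
Subject: The Truth of COVID-19
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please read the attached document.
--b1
Content-Type: application/rtf; name="truth.rtf"
Content-Disposition: attachment; filename="truth.rtf"

{\\rtf1{\\object\\objocx\\objupdate{\\*\\objdata 0105000002000000}}}
--b1--
"""
# Constructed benign message for comparison.
BENIGN_EML = b"Subject: Meeting notes\nTo: b@example.invalid\n\nSee you at 10.\n"

LURE_SUBJECT = "the truth of covid-19"  # subject line reported above
# RTF control words that embed an OLE object and force it to load when the
# document opens; a generic heuristic, not a signature for this one sample.
OLE_MARKERS = (rb"\objupdate", rb"\objdata", rb"\objemb")

def rtf_reasons(data: bytes) -> list:
    """Heuristic hits for one attachment body; empty if it is not RTF."""
    if not data.lstrip().startswith(b"{\\rt"):  # RTF magic; Word accepts truncated '{\rt'
        return []
    return ["rtf-attachment"] + ["rtf-" + m[1:].decode() for m in OLE_MARKERS if m in data]

def triage_message(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and return a verdict with its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    reasons = ["lure-subject"] if subject.strip().lower() == LURE_SUBJECT else []
    for part in msg.iter_attachments():
        reasons += rtf_reasons(part.get_payload(decode=True) or b"")
    # Either the known lure subject or an RTF that auto-loads an OLE object is enough.
    suspicious = "lure-subject" in reasons or any(r.startswith("rtf-obj") for r in reasons)
    return {"subject": subject, "reasons": reasons, "suspicious": suspicious}
```

Run over a mail spool or gateway quarantine, the returned reasons can be logged per message so that the subject match and the RTF heuristic are triaged separately.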
This series of Trojans has been updated several times since its outbreak, in its means of dissemination, its obfuscation, and its profit modules. Starting from the EternalBlue exploits and moving on to weak-password brute forcing, it now spreads through email worms. The hacking gang behind it has kept updating it, but users do not need to worry: 360 Total Security can accurately block such Trojans and always protect your computer security.