
BlueTea Action

By GoldSparrow in Trojans

The BlueTea Action Trojan is a threat that is being distributed via bogus, Coronavirus-themed emails. Since the outbreak of the COVID-19 pandemic, more and more cyber crooks have been using the topic as a lure to spread online scams and threatening software.

The BlueTea Action threat is being spread with the help of fraudulent emails that claim to contain the truth about the Coronavirus pandemic. Often, the fake emails are titled ‘The Truth of COVID-19,’ a name likely to attract the attention of curious users. The dodgy emails carry a corrupted attachment in the form of an ‘.rtf’ document. If users try to open the document, they are asked to click ‘Enable Content’ to view the contents of the file. Users who comply and click the ‘Enable Content’ button allow the dodgy file to execute a corrupted macro script that takes advantage of the Microsoft Office vulnerability known as CVE-2017-8570.

Once the BlueTea Action threat manages to compromise the targeted host successfully, it gains persistence on the system by using the Windows Scheduled Task service. In the next step of the attack, the BlueTea Action Trojan establishes a connection with the attackers’ C&C (Command & Control) server. The BlueTea Action malware is able to propagate itself by hijacking the victim’s email contact list and sending phishing emails to every contact present. The BlueTea Action Trojan operates rather stealthily, and users whose systems have been infected may not notice anything out of the ordinary for a long period. The BlueTea Action malware allows the attackers to:

  • Collect information from the infected system.
  • Take over the running processes on the system.
  • Inject additional threats on the compromised host.

360 BaiZe Labs recently intercepted a new virus module sent out by the Drive the Life Series Trojan. The sample was analyzed and found to be a kind of malware worm that manipulates email accounts. The virus causes affected email accounts to send out phishing emails related to coronavirus to contacts saved on the account.

Because every infected account sends out more of these emails, the virus keeps spreading. The original victim was likely tricked by a phishing email playing on their fears of COVID-19. The email claimed to have the truth about the disease, or something similar, and included an RTF attachment. Once someone opens that attachment, it exploits the CVE-2017-8570 vulnerability to infect their computer and continue the spread.

The compromised RTF file attached to the email contains code with several layers of obfuscation meant to evade antivirus software. The virus creates several scheduled tasks in order to hide what it is really doing. One of those tasks, called “Bluetea,” is the primary operating task of the virus.

The creator behind the trojan gave it the name “Bluetea,” so BaiZe Labs chose to call it “BlueTea Action.”
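The persistence mechanism described above (a scheduled task, with the main one named “Bluetea”) is something a defender can hunt for directly, because every registered task is stored on disk as an XML file under %SystemRoot%\System32\Tasks. The following triage script is an added example, not code from this write-up or from 360 BaiZe Labs: it parses task definitions in the Task Scheduler XML schema and flags tasks whose name matches the reported “Bluetea” indicator, that are marked hidden, that launch a script host with arguments, or that reference user-writable directories. Only the task name comes from the page; the path and script-host heuristics are generic assumptions, and the two sample task definitions are constructed for the example, not real captures.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path

# Namespace used by every Task Scheduler definition under %SystemRoot%\System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicator taken from the write-up: the worm's primary task is named "Bluetea".
KNOWN_TASK_NAMES = {"bluetea"}

# Generic heuristics (assumptions for this example, not indicators from the write-up):
# actions that reference user-writable locations ...
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
# ... or that run a script host / living-off-the-land binary with arguments.
SCRIPT_HOSTS = re.compile(
    r"(^|\\)(wscript|cscript|powershell|pwsh|mshta|rundll32|regsvr32|cmd)(\.exe)?$", re.I)


@dataclass
class TaskFinding:
    name: str
    command: str
    arguments: str
    hidden: bool
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def decode_task_xml(raw: bytes) -> str:
    """Task files on disk are usually UTF-16 with a BOM; fall back to UTF-8."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def inspect_task(name: str, xml_text: str) -> TaskFinding:
    """Parse one task definition and record every reason it looks suspicious."""
    root = ET.fromstring(xml_text)
    exec_el = root.find("t:Actions/t:Exec", NS)
    command = arguments = ""
    if exec_el is not None:
        command = exec_el.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        arguments = exec_el.findtext("t:Arguments", default="", namespaces=NS).strip()
    hidden_text = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    finding = TaskFinding(name, command, arguments, hidden_text.strip().lower() == "true")

    if name.strip("\\").lower() in KNOWN_TASK_NAMES:
        finding.reasons.append("task name matches the 'Bluetea' task reported for BlueTea Action")
    if finding.hidden:
        finding.reasons.append("task is marked <Hidden>true</Hidden>")
    if SCRIPT_HOSTS.search(command) and arguments:
        finding.reasons.append(f"action runs a script host or LOLBin with arguments: {command}")
    if USER_WRITABLE.search(command + " " + arguments):
        finding.reasons.append("action references a user-writable directory")
    return finding


def scan_tasks(tasks: dict) -> list:
    """tasks maps a task path (e.g. '\\Bluetea') to the XML text of its definition."""
    return [inspect_task(name, xml) for name, xml in tasks.items()]


def scan_task_folder(folder=r"C:\Windows\System32\Tasks") -> list:
    """Walk the on-disk task store; the file path relative to the store is the task path."""
    base = Path(folder)
    tasks = {}
    for path in base.rglob("*"):
        if path.is_file():
            tasks["\\" + str(path.relative_to(base))] = decode_task_xml(path.read_bytes())
    return [f for f in scan_tasks(tasks) if f.suspicious]


# Constructed sample definitions for offline use (not real captures from the campaign).
SAMPLE_TASKS = {
    "\\Bluetea": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\wscript.exe</Command>
    <Arguments>//B "C:\\Users\\alice\\AppData\\Roaming\\Bluetea\\update.vbs"</Arguments>
  </Exec></Actions>
</Task>""",
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>%windir%\\system32\\defrag.exe</Command>
    <Arguments>-c -h -k -g -$</Arguments>
  </Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE_TASKS):
        if finding.suspicious:
            print(finding.name, "->", "; ".join(finding.reasons))
```

Running the script as-is checks only the constructed samples; on a Windows host, `scan_task_folder()` applies the same checks to the real task store (it needs read access to the Tasks directory, which usually means an elevated prompt). Treat the heuristics as triage, not verdicts: legitimate software also registers hidden tasks and script-host actions, so each hit still needs a look at the script or binary it points to.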

The Drive the Life Series of trojans has gone through a number of changes since it was first introduced. The way the trojan spreads, how it obfuscates itself, and its profit modules have all changed and evolved. What began with EternalBlue exploits became weak-password brute-forcing and has now become email worms. The team behind the virus is continually finding new ways to exploit users and spread their virus, but a good antivirus program can help keep these issues at bay. Don’t forget to check the source of emails before opening them, too, as a little vigilance can save you a lot of trouble with email worms like this one.

It is best to use an updated anti-malware solution to protect your computer and your data. Furthermore, make sure you update all your applications regularly to minimize the risk of a cyber-attack.

