You have to hand it to cybercriminals: there is no level so low they won't stoop to it. As the world grapples with the coronavirus pandemic and public interest in the topic soars, cybercrooks naturally see an opportunity. A new malware attack that takes advantage of internet users' appetite for information about the coronavirus has been discovered.
Since an image can say a thousand words, cybercriminals have created an enticing, clickable 'map of coronavirus.' Sounds informative, right? Who wouldn't want some easy-to-digest visual info on where the virus has spread worldwide? But to see the map, users are asked to download it. What they get is a malicious application that, on its front end, shows a map loaded from a legitimate online source while, in the background, it compromises the computer.
The malware is designed to steal information such as passwords from victims' PCs. It is embedded in a file usually named Corona-virus-Map.com.exe, a small Win32 EXE with a payload size of only around 3.26 MB.
It uses the information-stealing malicious software AZORult, which was discovered in 2016. AZORult collects information stored in web browsers, particularly cookies, browsing histories, user IDs, passwords, and even cryptocurrency keys.
Data thieves could do a lot of damage with all those digits. It would make it very easy for them to steal credit card numbers, login credentials, and plenty more sensitive information.
Double-clicking the file opens a window that shows various information about the spread of COVID-19. The centerpiece is a 'map of infections' like the one hosted by the reputable Johns Hopkins University, which is a legitimate online source for visualizing and tracking reported coronavirus cases in real time.
The original coronavirus map hosted online by Johns Hopkins University is not infected or backdoored in any way and is safe to visit.
This rip-off, however, is not safe. Not at all. Executing Corona-virus-Map.com.exe creates duplicates of the Corona-virus-Map.com.exe file along with multiple Corona.exe, Bin.exe, Build.exe, and Windows.Globalization.Fontgroups.exe files. Execution of the malware starts several processes that attempt to connect to several URLs.
That's only a fraction of what the attack entails. There is plenty more network communication as the malware tries to gather different kinds of information, making specific calls in an attempt to steal login data for common online accounts. The malware does all of this by itself as soon as it is executed; it doesn't require victims to interact with the window or input sensitive information at all.
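As an added example (not code from the original article), the dropped-file names and the spawn-then-connect behaviour described above can be turned into simple detection logic over process-creation and network-connection telemetry. The simplified JSON event shape, PIDs, paths and destination addresses below are constructed for the example; the page does not list the real URLs the malware contacts.

```python
import json

# Image names the article says the malicious map creates or executes (from the page).
SUSPECT_IMAGES = {
    "corona-virus-map.com.exe", "corona.exe", "bin.exe",
    "build.exe", "windows.globalization.fontgroups.exe",
}

def basename(path):
    """Last path component, lower-cased, tolerant of Windows backslashes on any host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def analyze(log_lines):
    """Flag suspect process creations, then follow network activity of flagged PIDs.

    Returns (alerts, flagged, net): alerts is a list of human-readable findings,
    flagged maps PID -> image name, net maps flagged PID -> list of destinations.
    """
    flagged, net, alerts = {}, {}, []
    for line in log_lines:
        ev = json.loads(line)
        if ev["event"] == "process_create":
            img = basename(ev["image"])
            parent = basename(ev.get("parent_image", ""))
            # Either a known dropped-file name, or any child of an already-flagged image.
            if img in SUSPECT_IMAGES or parent in flagged.values():
                flagged[ev["pid"]] = img
                alerts.append(f"suspect process {img} (pid {ev['pid']}) spawned by {parent or 'unknown'}")
        elif ev["event"] == "network_connect" and ev["pid"] in flagged:
            net.setdefault(ev["pid"], []).append(ev["dest"])
            alerts.append(f"{flagged[ev['pid']]} (pid {ev['pid']}) connected to {ev['dest']}")
    return alerts, flagged, net

# Constructed sample telemetry (Sysmon-like, heavily simplified); destinations are
# RFC 5737 documentation addresses used as placeholders, not real indicators.
SAMPLE_LOG = [
    r'{"event": "process_create", "pid": 4120, "image": "C:\\Users\\alice\\Downloads\\Corona-virus-Map.com.exe", "parent_image": "C:\\Windows\\explorer.exe"}',
    r'{"event": "process_create", "pid": 4188, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Corona.exe", "parent_image": "C:\\Users\\alice\\Downloads\\Corona-virus-Map.com.exe"}',
    r'{"event": "process_create", "pid": 4210, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Bin.exe", "parent_image": "C:\\Users\\alice\\Downloads\\Corona-virus-Map.com.exe"}',
    r'{"event": "network_connect", "pid": 4188, "dest": "198.51.100.7:80"}',
    r'{"event": "process_create", "pid": 4300, "image": "C:\\Program Files\\Notepad++\\notepad++.exe", "parent_image": "C:\\Windows\\explorer.exe"}',
    r'{"event": "network_connect", "pid": 4300, "dest": "203.0.113.5:443"}',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)[0]:
        print(finding)
```

The benign notepad++ process and its connection are left alone because neither its image name nor its parent matches; only the lure and its children are reported.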
Since the coronavirus doesn't seem to be going anywhere anytime soon, internet users need to be extra vigilant about similar online threats popping up. This malware has been discovered, but there will surely be more attempts by cybercriminals to exploit the global pandemic.