Cyber criminals have taken advantage of the spread of the COVID-19 disease to distribute malware and carry out cyber-attacks.
The malware campaign specifically targets people searching the Internet for maps of the spread of COVID-19, and tricks them into downloading and running a malicious application without their knowledge. The victim sees a map loaded from a legitimate online source in the foreground, while in the background the application compromises the computer.
MalwareHunterTeam has found a new threat designed to steal information from victims; it is now being analyzed by Shai Alfasi, a cybersecurity researcher at Reason Labs.
The malware involved is AZORult, an information-stealing malicious program discovered in 2016. It collects information stored in web browsers, particularly cookies, browsing histories, user IDs, passwords, and even cryptocurrency keys.
Once cybercriminals obtain this data from browsers, they can easily steal credit card numbers, login credentials, and various other sensitive information.
AZORult is considered a tool for gathering sensitive data from computers, and it now comes in a variant capable of creating a hidden administrator account on infected computers to enable connections via the Remote Desktop Protocol (RDP).
The malware is embedded in a file usually named Corona-virus-Map.com.exe, a small Win32 EXE file with a payload size of only around 3.26 MB.
On double-clicking the file, a new window opens showing various information about the spread of COVID-19. The centerpiece is a “map of infections” similar to the one hosted by Johns Hopkins University, a legitimate online source for visualizing and tracking reported coronavirus cases in real time.
Numbers of confirmed cases in different countries are presented on the left side while stats on deaths and recoveries are on the right. The window appears to be interactive, with tabs for various other related information and links to sources.
However, the information presented is actual COVID-19 information pooled from the Johns Hopkins website.
It is important to note that the original coronavirus map hosted online by Johns Hopkins University or ArcGIS is not infected or backdoored in any way and is safe to visit.
When Corona-virus-Map.com.exe is executed, duplicates of the Corona-virus-Map.com.exe file are created, along with multiple Corona.exe, Bin.exe, Build.exe, and Windows.Globalization.Fontgroups.exe files.
In addition, the malware modifies registry entries under ZoneMap and LanguageList.
The malware then launches the following processes: Bin.exe, Windows.Globalization.Fontgroups.exe, and Corona-virus-Map.com.exe. These attempt to connect to several URLs.
These are only examples of what the attack entails; many other files are generated and processes initiated.
Alfasi suggests using Reason Antivirus software to clean infected devices and prevent further attacks.
The best way to remove and stop the “coronavirus map” malware is to have appropriate malware protection in place.
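As an added example (not code from the article or from Reason Labs), the following Python script matches the file, process and registry indicators described above against process-creation and registry log lines. The log format, the sample paths and the timestamps are constructed assumptions, not a real Sysmon or EDR schema.

```python
import re
# File names the article says the sample creates or launches.
DROPPED_NAMES = {
    "corona-virus-map.com.exe", "corona.exe", "bin.exe", "build.exe",
    "windows.globalization.fontgroups.exe",
}
# Registry key fragments the article says the sample modifies.
REGISTRY_MARKERS = ("zonemap", "languagelist")
# Constructed log format (hypothetical, not a real Sysmon/EDR schema):
#   "<ts> ProcessCreate image=<path> parent=<path>" / "<ts> RegistryEvent key=<path>"
LINE_RE = re.compile(r"^(\S+) (ProcessCreate|RegistryEvent) (.+)$")
PROC_RE = re.compile(r"^image=(.+?) parent=(.+)$")

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def scan(lines):
    """Collect dropped-name launches, parent/child pairs and registry hits."""
    findings = {"images": set(), "spawns": [], "registry": []}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the constructed format; ignore
        event, details = m.group(2), m.group(3)
        if event == "ProcessCreate" and (pm := PROC_RE.match(details)):
            image, parent = basename(pm.group(1)), basename(pm.group(2))
            if image in DROPPED_NAMES:
                findings["images"].add(image)
                if parent in DROPPED_NAMES:
                    findings["spawns"].append((parent, image))
        elif event == "RegistryEvent" and details.startswith("key="):
            key = details[4:]
            if any(mk in key.lower() for mk in REGISTRY_MARKERS):
                findings["registry"].append(key)
    return findings

def is_suspicious(findings):
    """Alert on the cluster, not one name: a lone Build.exe is common."""
    return (len(findings["images"]) >= 2 or bool(findings["spawns"])
            or bool(findings["images"] and findings["registry"]))

# Constructed sample telemetry, not real logs.
SAMPLE_LOG = [
    "2020-03-10T10:00:01 ProcessCreate image=C:\\Users\\u\\Downloads\\Corona-virus-Map.com.exe parent=C:\\Windows\\explorer.exe",
    "2020-03-10T10:00:02 RegistryEvent key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap",
    "2020-03-10T10:00:03 ProcessCreate image=C:\\Users\\u\\AppData\\Local\\Temp\\Bin.exe parent=C:\\Users\\u\\Downloads\\Corona-virus-Map.com.exe",
    "2020-03-10T10:00:04 ProcessCreate image=C:\\Users\\u\\AppData\\Local\\Temp\\Windows.Globalization.Fontgroups.exe parent=C:\\Users\\u\\Downloads\\Corona-virus-Map.com.exe",
]
```

`is_suspicious(scan(SAMPLE_LOG))` returns True for the constructed lines; a single benign Build.exe launch on its own does not trigger it.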