Coronavirus Map: Malware Infecting PCs to Steal Passwords
By Yash Kudal
The catastrophic spread of SARS-CoV-2 (the virus), which causes COVID-19 (the disease), has become an opportunity for attackers to spread malware and launch cyber attacks that trade on the same name.
A threat analysis report has been released on new attacks that exploit Internet users' appetite for information about the coronavirus, which is causing alarm worldwide.
The attack targets people searching the Internet for maps of the spread of COVID-19 and tricks them into opening and running a malicious application. The application displays real data drawn from a legitimate online source while compromising the computer in the background.
New Threat Built on an Older Piece of Malware
The latest threat, designed to steal victims' credentials without their knowledge, was first identified by MalwareHunterTeam last week and has since been analyzed by Shai Alfasi, a cybersecurity researcher at Reason Labs.
It carries a malware family identified as AZORult, an information stealer first observed in 2016. AZORult collects data stored by web browsers, in particular cookies, browsing history, user IDs, passwords, and cryptocurrency wallet keys.
With this information pulled from browsers, cybercriminals can steal credit card numbers, login credentials, and various other sensitive information.
AZORult is reportedly discussed in Russian underground forums as a tool for harvesting sensitive data from compromised computers. One variant is able to create a hidden administrator account on an infected machine to allow remote access over the Remote Desktop Protocol (RDP).
Alfasi's analysis gives technical details of the malware, which is packaged in a file named Corona-virus-Map.com.exe, a 32-bit Windows executable (Win32 EXE) of only 3.26 MB. The ".com.exe" double extension is chosen so that the file name reads like a web address rather than a program.
Double-clicking the file opens a window showing various statistics about the spread of COVID-19. Its centerpiece is a "disease map" resembling the one run by Johns Hopkins University, the widely used online source for visualizing and tracking reported coronavirus cases in near real time.
The result is a convincing GUI that few would suspect of being malicious. The information shown is not random filler: it is the real COVID-19 data published on the Johns Hopkins website.
Note that the original coronavirus map hosted online by Johns Hopkins University is not infected or trojanized.
Symptoms of Infection:
Executing Corona-virus-Map.com.exe drops a duplicate copy of Corona-virus-Map.com.exe along with the files Corona.exe, Bin.exe, Build.exe, and Windows.Globalization.Fontgroups.exe.
In addition, the malware modifies a few registry keys under both ZoneMap and LanguageList.
The processes started when the malware runs are Bin.exe, Windows.Globalization.Fontgroups.exe, and Corona-virus-Map.com.exe. These processes attempt to connect to multiple URLs.
These processes and URLs are only a sample of what the infection involves. Many other files and processes are generated, and they open a variety of network connections as the malware tries to collect different kinds of information.
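The indicators above (dropped file names, registry keys under ZoneMap and LanguageList, and outbound connections from the dropped processes) are enough to write a first-pass triage rule. The script below is an added example, not code from the article or from Reason Labs: it replays Sysmon-style process-creation, network-connection and registry events and flags the chain the article describes. The event format, file paths, process IDs, destination hostnames and the extra file names (svc_update.exe, Covid-Stats.pdf.exe) are constructed for the demo, and the double-extension heuristic is an assumption that goes beyond the specific file the article names. Because ZoneMap is also written by legitimate software such as Internet Explorer, the registry rule only fires for processes already tied to the infection chain.

```python
# Added example (not from the article or from Reason Labs): a small
# host-triage script that replays Sysmon-style process/network/registry
# events and flags the indicators the article lists. Event lines, paths,
# PIDs and hostnames are constructed for the demo.
import re
from dataclasses import dataclass

# File names quoted in the article's "Symptoms of Infection" section.
DROPPED_FILES = {
    "corona-virus-map.com.exe",
    "corona.exe",
    "bin.exe",
    "build.exe",
    "windows.globalization.fontgroups.exe",
}
# The article only names these registry key fragments; full paths are
# not given, so match on the substring.
REGISTRY_HINTS = ("zonemap", "languagelist")
# Assumption: a "<something>.com.exe" style name is meant to look like a
# web address or document, so treat any double extension ending in .exe
# as suspicious even when the name is not on the list above.
DOUBLE_EXT = re.compile(r"\.(com|org|net|pdf|doc|docx|xls|jpg|png)\.exe$", re.I)


@dataclass
class Finding:
    event_id: str
    pid: str
    reason: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' event line."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def scan(lines):
    """Return a list of Findings. Lines must be in chronological order so
    that a parent's process-creation event precedes its children's."""
    findings = []
    suspicious = set()  # PIDs already attributed to the infection chain
    for line in lines:
        ev = parse_event(line)
        eid, pid = ev["EventID"], ev["ProcessId"]
        image = basename(ev.get("Image", ""))
        if eid == "1":  # process creation
            reason = None
            if image in DROPPED_FILES:
                reason = "known_dropped_file"
            elif DOUBLE_EXT.search(image):
                reason = "double_extension"
            elif ev.get("ParentProcessId") in suspicious:
                reason = "child_of_suspicious"
            if reason:
                suspicious.add(pid)
                findings.append(Finding(eid, pid, reason, image))
        elif eid == "3" and pid in suspicious:  # network connection
            findings.append(Finding(eid, pid, "network_from_suspicious",
                                    f"{image} -> {ev.get('DestinationHostname', '?')}"))
        elif eid == "13" and pid in suspicious:  # registry value set
            target = ev.get("TargetObject", "")
            if any(h in target.lower() for h in REGISTRY_HINTS):
                findings.append(Finding(eid, pid, "registry_from_suspicious",
                                        f"{image} wrote {target}"))
    return findings


# Constructed sample: one infection chain followed by benign noise.
SAMPLE_EVENTS = [
    r"EventID=1|ProcessId=4100|ParentProcessId=880|ParentImage=C:\Windows\explorer.exe|Image=C:\Users\alice\Downloads\Corona-virus-Map.com.exe",
    r"EventID=1|ProcessId=4120|ParentProcessId=4100|ParentImage=C:\Users\alice\Downloads\Corona-virus-Map.com.exe|Image=C:\Users\alice\AppData\Local\Temp\Bin.exe",
    r"EventID=1|ProcessId=4132|ParentProcessId=4100|ParentImage=C:\Users\alice\Downloads\Corona-virus-Map.com.exe|Image=C:\Users\alice\AppData\Local\Temp\Windows.Globalization.Fontgroups.exe",
    r"EventID=3|ProcessId=4120|Image=C:\Users\alice\AppData\Local\Temp\Bin.exe|DestinationHostname=stats-update.example",
    r"EventID=13|ProcessId=4132|Image=C:\Users\alice\AppData\Local\Temp\Windows.Globalization.Fontgroups.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect",
    r"EventID=1|ProcessId=4140|ParentProcessId=4120|ParentImage=C:\Users\alice\AppData\Local\Temp\Bin.exe|Image=C:\Users\alice\AppData\Local\Temp\svc_update.exe",
    r"EventID=1|ProcessId=6000|ParentProcessId=880|ParentImage=C:\Windows\explorer.exe|Image=C:\Users\alice\Downloads\Covid-Stats.pdf.exe",
    # Benign: Internet Explorer legitimately writes ZoneMap; notepad is not in the chain.
    r"EventID=13|ProcessId=1500|Image=C:\Program Files\Internet Explorer\iexplore.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect",
    r"EventID=1|ProcessId=5000|ParentProcessId=880|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe",
    r"EventID=3|ProcessId=5000|Image=C:\Windows\System32\notepad.exe|DestinationHostname=update.example",
]
BENIGN_EVENTS = SAMPLE_EVENTS[-3:]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.reason}] pid={f.pid} event={f.event_id} {f.detail}")
```

Run against the sample, the scan produces seven findings: the three named dropped files, a network connection and a ZoneMap write from those processes, a child process spawned by Bin.exe, and the double-extension download; the Internet Explorer registry write and notepad's connection are left alone. Real Sysmon data would come from the Windows event log rather than this pipe-delimited format, and names alone are weak indicators, so the script is a triage aid, not a replacement for the anti-malware tooling the article recommends.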
The practical way to stop and remove the Coronavirus Map malware is a reputable anti-malware product. Identifying the infection manually, let alone removing it, is difficult without the proper tool.
Being careful about what you download and run may not be enough on its own, since many such files present themselves as excellent sources of coronavirus information.
The COVID-19 epidemic demands great care not only offline (to avoid infection) but also online. Attackers are exploiting the popularity of coronavirus-related resources on the web, and many users may fall victim to attacks like this one.