- Malware named ‘Coronavirus Map’ is spreading and infecting computers
- It poses as legitimate map software that shows geographical information about the pandemic
- The app plants malware based on the AZORult information stealer
- It steals credit card information, social media credentials, browser cookies and cryptocurrency
- The stolen data is either sold on the dark web or used to carry out financial theft
- Users are advised to rely only on trustworthy, known, verified sources for information
With everyone in a constant state of panic about the Coronavirus, hackers are taking advantage of the situation by deceiving people into downloading malicious apps that pose as sources of information about the global pandemic.
Recently, researchers found a dangerous app called ‘Coronavirus Map’ that is making its way onto people’s computers and stripping them of privacy and security.
Living up to its name, the ‘Coronavirus Map’ app looks like legitimate software that shows the location of confirmed Coronavirus cases on a global map, including the number of deaths and recoveries in real time.
After analysing it, cybersecurity experts confirmed that this app is an information stealer that robs people of their personal, social and financial credentials.
What is the ‘Coronavirus map’?
The ‘Coronavirus Map’ app is a malicious file modelled on the real Coronavirus map published by Johns Hopkins University and Medicine.
Shai Alfasi, a cybersecurity researcher at Reason Labs, found that the fake Corona-virus-Map.com.exe has malware embedded in it that launches AZORult, a malware family known since 2016 for scooping sensitive information out of infected machines. AZORult is not something any of us should take lightly.
The malware is known to be sold on underground Russian forums and is adept at collecting confidential data such as browser cookies and history, cryptocurrency, and even IDs and passwords from the affected computer.
To make matters worse, another AZORult variant is known to create a hidden admin account on the victim’s device so that the attacker can access it remotely over RDP.
The GUI of the fake Coronavirus map app. Source: https://blog.reasonsecurity.com/
How does the ‘Coronavirus map’ malware work?
After a detailed analysis, Shai Alfasi found that:
- Once executed, ‘CoronaMap.exe’ starts a root process with multiple sub-processes.
- Another binary, ‘Corona.exe’, is created, containing more malicious files.
- Those files are ‘Corona.bat’ and ‘Corona.sfx.exe’.
- When Corona.bat runs, Corona.sfx.exe is extracted to C:\windows\system32.
- This extraction leads to further processes: bin.exe, timeout.exe and build.exe.
- bin.exe writes DLL files and loads APIs that decrypt passwords saved on the victim’s device.
- bin.exe then searches for cryptocurrency wallets such as ‘Electrum’ and ‘Ethereum’.
- It also collects other system data and contacts the command-and-control server.
- It then sends the stolen information to the attacker.
- timeout.exe is used to fool anti-virus software by delaying execution.
- Lastly, build.exe creates a sub-process that looks for other browsers and resources it can steal information from.
The malware flow. Source: https://blog.reasonsecurity.com/
How can you protect yourself from the ‘Coronavirus map’ malware?
If you have already fallen into the trap of this malware, the most you can do is immediately change all your passwords and check with your bank for any suspicious transactions.
You will also need to remove the malware from your device by finding all the files it creates and deleting them.
If you are not sure whether you are infected, you can check your device for the malware’s indicators of compromise (IoCs).
But prevention is better than cure, so make sure you are not inviting any tom-dick-and-harry app onto your device to get information about the virus outbreak.
In fact, since hackers are weaponizing legitimate apps and injecting them with malware during these panic-stricken times, it is better to keep your device as far as possible from anything that promises to provide information about the Coronavirus.
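The process chain listed in the analysis above, together with the IoC check suggested here, can be turned into a simple log sweep. The script below is an added example, not code from Reason Labs or from the article: it parses a constructed process-creation log (the `pid=… ppid=… image=… cmdline=…` format is hypothetical, not a real Sysmon or EDR schema) and flags events that match the file names the analysis describes, follows the parent/child tree so that `bin.exe`, `build.exe` and `timeout.exe` are only reported when they run inside that tree, and leaves the benign `timeout.exe` and `notepad.exe` events alone. Every path, PID and command line in the sample log is constructed.

```python
# Added example (not Reason Labs' tooling or code from the article): scan a small
# batch of constructed process-creation log lines for the file names and
# behaviours the article attributes to the 'Coronavirus Map' / AZORult chain.
import re
from collections import namedtuple

# File names come from the article's analysis; every path, PID and command line
# below is constructed for this example.
DROPPER_NAMES = {
    "corona-virus-map.com.exe", "coronamap.exe", "corona.exe",
    "corona.bat", "corona.sfx.exe",
}
PAYLOAD_NAMES = {"bin.exe", "build.exe"}  # payloads the article says run from system32
SYSTEM32 = r"c:\windows\system32"

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed log format (hypothetical, not a real Sysmon/EDR schema):
#   pid=<n> ppid=<n> image="<path>" cmdline="<text>"
LINE_RE = re.compile(r'pid=(\d+) ppid=(\d+) image="([^"]+)" cmdline="([^"]*)"')


def parse_line(line):
    """Return an Event for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def find_indicators(lines):
    """Walk the log in order (parents before children) and return
    (pid, reason, image name) tuples for every suspicious event."""
    events = [e for e in map(parse_line, lines) if e]
    tainted = set()   # PIDs that belong to the dropper's process tree
    findings = []
    for e in events:
        name = basename(e.image)
        cmd = e.cmdline.lower()
        parent_tainted = e.ppid in tainted
        cmd_hit = any(d in cmd for d in DROPPER_NAMES)
        # Anything spawned by the chain, or that references a dropper file, joins the tree
        if name in DROPPER_NAMES or cmd_hit or parent_tainted:
            tainted.add(e.pid)
        if name in DROPPER_NAMES:
            findings.append((e.pid, "known dropper file name", name))
        elif cmd_hit:
            findings.append((e.pid, "dropper file referenced on command line", name))
        elif name in PAYLOAD_NAMES and dirname(e.image) == SYSTEM32 and parent_tainted:
            findings.append((e.pid, "payload running from system32 inside dropper tree", name))
        elif name == "timeout.exe" and parent_tainted:
            # The article says timeout.exe is used to delay execution and fool anti-virus;
            # the same binary is benign when run by anything outside the chain.
            findings.append((e.pid, "execution delay via timeout.exe inside dropper tree", name))
    return findings


# Constructed sample log: one infected session plus two benign events at the end.
SAMPLE_LOG = [
    'pid=100 ppid=1 image="C:\\Windows\\explorer.exe" cmdline="explorer.exe"',
    'pid=200 ppid=100 image="C:\\Users\\alice\\Downloads\\Corona-virus-Map.com.exe" cmdline="Corona-virus-Map.com.exe"',
    'pid=210 ppid=200 image="C:\\Users\\alice\\AppData\\Local\\Temp\\Corona.exe" cmdline="Corona.exe"',
    'pid=220 ppid=210 image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd /c Corona.bat"',
    'pid=230 ppid=220 image="C:\\Windows\\System32\\Corona.sfx.exe" cmdline="Corona.sfx.exe"',
    'pid=240 ppid=230 image="C:\\Windows\\System32\\bin.exe" cmdline="bin.exe"',
    'pid=250 ppid=230 image="C:\\Windows\\System32\\timeout.exe" cmdline="timeout /t 30"',
    'pid=260 ppid=230 image="C:\\Windows\\System32\\build.exe" cmdline="build.exe"',
    'pid=300 ppid=100 image="C:\\Windows\\System32\\timeout.exe" cmdline="timeout /t 5"',
    'pid=310 ppid=100 image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe"',
]

if __name__ == "__main__":
    for pid, reason, name in find_indicators(SAMPLE_LOG):
        print(f"pid {pid}: {name} -> {reason}")
```

The point of tracking the process tree rather than matching names alone is that `timeout.exe`, `bin.exe` and `build.exe` are ordinary-looking names; on a real host you would feed this the process-creation events from your endpoint telemetry (in its own format) and treat only hits inside the dropper's tree as worth escalating.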
What do you think about this news? Have you come across any such case recently?
Let us know your thoughts in the comments. You can also share some trusted information sources about the Coronavirus with others below.
Keep an eye on our news section for more cybersecurity updates.
Stay tuned, stay safe.