Malicious coronavirus map hides AZORult info-stealing malware
Cyberattackers continue to seize on the dire need for information surrounding the novel coronavirus. In one of the latest examples, adversaries have created a weaponized coronavirus map app that infects victims with a variant of the information-stealing AZORult malware.
The malicious online map, found at www.Corona-Virus-Map[.]com, appears very polished and convincing, showing an image of the world that depicts viral outbreaks with red dots of various sizes, depending on the number of infections. The map appears to offer a tally of confirmed cases, total deaths and total recoveries, by country, and cites Johns Hopkins University’s Center for Systems Science and Engineering as its supposed data source.
There is a genuine, safe version of the Johns Hopkins coronavirus map. It requires no download and can be accessed here.
Malwarebytes issued a warning about the malicious map last week, and Reason Cybersecurity this week has followed up with its own blog post, reporting additional details on the scam, gathered by Reason Labs researcher Shai Alfasi.
The malware, found within a file called corona.exe, carries typical AZORult functionality, with the ability to steal credentials, payment card numbers, cookies and sensitive browser-based data and exfiltrate that information to a command-and-control server.
According to Alfasi, the malware specifically seeks out cryptocurrency wallets (including those for Electrum and Ethereum), the Telegram desktop app and Steam accounts. It can also take unauthorized screenshots, resolved and save a victim’s public IP address, and gather information on infect machines, including the OS system, architecture, hostname and username.
“The malware uses a few layers of packing as well as a multi-sub-process technique to make research more difficult,” the blog post notes. “As the coronavirus continues to spread and more apps and technologies are developed to monitor it, we will likely be seeing an increase in corona malware and corona malware variants well into the foreseeable future,” the report concludes.
Asked by SC Media how potential victims were being lured to the map, Alfasi responded, “The malicious map is not distributed via mail campaign or phishing. I believe the malware was burned down pretty fast before attackers could invest time on spreading tactics. When malware is getting caught before the spreading process, it means that the author didn’t take any sec-ops actions in order to keep it safe until the spreading process.”