Dublin, Ireland, March 20, 2020 - As the coronavirus continues its rapid spread, Internet users are fearful of infection and anxious for more information about the outbreak. Cybercriminals are taking advantage of the coronavirus (COVID-19) pandemic and preying on those fears to spread malware. A number of cyber-attacks and strains of malware themed around COVID-19 have swept across different parts of the world over the last few days.
An advanced persistent threat (APT) group is believed to be behind a targeted March 2020 campaign dubbed 'Vicious Panda' that also used the coronavirus as a lure. The 'Vicious Panda' campaign sent phishing emails to Mongolian government institutions with RTF attachments that purported to contain important information about the coronavirus. The malicious RTF files were built with a version of RoyalRoad, an RTF weaponizer long associated with Chinese threat actors. RoyalRoad documents exploit vulnerabilities in the Equation Editor component of Microsoft Office, so simply opening the attachment in Word is enough to run the embedded payload.
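Because RoyalRoad-style documents carry their exploit as an embedded OLE object, a mail gateway can triage RTF attachments without opening them. The following is an added example (not code from EnigmaSoft, Check Point or the RoyalRoad builder) that decodes the hex in each `\*\objdata` group, reads the OLE 1.0 header it contains, and flags objects whose class name is an Equation Editor ProgID or whose declared `\*\objclass` does not match what the OLE header actually says. The three-object RTF sample is constructed for the demonstration: an honest `Equation.3` object, a decoy declared as `Word.Document.8` but carrying a mixed-case Equation ProgID, and a benign `Package` object.

```python
import re
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

# A decoded \objdata blob starts with an OLE 1.0 header:
#   u32 version, u32 format id (2 = embedded, 1 = linked), u32 class-name length,
#   then the NUL-terminated ProgID (e.g. "Equation.3").
OLE1_HDR = struct.Struct("<III")

OBJECT_GROUP_RE = re.compile(r"\{\\object(?![a-zA-Z])")          # start of a {\object ...} group
OBJCLASS_RE = re.compile(r"\\\*\\objclass\s+([^}\\]+)")          # declared ProgID
OBJDATA_RE = re.compile(r"\\\*\\objdata\b([^}]*)")               # hex payload up to the closing brace
CONTROL_WORD_RE = re.compile(r"\\[a-zA-Z]+-?\d* ?")              # stray control words inside the hex
HEX_CHAR_RE = re.compile(r"[0-9A-Fa-f]")


def rtf_groups(rtf: str) -> Iterator[str]:
    """Yield every {\\object ...} brace group, honouring nested groups."""
    pos = 0
    while True:
        m = OBJECT_GROUP_RE.search(rtf, pos)
        if not m:
            return
        depth, j = 0, m.start()
        while j < len(rtf):
            if rtf[j] == "{":
                depth += 1
            elif rtf[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        yield rtf[m.start():j + 1]
        pos = j + 1


def objdata_blobs(group: str) -> List[bytes]:
    """Decode each \\*\\objdata hex run in a group, tolerating whitespace and line breaks."""
    blobs = []
    for m in OBJDATA_RE.finditer(group):
        body = CONTROL_WORD_RE.sub("", m.group(1))
        hexchars = "".join(HEX_CHAR_RE.findall(body))
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]          # sloppy builders sometimes leave a dangling nibble
        blobs.append(bytes.fromhex(hexchars))
    return blobs


def ole1_class_name(blob: bytes) -> Optional[str]:
    """Return the ProgID from the OLE 1.0 header, or None if the blob does not look like one."""
    if len(blob) < OLE1_HDR.size:
        return None
    _version, _fmt, name_len = OLE1_HDR.unpack_from(blob, 0)
    if name_len == 0 or name_len > 256 or len(blob) < OLE1_HDR.size + name_len:
        return None
    name = blob[OLE1_HDR.size:OLE1_HDR.size + name_len]
    return name.rstrip(b"\x00").decode("latin-1")


@dataclass
class EmbeddedObject:
    declared: Optional[str]   # ProgID the RTF claims via \*\objclass (attacker-controlled text)
    actual: Optional[str]     # ProgID found inside the decoded OLE 1.0 header
    size: int                 # decoded \objdata length in bytes

    @property
    def suspicious(self) -> bool:
        real = (self.actual or "").lower()
        claimed = (self.declared or "").lower()
        # Equation Editor ProgIDs ("Equation.2", "Equation.3", case variants) are the
        # classic exploit carrier; a declared/actual mismatch is a classic obfuscation.
        return real.startswith("equation") or (bool(claimed) and bool(real) and claimed != real)


def embedded_objects(rtf: str) -> List[EmbeddedObject]:
    found = []
    for group in rtf_groups(rtf):
        m = OBJCLASS_RE.search(group)
        declared = m.group(1).strip() if m else None
        blobs = objdata_blobs(group)
        blob = blobs[0] if blobs else b""
        found.append(EmbeddedObject(declared, ole1_class_name(blob), len(blob)))
    return found


def suspicious_objects(rtf: str) -> List[EmbeddedObject]:
    return [o for o in embedded_objects(rtf) if o.suspicious]


# Constructed sample document (not a real RoyalRoad file): three embedded objects.
SAMPLE_RTF = "\n".join([
    r"{\rtf1\ansi\deff0",
    r"{\object\objemb{\*\objclass Equation.3}",                     # 1: honest Equation.3 object
    r"{\*\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300",
    r"00000000 00000000 04000000 deadbeef}}",
    r"{\object\objemb{\*\objclass Word.Document.8}",                # 2: decoy label, Equation inside
    r"{\*\objdata 0105000002000000",
    r"0b000000 45 71 55 61 54 69 4f 6e 2e 33 00 00000000 00000000 02000000 4141}}",
    r"{\object\objemb{\*\objclass Package}",                        # 3: benign packager object
    r"{\*\objdata 01050000 02000000 08000000 5061636b61676500 00000000 00000000 01000000 00}}",
    r"\par Important information about coronavirus (constructed sample)",
    "}",
])

if __name__ == "__main__":
    for obj in embedded_objects(SAMPLE_RTF):
        flag = "SUSPICIOUS" if obj.suspicious else "ok"
        print(f"{flag:10} declared={obj.declared!r:20} actual={obj.actual!r:16} size={obj.size}")
```

The point of reading the OLE header rather than trusting `\*\objclass` is that the declared ProgID is free text the attacker writes, while the class name inside the decoded blob is what Office will actually dispatch on. Matching on `equation` case-insensitively catches the mixed-case spellings builders use to evade naive string scans.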
Coronavirus malware took a lot of different forms in a short span of time. In mid-March 2020, a new strain of ransomware appeared in the wild, referred to here as CoronaVi2022 after the contact address its author uses. Distributed primarily through spam emails and malicious attachments, the ransomware asks for a relatively modest 0.008 BTC (roughly 50 USD at the time) and seems to be targeting home users rather than corporations and government institutions. It encrypts most common file types, including images, databases and office files, and marks each encrypted file by prepending its author's email address, coronaVi2022[at]protonmail[dot]ch, to the file name.
The same ransomware was also spotted bundled with the info-stealer trojan Kpot. A malicious site was distributing an executable named WSHSetup.exe that installed both the coronavirus ransomware and the Kpot trojan on the victim's machine. Kpot can scrape account information from a number of web browsers, email clients, cryptocurrency wallets and game distribution clients.
Along with the desktop CoronaVi2022 ransomware, Android phones were hit by a malicious app posing as a coronavirus tracker. The mobile malware behaved like a screen locker, locking the phone and demanding $250 in ransom. Thankfully, despite its very threatening messages to the victim, the locker was a rushed job: security researchers found a hardcoded, universal unlock key in the app itself. Anyone who installed the fake coronavirus tracker can unlock their phone with the code '4865083501'. The discovery was made by the DomainTools security research team.
The sudden spike in coronavirus malware also made some older threats topical once again. The info-stealer AZORult, which debuted back in 2016, made the headlines again after it was used in a fake online COVID-19 infection and mortality tracking map. The real map is maintained by the Center for Systems Science and Engineering at Johns Hopkins University and is hosted on a completely different domain. The malicious site hosting the fake map cloned its visual style, but also distributed a payload named 'corona.exe' that carries AZORult and scrapes victim systems for cryptocurrency wallets and Steam accounts, among other data. The domain that hosted the malicious online map has since been taken down.
The best way for home users to stay safe and protect their systems from coronavirus malware is to download files only from trusted sites, never click on unsolicited links, and check the address bar of their browser to make sure the URL is spelled correctly and points to the site they expect.
With real-world COVID-19 cases starting to grow exponentially in a number of new countries, computer users should expect hackers to continue taking advantage of this global health crisis.
About EnigmaSoft Limited
EnigmaSoft Limited is a privately held Irish company with offices and global headquarters in Dublin, Ireland. EnigmaSoft is best known for developing and distributing SpyHunter, an anti-malware software product and service. SpyHunter detects and removes malware, enhances Internet privacy, and eliminates security threats – addressing issues such as malware, ransomware, trojans, rogue anti-spyware, and other malicious security threats affecting millions of PC users on the web.