With the Coronavirus (COVID-19) pandemic sweeping the globe, malware authors and threat actors have been working on schemes that take advantage of the fears of the populace. Malware that wipes PCs and destroys systems isn't something new, either wiping files or rewriting the Master Boot Record (MBR). Security researchers found new malware strains carrying the coronavirus theme and aimed at destruction, rather than the usual modus operandi of financial gain.
This Week In Malware Ep 11: Hackers Thrive on Covid-19 Themed Ransomware & Malware Attacks
MBR Rewriting Malware
Of the malware samples picked up by various security researchers in March 2020, the most advanced were two samples aimed at rewriting MBR sectors. The creation of that malware is aimed at making systems won't boot up at all once infected.
The first of these MBR rewriters was found by security researchers MalwareHunterTeam. Using the name COVID-19.exe, the malware infects computers and has two infection stages. In the first phase, the malware shows a window users can't close, since the threat disables the Windows Task Manager. Whenever the users try to close the window, the malware is rewriting the master boot record during the infection. Once the operation is complete, the malware performs a system reboot, and the new MBR kicks in, locking the users into a pre-boot screen. Users may eventually regain access, but much work may be necessary as well as specialized apps to recover and rebuild the MBR back to a working state.
There is a second coronavirus-themed malware strain that works on rewriting the MBR. Posing under the name 'CoronaVirus ransomware,' it is a more complex malware operation. The malware's primary function was to steal passwords and to mimic ransomware behavior to fool the users about the actual goal of the malware.
Once the data collecting work is done, the malware moves into a phase where it rewrites the MBR, blocking users into seeing a pre-boot message and preventing access to the infected PC. Users may end up seeing ransom notes, being blocked from using their machines, so the last thing they may guess is that their passwords were stolen in the process.
G DATA malware researcher Karsten Hahn discovered the second version of the malware. The malware kept the MBR rewrite abilities but replaced the data wiper with a screen locker instead.
Data Wipers During the COVID-19 Pandemic
Security researchers spotted more than one MBR rewriter, but also two data wipers. Malware HunterTeam discovered both of those. The first one was spotted in February 2020. It was using a Chinese name, likely targeted at Chinese users. There isn't enough information at this time about its distribution in the wild.
The second one was found and uploaded on VirusTotal by an Italian security researcher.
MalwareHunterTeam shared that both strains were what they considered poor wipers because of the inefficient and time-consuming methods used to erase files on infected machines. The wipers work, however, so they are still dangerous if they spread as part of a campaign or otherwise.