The recently discovered weaponized coronavirus map found to infect victims with a variant of the information-stealing AZORult malware has been sold online by Russian language cybercrime forums, according to a new report.
Security expert Brian Krebs states in a blog post published this week that the live, interactive map dashboard was part of an infection kit designed for a Java-based malware deployment operation.
Reportedly, the forums began selling the kit starting late last month. Prospective buyers with a Java code signing certificate can buy the kit for $200, but the price jumps to $700 if the purchaser wants to buy the seller's certificate, Krebs' report adds.
The sales thread on the forum also reportedly says that an attacker's malware payload can be bundled with the Java-based map into a filename in such a manner that most Webmail providers will allow the message to successfully reach the target. A video demonstration on the forum also shows that Gmail will overlook the malicious bundle, albeit with a warning that the file might be harmful, Krebs reported.
The kit "loads [a] fully working online map of Corona Virus infected areas and other data," the seller reportedly states. "Loader loads .jar files which has real working interactive Coronavirus realtime data map and a payload (can be a separate loader)... Loader can predownload only map and payload will be loaded after the map is launched to show map faster to users. Or vice versa payload can be predownloaded and launched first."
Cyberattackers continue to seize on the dire need for information surrounding the novel coronavirus. Malwarebytes has already issued a warning about the malicious map, and Reason Security followed up with its own blog post, reporting additional details on the scam, gathered by Reason Labs researcher Shai Alfasi.
The map, which was found at the domain www.Corona-Virus-Map[.]com, appears very polished and convincing, showing an image of the world that depicts viral outbreaks with red dots of various sizes, depending on the number of infections. The map appears to offer a tally of confirmed cases, total deaths and total recoveries, by country, and cites Johns Hopkins University's Center for Systems Science and Engineering as its data source.
Reason Security reported that malware it observed, found within a file called corona.exe, carries typical AZORult functionality, with the ability to steal credentials, payment card numbers, cookies and sensitive browser-based data and exfiltrate that information to a command-and-control server.
According to Alfasi, the malware specifically seeks out cryptocurrency wallets (including those for Electrum and Ethereum), the Telegram desktop app and Steam accounts. It can also take unauthorized screenshots, resolved and save a victim's public IP address, and gather information on infect machines, including the OS system, architecture, hostname and username.
"The malware uses a few layers of packing as well as a multi-sub-process technique to make research more difficult," the blog post notes. "As the coronavirus continues to spread and more apps and technologies are developed to monitor it, we will likely be seeing an increase in corona malware and corona malware variants well into the foreseeable future," the report concludes.
"Coronavirus is a formidable and fairly unprecedented opportunity to trick panicking people amid the global havoc and mayhem. In light of the spiraling uncertainty and fake news, even experienced cybersecurity professionals may get scammed," said lia Kolochenko, founder and CEO of web security company ImmuniWeb. "Organizations should urgently consider implement and promulgate a clear, centralized and consistent internal process to communicate all the events and precautions related to the coronavirus pandemic. Corporate cybersecurity and security awareness should constitute an invaluable part of such communications, as cybercriminals are profiteering from obscurity and uncertainty."
