Threat Management, Malware

Malicious coronavirus map hides AZORult info-stealing malware

Cyberattackers continue to seize on the dire need for information surrounding the novel coronavirus. In one of the latest examples, adversaries have created a weaponized coronavirus map app that infects victims with a variant of the information-stealing AZORult malware.

The malicious online map, found at www.Corona-Virus-Map[.]com, appears very polished and convincing, showing an image of the world that depicts viral outbreaks with red dots of various sizes, depending on the number of infections. The map appears to offer a tally of confirmed cases, total deaths and total recoveries, by country, and cites Johns Hopkins University's Center for Systems Science and Engineering as its supposed data source.

There is a genuine, safe version of the Johns Hopkins coronavirus map. It requires no download and can be accessed here.

Malwarebytes issued a warning about the malicious map last week, and Reason Cybersecurity this week has followed up with its own blog post, reporting additional details on the scam, gathered by Reason Labs researcher Shai Alfasi.

The malware, found within a file called corona.exe, carries typical AZORult functionality, with the ability to steal credentials, payment card numbers, cookies and sensitive browser-based data and exfiltrate that information to a command-and-control server.

According to Alfasi, the malware specifically seeks out cryptocurrency wallets (including those for Electrum and Ethereum), the Telegram desktop app and Steam accounts. It can also take unauthorized screenshots, resolve and save a victim's public IP address, and gather information on infect machines, including the OS system, architecture, hostname and username.

"The malware uses a few layers of packing as well as a multi-sub-process technique to make research more difficult," the blog post notes. "As the coronavirus continues to spread and more apps and technologies are developed to monitor it, we will likely be seeing an increase in corona malware and corona malware variants well into the foreseeable future," the report concludes.

Asked by SC Media how potential victims were being lured to the map, Alfasi responded, "The malicious map is not distributed via mail campaign or phishing. I believe the malware was burned down pretty fast before attackers could invest time on spreading tactics. When malware is getting caught before the spreading process, it means that the author didn't take any sec-ops actions in order to keep it safe until the spreading process."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.