‘Coronavirus Maps’ and Scam Malware Infecting PCs to Steal Passwords | Ron Benvenisti

The pandemic-level spread of COVID-19 requires the utmost caution not only offline (to avoid contracting the disease) but also online. Cyber attackers are exploiting coronavirus-related resources on the web, particularly maps. Don’t fall prey to the attacks.

If you are looking for cartographic presentations of the spread of COVID-19 on the Internet, you can inadvertently be tricked into downloading and running a malicious application that displays a legitimate online source in the foreground but compromises the computer in the background.

It involves a well-known malware, AZORult, an information-stealing application discovered in 2016. AZORult malware collects information stored in web browser cookies, browsing histories, user IDs, passwords, and even cryptocurrency keys.

With this data in hand cybercriminals can steal credit card numbers, login credentials, and personally sensitive information.

One particularly malicious version is capable of generating a hidden administrator account to enable connections via the remote desktop protocol (RDP).
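Because the variant described above persists by adding a hidden local administrator account and opening the way for RDP, the following audit script (added here as an example; it is not part of the article and not tied to any specific sample) lists the local Administrators group, flags members hidden from the logon screen through the Winlogon SpecialAccounts\UserList key, reports whether Remote Desktop is enabled, and shows recent account-creation events. It assumes Windows 10/Server 2016 or later and an elevated PowerShell prompt.

```powershell
# Added audit script, not from the article. Assumes Windows 10/Server 2016+,
# the built-in Microsoft.PowerShell.LocalAccounts module, and an elevated prompt.

$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$rdpKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# An account whose value under UserList is 0 is hidden from the logon screen / user picker.
$hidden = @()
if (Test-Path $userListKey) {
    $props = Get-ItemProperty -Path $userListKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) { $hidden += $p.Name }
    }
}

# Members of the local Administrators group; the well-known SID avoids locale-specific group names.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $_.Name.Split('\')[-1] }

Write-Host 'Local administrators:'
foreach ($a in $admins) {
    $flag = if ($hidden -contains $a) { '   <-- HIDDEN from logon screen, investigate' } else { '' }
    Write-Host "  $a$flag"
}

# fDenyTSConnections = 0 means Remote Desktop connections are allowed on this host.
$deny = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 0) {
    Write-Warning 'Remote Desktop is ENABLED; confirm this is expected and that MFA/VPN gate it.'
} else {
    Write-Host 'Remote Desktop is disabled.'
}

# Security event 4720 = "A user account was created"; review the most recent ones.
Write-Host 'Recent local account creations (event 4720):'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $name = ($_.Properties[0].Value)   # target account name is the first event property
        Write-Host ("  {0}  {1}" -f $_.TimeCreated, $name)
    }
```

Any administrator that appears in the hidden list, or a 4720 event you cannot account for, is worth treating as a possible compromise and pairing with a review of RDP logon events.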

Double-clicking the file opens a window that shows various information about the spread of COVID-19. It is a replica of the “map of infections” hosted by Johns Hopkins University, a legitimate online source for visualizing and tracking reported coronavirus cases in real time.

The information presented is not just a view of random data; it is actual COVID-19 information pulled from the Johns Hopkins website.

To be clear, the original coronavirus maps hosted online by Johns Hopkins University and ArcGIS are not infected or backdoored in any way and are safe to visit.

What makes this particularly dangerous is that you don’t even need to interact with the window or enter any sensitive information in it.


COVID-19 Discounts: Exploit Tools for Sale

The report comes following an uptick in the number of malicious coronavirus-related domains that have been registered since the start of January.

“In the past three weeks alone (since the end of February 2020), we have noticed a huge increase in the number of domains registered — the average number of new domains is almost 10 times more than the average number found in previous weeks,” the researchers said. “0.8 percent of these domains were found to be malicious (93 websites), and another 19 percent were found to be suspicious (more than 2,200 websites).”

Some of the tools available for purchase at a discounted price include “WinDefender bypass” and “Build to bypass email and chrome security.” Another hacking group, which goes by the moniker “SSHacker,” is offering the service of hacking into a Facebook account at a 15 percent discount with a “COVID-19” promo code. Another seller that goes by the name of “True Mac” is selling a 2019 MacBook Air model for a mere $390 as a “corona special offer.” It goes without saying that the offer is a scam.


List of Coronavirus-Themed Attacks

The latest development adds to a long list of cyberattacks against hospitals and testing centers, phishing campaigns that distribute malware such as AZORult, Emotet, Nanocore RAT and TrickBot via malicious links and attachments, and malware and ransomware attacks that aim to profit off the global health concern.

  1. APT36, a Pakistani state-sponsored threat actor that targets the defense, embassies, and the government of India, was found running a spear-phishing campaign using Coronavirus-themed document baits that masqueraded as health advisories to deploy the Crimson Remote Administration Tool (RAT) onto target systems.
  2. Researchers from security firm IssueMakersLab uncovered a malware campaign launched by North Korean hackers that used booby-trapped documents detailing South Korea’s response to the COVID-19 epidemic as a lure to drop BabyShark malware. Recorded Future observed “at least three cases where reference to COVID-19 has been leveraged by possible nation-state actors.”
  3. A COVID-19-themed malspam campaign targeted the manufacturing, industrial, finance, transportation, pharmaceutical, and cosmetic industries via Microsoft Word documents that exploit a two-and-a-half-year-old Microsoft Office bug in Equation Editor to install AZORult malware. The AZORult info stealer has also been distributed using a fraudulent version of the Johns Hopkins Coronavirus Map in the form of a malicious executable.
  4. A fake real-time coronavirus tracking Android app, called “COVID19 Tracker,” was found to abuse user permissions to change the phone’s lock screen password and install CovidLock ransomware in return for a $100 bitcoin ransom.
  5. Another phishing attack, uncovered by Abnormal Security, targeted students and university staff with bogus emails in a bid to steal their Office 365 credentials by redirecting unsuspecting victims to a fake Office 365 login page.
  6. Comment spamming attacks on websites that contained links to a seemingly innocuous coronavirus information website but redirected users to dubious drug-selling businesses.
  7. Aside from malware-laden spam emails, F-Secure researchers have observed a new spam campaign that aims to capitalize on the widespread mask shortage to trick recipients into paying for masks, only to send them nothing.

Staying Secure in the Digital COVID-19 Epidemic

It was Obama’s former AG, Eric Holder, who said “Never let a crisis go to waste.” This is the man responsible for the “Fast and Furious” Mexican gun-running scandal, which ended up putting American weapons in the hands of Mexican drug cartels, and many Border Patrol agents wound up dead as a result. Similarly, these attacks exploit the coronavirus crisis, the panic and fear, and people’s hunger for information about the outbreak. Given the impact on the security of businesses and individuals alike, here I go again for the umpteenth time on TLS: it’s essential to avoid falling victim to online scams by practicing good digital hygiene:

  • Businesses should ensure that secure remote access technologies are in place and configured correctly, including the use of multi-factor authentication, so that employees can conduct business just as securely from home.
  • Individuals should keep away from using unauthorized personal devices for work, and ensure that “personal devices will need to have the same level of security as a company-owned device, and you will also need to consider the privacy implications of employee-owned devices connecting to a business network.”
  • Watch out for emails and files received from unknown senders. Most importantly, check a sender’s email address for authenticity, don’t open unknown attachments or click on suspicious links, and avoid emails that ask you to share sensitive data such as account passwords or bank information.
  • Use trusted sources, such as legitimate government websites, for up-to-date, fact-based information about COVID-19.

Watch for emails and directions to unfamiliar sites, and as always, DO NOT CLICK and your computer won’t get sick.

But do pro-actively take precautions to protect against the “offline” COVID-19 for the health of your loved ones and yourself.

Stay safe.

Ron Benvenisti
