"Coronavirus map" is found to spread data-stealing malware

The name of the pandemic disease has been abused by cyber crooks

"Coronavirus map" is a way to spread information-gathering malwareHackers employ the Corona-virus-Map.com.exe to launch a malicious infection that includes some modules of AZORult trojan

Hackers decided to make the panic related to coronavirus to bring benefits for them. COVID-19 is a disease that became pandemic in March 2020 and a lot of people have been browsing the web to catch any relevant information regarding affected areas in the entire world. However, if you have recently installed Corona-virus-Map.com.exe, we have some bad news for you.

Unfortunately, crooks have been taking advantage of this interest and started distributing fake Coronavirus maps that are supposed to show users all the spreading places of the health threat. While the person might feel relieved when finding the information that he was searching for, there is a dangerous malware, the AZORult Trojan,[1] hidden inside the app. Once installed, it starts functioning in the background of the machine to gather sensitive data. The map is just a disguise.

Coronavirus is also a name spotted in other cyber attacks and phishing attempts

However, it is not the first time when the name of Coronavirus is being misused by bad actors. About a month ago, scammers posed as WHO (World Health Organization) and delivered numerous awareness notifications to random users.[2] The fake email message urged users to open the attached document by clicking on the “Safety measures” button to view all needed precautionary measures.

However, this is also just a trick used on those who have endless interest and fear of the disease. By downloading the attachment, users can unknowingly execute malware to their computers. Another time when the Coronavirus name was misused, criminals also sent phishing email messages which contained Word documents that were responsible for launching Emotet malware on computers.

The newly discovered “Coronavirus Maps” attack includes AZORult payload

Cybersecurity researchers from MalwareHunterTeam[3] and Reason Labs were the first ones to spot and analyze this infection. Shai Alfasi from the recent company discovered that “Coronavirus Maps” is a new malware form that also consists of the payload of AZORult Trojan virus that has also been recognized as a data-stealing parasite in the past.

The malware targets all types of sensitive information that is stored on the computer and web browsers. Besides gathering installed cookies, surfing habits, and online activities, the trojan can also capture the IDs of users, passwords that are used for logging into different online accounts, stored credentials, and other banking information. A more advanced variant of AZORult can initiate connections through RDP by employing a secret administrative account.

Corona-virus-Map.com.exe is the main executable of the distributed malware

According to cybersecurity researchers, the newly-discovered malware cames in the form of an executable that is named Corona-virus-Map.com.exe. It is supported by the Win 32-bit platform and takes only 3.26 MB of space. When the victim aims to access this file, he is provided with a map that shows places where COVID-19 (Coronavirus disease)[4] is spread worldwide. You might think that the information provided there is false but it truly is stolen from a legitimate map source that has already been released by Johns Hopkins University.

The Coronavirus Map includes red-colored places where the infection is widespread and overtakes many countries worldwide. Users can also view numbers of infected people in different locations on the left of the window and they can also count both deaths and recoveries on the right side.

Multiple processes are used for the execution of the malicious trojan

The execution process of the virus contains not only from the Corona-virus-Map.exe but also from other included executables such as Bin.exe, Corona.exe, Build.exe, and Windows.Globalization.Fontgroups.exe. According to Reason Labs report, the malware modifies some registers under the entries of LanguageList and ZoneMap, includes some mutexes by the name BasedNameObjects. However, this is just a small piece described how the attack works. More information can be found in the Reasons Labs report.[5]

According to researchers from the mentioned cyber company, the data-stealing process is what comes next. The experts launched an investigation and discovered that the password-gathering task looks easily manageable:

The password-stealing operation process is simple because the malware steals the “login data” from the installed browser and moves it to “C:\\Windows\\Temp”. The “login data” is based on Sqlite3 DB structure. To read the date the malware queries the SQLite data in order to extract the information. Once the extraction is over, the malware creates a file called “PasswordList.txt”, which holds all the information.

Furthermore, the researchers made an internal investigation on the Bin.exe code that was included in the malware and discovered that it was suited for searching for various digital currency wallets such as Ethereum and Electrum, Telegram Desktop, Steam accounts. The findings are screenshotted by the virus and saved in the scr.jpg file, the IP address of the computer is kept in the ip.txt component. Nevertheless, the Trojan virus is capable of gathering various system-related details such as the type of OS used, hostname, username, and architecture.

Malware such as trojans show almost none symptoms of infection

If you have been infected with a malicious piece of software through Corona-virus-Map.exe or another source, there is a big chance that you will not notice anything suspicious at first, especially if you are a less-experienced user. Trojans and other malware sneak into the system and stay silent to be persistent for a longer period of time.

The only things an attentive user might notice is that the CPU power has been rising for no accurate reason, programs and services have been operating slowly, windows are minimizing and maximizing with struggles, the computer system has become sluggish. Some other symptoms might include unknown processes running in the Windows Task Manager, suspicious entries placed in the Windows Registry. However, the best way to capture malware and protect yourself from it is by employing strong and reliable security tools. Do not be afraid to invest in your cyber safety.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions