Info-Stealing Coronavirus Threat Map Detected

Written by

Cyber-criminals have launched a fake coronavirus threat map website to steal personal information from a panicked public.

The new site joins a growing number of scams exploiting COVID-19, proving that while the world may be running out of hand sanitizer, criminals are not running out of new ways to exploit human fear and curiosity.

The map was found doing its dirty work via the link corona-virus-map.com.exe by Reason Labs researcher Shai Alfasi. Victims who visit the page are shown a map of the globe highlighting to which countries the virus has spread together with stats on the number of deaths and infections recorded.

To give the fake and malicious map an extra aura of authenticity, criminals have designed it to mimic a legitimate COVID-19 threat map created by Johns Hopkins University that similarly shows countries hit by the virus together with the latest statistics.  

"The malware has a graphical user interface that looks very good and convincing," said Alfasi.

Alfasi discovered emails containing links to the bogus map. Victims who clicked on the links unknowingly activated malicious information-stealing software. 

"This technique is pretty common. I came across it once before, and after doing some digging around, discovered that this information-stealing tactic came from a malware family called 'AZORult,' which was first seen in the wild in 2016," said Alfasi.

AZORult is commonly sold on Russian underground forums for the purpose of collecting sensitive data from an infected computer. 

The malware can be used to steal browsing history, cookies, ID/passwords, cryptocurrency, credit card information stored in users' browser history, and more. It can also download additional malicious software onto infected machines. 

In the course of his research, Alfasi observed the malware "looking for different cryptocurrency wallets such as Electrum and Ethereum."

Describing how the malware works, Alfasi said: "When the victim gets infected, the malware extracts data and creates a unique ID of the victim’s workstation. It then applies XOR encryption using the generated ID. This ID is used to tag the workstation in order to start C2 communication. 

"The C2 server responds with configuration data, which contains target web browser names, web browser path information, API names, sqlite3 queries, and legitimate DLLs."

What’s hot on Infosecurity Magazine?