The “other” (corona)virus: beware of malware that exploits the COVID-19 epidemic

The devil finds work for idle hands, the old saying goes. Perhaps he was also the one who planted a malignant idea in a hacker’s head a few days ago: exploiting the hugely popular online map posted by Johns Hopkins University to hijack unsuspecting web surfers. The incident was unpleasant and motivated Esri, the GIS market leader and host of the map, to publish a clarification.

What happened?

The creator of a malicious, downloadable Windows-based application had the idea of inserting a call to the URL of the Johns Hopkins dashboard and displaying the results inside the application window. The effect is a screen nearly identical to the popular map, which has been used for several weeks by the general public all over the world to follow the spread of the pandemic.

“The malicious app once downloaded and installed deploys malware called AZORult which is designed to steal credentials in the background (among other activities)”, Esri explains on their website, posting screenshots of the malware and the original map side by side to point out both the similarity and the difference. The bottom line is that the malware requires downloading an executable, or receiving it via an email containing a download link. Accessing the map with any standard web browser is fine.

“The malicious executable was removed from its initial download location hosted on a malicious site (not managed by Esri or Johns Hopkins), but it may appear again”, Esri warns. The popular map is a dashboard web application hosted by Esri as part of their ArcGIS Online offering.

The malicious app was found on a suspicious website. The downloadable file carried typical AZORult functionality, with the ability to steal credentials, payment card numbers, cookies and sensitive browser-based data and exfiltrate that information to a command-and-control server. Malwarebytes was the first to raise the alarm, reporting that “we have now updated the detection name to Spyware.AzorUlt.”

That was not the whole story, as Malwarebytes explains. In Japan, cybercriminals launched a whole Emotet campaign. Spam emails circulated malicious Word documents purporting to contain useful information on virus prevention. And that was not the only format used. A swathe of files circulated online, with the malware embedded in PDFs, MP4s and Docx files. The titles were suggestive of protection tips against the most feared virus.

Kaspersky disclosed that the following malicious agents were found in files with virus-related names:

  • VBS.Dinihou.r
  • Python.Agent.c
  • UDS:DangerousObject.Multi.Generic
  • WinLNK.Agent.ew
  • HEUR:Trojan.WinLNK.Agent.gen
  • HEUR:Trojan.PDF.Badur.b

Some phishing emails went as far as claiming to come from the US Centers for Disease Control and Prevention. One specific scam detected by Malwarebytes tried to direct victims to a purported donation page to help support government and medical research.

Luckily, the vaccine against this type of infection is always available: do not download and run suspicious apps or open suspicious links.

Image by Elchinator