I’ve already reported on the dangers online, as hackers hide behind our coronavirus obsession to target us with malicious malware. Well, here’s another variation on that theme, with a warning that tempting “Coronavirus Maps” are now being used to plant malware on victims’ computers. Reason Labs delved into this particular threat, albeit warnings about the map’s website had been issued before, cautioning users that such downloads will “steal credentials such as user names, passwords, credit card numbers and other sensitive information.”
The specific malware this time around is AZORult, which has been in the wild for four years now, stealing user information and acting as a dropper for other malware strains. AZORult has been doing the rounds among cybercriminals, changing hands on Russia’s underground forums, helping to fuel a range of malicious campaigns.
There’s no real limits to the data that AZORult has been known to sniff out on infected machines, and so for users the risks can be multifaceted—standard credentials, bitcoin wallets, chat platform history and messages, as well as installing backdoors into systems for further compromises.
Reason Labs researcher Shai Alfasi investigated the threat and explains in a blog that “when victims get infected, the malware extracts data and creates a unique ID of the victim’s workstation—The C2 server responds with configuration data, which contains target web browser names, web browser path information, API names, sqlite3 queries, and legitimate DLLs.”
It appears that credential theft is the primary target fo the malware this time around, and those credentials can be used for targeting other sites, contacts, financial platforms and even enterprises. “The password-stealing operation process is simple,” Alfasi says, “because the malware steals the ‘login data’ from the installed browser and moves it to ‘C:\Windows\Temp’.”
Users do not need to download an app to run risks, even interactive browser dashboards can be infected. And so you should avoid accessing any such maps or links under any circumstances. This particular .exe file appears to come from Johns Hopkins, and mimics a real map. It’s difficult to tell—but if you search for the legitimate site you will find the real information available there.
It isn’t difficult for hackers to play on our fears and use legitimate brands to disguise their ploys. As ever, the advice whether it’s websites, apps or emails, is only to seek information from legitimate health services and government bodies on original sites. When a story becomes as universal as this one, it’s a hackers’ paradise. It’s critical that we don’t play into their hands.