Cybercriminals never miss an opportunity to exploit a vulnerability or a situation to prey on users online. Now they are taking advantage of the fear and panic caused by the spread of the 2019 Novel Coronavirus (2019-nCoV).
Shai Alfasi, a security researcher at Reason Labs, discovered that threat actors are spreading malware disguised as a “Coronavirus map” to steal personal information such as usernames, passwords, credit card numbers, and other sensitive data stored in the users’ browsers. Attackers use the stolen information for illegal activities such as gaining access to bank accounts or selling it on the deep web.
Attacking via Malicious Coronavirus Map
Attackers designed multiple websites related to coronavirus information that prompt users to click on or download an application to stay updated on the situation. The website displays a genuine-looking map representing the spread of COVID-19, while a malicious binary file is generated and installed on the victim’s device.
According to Alfasi, the new malware activates malicious software tracked as “AZORult”, an information stealer first discovered in 2016. Attackers use AZORult to steal users’ browsing history, cookies, IDs/passwords, and cryptocurrency, and it is also able to download additional malware onto infected devices. Describing AZORult, Alfasi said, “AZORult is commonly sold on Russian underground forums for the purpose of collecting sensitive data from an infected computer. There is also a variant of the AZORult that creates a new, hidden administrator account on the infected machine in order to allow Remote Desktop Protocol (RDP) connections.”
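The hidden-administrator behaviour described above leaves a recognisable trail in the Windows Security log: an account is created and, moments later, added to a privileged local group. The following added detection example (not code from the article or from Reason Labs) correlates those two events over constructed sample log lines; event IDs 4720 and 4732 are real Windows Security IDs, but the simplified line format, account names and time window are assumptions.

```python
"""Flag newly created local accounts that are promoted to an RDP-capable
privileged group within a short window (added detection example)."""
from datetime import datetime, timedelta

# Constructed sample of simplified Security log lines:
# "<ISO timestamp> <event_id> <account_name> [<group_name>]"
# 4720 = user account created, 4732 = member added to a local group.
SAMPLE_EVENTS = """\
2020-03-10T09:00:01 4720 svc_backup
2020-03-10T09:00:03 4732 svc_backup Administrators
2020-03-10T11:15:00 4720 jdoe
2020-03-10T15:42:10 4732 jdoe Remote Desktop Users
2020-03-11T02:13:44 4720 sysmaint
2020-03-11T02:13:45 4732 sysmaint Administrators
"""

# Groups whose membership enables interactive/RDP access (assumed watch list).
WATCHED_GROUPS = {"Administrators", "Remote Desktop Users"}


def parse_events(text):
    """Return (timestamp, event_id, account, group_or_None) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(parts[0])
        group = parts[3] if len(parts) > 3 else None
        events.append((ts, int(parts[1]), parts[2], group))
    return events


def find_fast_promotions(events, window=timedelta(minutes=10), approved=frozenset()):
    """Accounts created and added to a watched group within `window`,
    excluding accounts on an approved change list."""
    created = {}
    hits = []
    for ts, event_id, account, group in events:
        if event_id == 4720:
            created[account] = ts
        elif event_id == 4732 and group in WATCHED_GROUPS:
            created_at = created.get(account)
            if created_at is not None and ts - created_at <= window \
                    and account not in approved:
                hits.append(account)
    return hits


if __name__ == "__main__":
    print(find_fast_promotions(parse_events(SAMPLE_EVENTS), approved={"svc_backup"}))
```

In the sample, jdoe is not flagged because the group change comes hours after account creation, and svc_backup is suppressed by the approved list, leaving only sysmaint.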
“As the coronavirus continues to spread and more apps and technologies are developed to monitor it, we will likely be seeing an increase in corona malware and corona malware variants well into the foreseeable future,” Alfasi added.
Coronavirus Propagates Emotet Malspam Campaign in Japan
An Emotet malware spam (malspam) campaign disguised as official coronavirus notifications from disability welfare service providers and public health centers was observed targeting audiences in Japan, including the prefectures of Osaka, Gifu, and Tottori.
Analysts from IBM X-Force and Kaspersky, along with infosec community experts, found that Emotet operators used templates from previously compromised accounts to target potential victims in the malspam campaign. According to IBM, the attackers appear to be geo-targeting the email content and language to instil fear among audiences in these areas, thus making them more likely to open the malicious attachment.