Coronavirus Maps – Hackers Hide Malware to Infect Your PC!

Malicious actors hide data-stealing malware in coronavirus maps

Malicious actors continue to take advantage of the coronavirus outbreak to distribute malware and steal information. This time, they are disguising data stealing malware as a coronavirus map detailing infections around the world. Cybersecurity company Reason Security published a report detailing the malware after their cybersecurity researcher was able to analyse a sample.

“Reason Labs’ cybersecurity researcher, Shai Alfasi, found and analyzed this malware that had weaponized coronavirus map applications in order to steal credentials such as user names, passwords, credit card numbers and other sensitive information that is stored in the users’ browser,” Reason Labs said in a post about the malware.

According to the researcher, the malware is a new strain of a known infection AZORult, a data stealer active since 2016. Among its malicious capabilities is stealing browsing history, cookies, ID and passwords, as well as installing other malware onto the infected computer. Other information like credit card numbers and cryptocurrency logins may also be exposed. It has been noticed that AZORult is commonly found sold on Russian underground forums.

How does the coronavirus map malware work

The malware is distributed via websites related to the coronavirus. For example, a site (such as Corona-Virus-Map[.]com) displaying a map of the coronavirus spread may encourage users to download a program that would help keep track of what is going on. While such sites may display legitimate data, they are not actually legitimate. They’re essentially a front so malicious actors can trick users into downloading malware.

If the malicious file corona.exe is downloaded and opened, a window will appear displaying information related to the coronavirus. A map of COVID-19 infections around the world also loads, and it strongly resembles the one maintained by Johns Hopkins University. Like the legitimate coronavirus map, the malicious one shows the total number of confirmed cases on the left, while total deaths and total recovered sections are on the right. The interactive map also allows one to check countries and their confirmed cases. The map shows mostly accurate, perhaps slightly outdated information because the data is taken from legitimate sources.

Once the malware is initiated, it can start its malicious activity in the background. Users would likely not even notice that it’s stealing their browser information, which may include sensitive data. Shai Alfasi, the Reason Labs researcher who analysed the sample, has also said AZORult may be targetting different cryptocurrency wallets like Electrum and Ethereum, Telegram Desktop and Steam accounts, as well as taking screenshots.

Preventing an infection

As is the case with all malware, using credible anti-malware software to delete AZORult and prevent it from stealing information is necessary. Detecting it manually, particularly for users who are oblivious to their computer’s behaviour, will be challenging, and deleting it could be impossible.

Furthermore, being cautious when downloading and opening files is also a good idea. It’s understandable that because of the ongoing coronavirus outbreak, many users are eager to find more information, but precisely at times like these cyber criminals become particularly active. Users need to be extra cautious to not download or open questionable files, especially if their computers do not have security software installed.