Cyberattackers continue to seize on the dire need for information surrounding the novel coronavirus. In one of the latest examples, adversaries have created a weaponized coronavirus map app that infects victims with a variant of the information-stealing AZORult malware.
The malicious online map, found at www.Corona-Virus-Map[.]com, appears very polished and convincing, showing an image of the world that depicts viral outbreaks with red dots of various sizes, depending on the number of infections. The map appears to offer a tally of confirmed cases, total deaths and total recoveries, by country, and cites Johns Hopkins University’s Center for Systems Science and Engineering as its supposed data source.
Malwarebytes issued a warning about the map last week, and Reason Cybersecurity this week has followed up with its own blog post, reporting additional details on the scam, gathered by Reason Labs researcher Shai Alfasi.
The malware, found within a file called corona.exe, carries typical AZORult functionality, with the ability to steal credentials, payment card numbers, cookies and sensitive browser-based data and exfiltrate that information to a command-and-control server.
According to Alfasi, the malware specifically seeks out cryptocurrency wallets (including those for Electrum and Ethereum), the Telegram desktop app and Steam accounts. It can also take unauthorized screenshots, resolved and save a victim’s public IP address, and gather information on infect machines, including the OS system, architecture, hostname and username.
“The malware uses a few layers of packing as well as a multi-sub-process technique to make research more difficult,” the blog post notes. “As the coronavirus continues to spread and more apps and technologies are developed to monitor it, we will likely be seeing an increase in corona malware and corona malware variants well into the foreseeable future,” the repot concludes.