Crooks use weaponized coronavirus map to deliver malware

Pierluigi Paganini March 12, 2020

While WHO declares the coronavirus outbreak a pandemic, crooks are attempting to exploit the situation to monetize their efforts.

Cybercriminals continue to exploit the fear in the coronavirus outbreak to spread malware and steal sensitive data from victims.

Experts from cybersecurity Reason reported cybercrimnals are using new coronavirus-themed attacks to deliver malware.

Crooks are targeting users interested in the map representing the infection of COVID-19, in the campaign uncovered by the experts, the attackers are tricking them into downloading and running a malicious application that shows a map loaded from a legit online source.

“This demand creates a vulnerability that malicious actors have quickly taken advantage of by spreading malware disguised as a “Coronavirus map”. reads the analysis published by Reason Labs. “Shai Alfasi, found and analyzed this malware that had weaponized coronavirus map applications in order to steal credentials such as user names, passwords, credit card numbers and other sensitive information that is stored in the users’ browser.”

Attackers are using the weaponized Coronavirus map to steal sensitive and financial data and selling it on the dark web.

Once the victims run the executable, the malware shows a GUI that looks very good and convincing. Upon execution, the GUI window loads information from the Johns Hopkins website, while the malware runs in the background.

“The malware uses a few layers of packing as well as a multi-sub-process technique to make research more difficult. The malware also uses an information-stealing technique, which was first seen in 2016 and related to the “AZORult” malware family. To make sure the malware can persist and keep operating, it uses the “Task Scheduler”.” continues the analysis.

The campaign spotted by the experts aims at spreading the AZORult info stealer, a popular malware that was employed in numerous attacks to steal browsing history, cookies, ID/passwords, cryptocurrency and more.

The malicious code could be used also to download additional malicious payloads onto infected machines.

As the coronavirus continues, coronavirus-themed attacks will continue to target organizations and end-users.

The attack detailed by Reason Labs was first spotted by researchers from MalwareHunterTeam a few days ago.

Reason Labsì report also includes a link to the sample they have analyzed, ‘,’ along with indicators of compromise (IoCs).

Experts noticed that upon the execution of the, the malware creates duplicates of the file and multiple Corona.exe, Bin.exe, Build.exe, and Windows.Globalization.Fontgroups.exe files.

The malware also modifies several register entries under ZoneMap and LanguageList, and creates several mutexes.

Additional technical details are included in the analysis shared by Reason Labs.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – coronavirus, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment