Last week, security experts from MalwareHunterTeam detected new ransomware dubbed CoronaVirus has been distributed through a malicious web site that was advertising a legitimate system optimization software and utilities from WiseCleaner.
In this campaign, crooks are exploiting the interest in the Coronavirus (COVID-19) outbreak to deliver a couple of malware, the CoronaVirus Ransomware and the Kpot information-stealing Trojan.
According to MalwareHunterTeam researchers, the ransomware may actually be a wiper.
The website was distributing a file named WSHSetup.exe, it is the downloader for both the CoronaVirus Ransomware and the Kpot password-stealer.
Upon execution, the executable will attempt to download several files from a remote web site, at the time of the analysis, only a few of them were available. One of these files is, ‘file1.exe,’ which is the Kpot password-stealing Trojan.
KPOT Stealer is a “stealer” malware that focuses on exfiltrating account information and other data from web browsers, instant messengers, email, VPN, RDP, FTP, cryptocurrency, and gaming software.
The malware is also able to take a screenshot of the active desktop and also target wallets stored on the computer.
The second file downloaded by the initial dropper is ‘file2.exe’, is the CoronaVirus Ransomware, it is able to target a broad range of files.
The filename of the encrypted files will be changed to the attacker’s email address (i.e. test.jpg will be enamed to ‘coronaVi2022@protonmail.ch___1.jpg‘).
The ransomware drops in any folder that contain encrypted files, and on the desktop, a ransom note named CoronaVirus.txt.
Operators demand 0.008 (~$50) bitcoins to decrypt the data, the operators used the bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk00xa3j bitcoin wallet that has yet to receive any payment.
The ransomware also renames the C: drive to CoronaVirus, and on reboot, it displays a lock screen with the ransom note.
“Based on the low ransom amount, static bitcoin address, and political message, it is strongly suspected that this ransomware is being used more as a cover for the Kpot infection rather than to generate actual ransom payments.” reads the analysis published by BleepingComputer.
“BleepingComputer’s theory is that the ransomware component is being used to distract the user from realizing that the Kpot information-stealing Trojan was also installed to steal passwords, cookies, and cryptocurrency wallets.”
Additional technical details are reported in the analysis published by BleepingComputer.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – CoronaVirus ransomware, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
The MITRE Corporation revealed that a nation-state actor compromised its systems in January 2024 by…
China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher…
The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack…
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
This website uses cookies.