Photo Credit: Reason Lab
Hackers have found a way to steal private information from users by using maps that show the spread of coronavirus. A threat analysis report on the matter states that hackers are spreading malware which they disguise as a coronavirus map. This malware, when analysed, was found to steal user credentials which include passwords, credit card numbers, and other information from the browser. It was found that this malware used a known malicious software called AZORult to steal sensitive information from users.
The report by cyber-security researcher Shai Alfasi, from Reason Labs, claims that hackers were modifying URLs or adding different details while maintaining the genuine look of the original website, preventing users from realising something is wrong. The report states that the malware's graphic user interface (GUI) looks very convincing and it collects information from the Web to show accurate readings for coronavirus. Once the user visits these websites, they are prompted for a download which is disguised as an app that gives latest information on the spread of the virus.
This app then collects private data which the hackers can use to selling on the deep Web, accessing social media, or exploiting bank accounts. According to the report, the malware “activates a strain of malicious software known as AZORult” which was first discovered in 2016. “It is used to steal browsing history, cookies, ID/passwords, cryptocurrency and more. It can also download additional malware onto infected machines,” it adds.
One of the apps analysed by Alfasi was called Corona-virus-Map.com.exe. It is 3.26MB and since it is present in .exe format, can only infect Windows machines as of now. Shai ran ‘procmon' at the same time as the malware app and found a “multi-sub process that was created by ‘CoronaMap.exe' which is not the root process.” This .exe file creates another file called Corona.exe which is an archive which contains execution commands. After further investigation, Shai found that the malware stole login data from the users browser and moved it to ‘C:\Windows\Temp' and creates a filed called ‘PasswordList.txt' that stores all the information.
The complete research has been published on the Reason Labs blog.