The ongoing coronavirus outbreak has already disrupted businesses globally, but it is in no way obstructing cybercriminals. There are no signs of them slowing down; on the contrary, they are trying every possible way to make money out of this pandemic.
Back in January, hackers used coronavirus-themed emails to spread Emotet malware, and now they are using coronavirus global pandemic maps to spread AZORult malware.
What are hackers doing this time?
The catastrophic spread of SARS-CoV-2, the virus that causes COVID-19, is giving hackers an opportunity to launch cyber-attacks.
As coronavirus becomes a pandemic, everyone wants to know how rapidly it is spreading and infecting people across the globe. Hackers are exploiting this by tricking people with fake maps that show COVID-19 information in the front end while spreading malware in the background.
Several organizations, such as Johns Hopkins University, have developed dashboards to give out information about COVID-19. But cybercriminals are using nasty Trickbot malware to exploit coronavirus fears.
How are hackers using COVID-19 dashboards to infect systems?
Security researcher Shai Alfasi at Reason Labs revealed how threat actors are taking advantage of this situation by creating fake coronavirus maps, aka dashboards, that look just like the Johns Hopkins one. All of this involves the AZORult malware, which steals and collects information like usernames, passwords, credit card details and other data stored in browsers.
In simple words, unlike authentic dashboards, these fake dashboards prompt users to download a small Win32 EXE file that embeds a file named Corona-virus-Maps.com.exe.
Double-clicking the file displays information about COVID-19 while, in the background, it compromises the system and steals all the saved information.
To make it look real, hackers show in the center a map of infections similar to the Johns Hopkins University one.
In the left pane, it displays a geographical breakdown of the number of confirmed cases, while on the right you can see the number of recovered cases and deaths so far.
(Image: the fake dashboard; source: Reason Security)
Using these false means, AZORult gathers confidential information. Further, this malicious binary is capable of creating a hidden admin account on the compromised machine to enable connections via Remote Desktop Protocol and collect information.
What information is at risk?
Hackers are using COVID-19 maps to steal information like usernames, passwords, credit card numbers, and other data stored in your browser.
What systems are infected?
Presently, only Windows machines are affected by the malware. However, it is speculated that other systems will soon be affected, as hackers are working on a new version of this malware.
What are the signs of Infection?
Once Corona-virus.Map.Com.exe is executed, it creates duplicate .exe files along with multiple Bin.exe, Windows.Globalization.fontgroups.exe, and Build.exe files. In addition, a number of registry entries under ZoneMap and LanguageList are also altered.
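As an added example (not code from the article or from Reason Labs), a small Python triage script that looks for the dropped-file names listed above and, since the dropper writes duplicate copies of itself, groups .exe files with identical content; the directory tree it scans is constructed inline with placeholder bytes, not real malware.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# File names the article lists as dropped (both spellings it uses for the map EXE),
# matched case-insensitively.
DROPPED_NAMES = {
    "corona-virus-maps.com.exe", "corona-virus.map.com.exe",
    "bin.exe", "windows.globalization.fontgroups.exe", "build.exe",
}

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def triage(root):
    """Walk root; return (paths whose name is an indicator, groups of byte-identical .exe files)."""
    named_hits, exe_by_hash = [], defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in DROPPED_NAMES:
                named_hits.append(path)
            if name.lower().endswith(".exe"):
                exe_by_hash[sha256_of(path)].append(path)
    # The dropper writes duplicate copies of itself under new names, so identical
    # hashes across differently named .exe files are a second signal.
    duplicates = [sorted(p) for p in exe_by_hash.values() if len(p) > 1]
    return sorted(named_hits), duplicates

def build_sample_tree():
    """Constructed sample tree (placeholder bytes, not real malware) for a dry run."""
    root = tempfile.mkdtemp()
    dropped = b"MZ placeholder standing in for the dropped executable"
    benign = b"MZ placeholder standing in for an unrelated program"
    samples = {"Corona-virus-Maps.com.exe": dropped, "AppData/Local/Temp/Bin.exe": dropped,
               "AppData/Local/Temp/Build.exe": dropped, "Tools/editor.exe": benign}
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root

def run_demo():
    """Triage the constructed tree; return basenames only so results are path-independent."""
    hits, dups = triage(build_sample_tree())
    return (sorted(os.path.basename(p) for p in hits),
            [sorted(os.path.basename(p) for p in g) for g in dups])
```

Point `triage()` at a user profile or `C:\Windows\Temp` on a suspect machine; name matches alone are weak (legitimate programs can use similar names), so pair them with the duplicate-content check and the registry changes the article mentions.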
Is it a new threat?
The threat is designed to steal information and involves AZORult, information-stealing software that originated in 2016. This software is capable of stealing information like usernames, passwords, browsing history, financial details, cookies and cryptocurrency keys stored on the computer. Moreover, it can infect machines with other malware.
With this collected information cybercriminals steal sensitive data and use it for their own benefit.
In addition, a new variant of AZORult has been discovered that installs a hidden admin account on your computer to perform remote attacks.
How do attackers steal data?
Alfasi observed the static loading of APIs associated with nss3.dll. These APIs help decrypt the saved passwords, which is a very common approach and a hallmark of AZORult malware. Data collected from the compromised browser is moved to the C:\Windows\Temp folder, after which the malware extracts the data, generates a unique ID for the infected machine, encrypts the data and then initiates C2 communication.
What should you do to stay safe?
Certainly, it is important to keep yourself updated regarding coronavirus, but in doing so one should not forget to use verified dashboards and security tools like Advanced System Protector.
Hackers will do everything possible to get your data. It’s you who needs to take steps to secure data and stay protected.
In addition, to identify these fake sites, check the URL and other details; if they do not match the legitimate coronavirus dashboards, exit immediately. Also, if you are asked to download any file or install any application for coronavirus tracking, never fall for it. This is a way to spread malware.
“Be more suspicious than ever”
With this, it is clear that cybercriminals won't stop; they will exploit every chance to steal information. So the only way to stay safe is to keep security tips in mind while looking for information. What is your take on this?
Do you think what cybercriminals are doing is wrong? Or would you say one should exploit every chance they get to make money? Let us know what you think in the comments section.