Real-Time Coronavirus Map Spreads Malware
Cybercriminals are constantly using breaking news headlines to draw public attention. Often, they do this for the purpose of sensationalizing the topic or spreading fake news. But recently cybercrooks started distributing accurate information in real-time: it was related to the Coronavirus/COVID-19 pandemic. The news about global infection rates was intended to infect readers PCs with malware.
In one of such schemes, an interactive dashboard showing the rates of Coronavirus infections and deaths developed by Johns Hopkins University is placed at malicious web sites. Cybercriminals apply it for spreading password-stealing malware.
Cybercriminals started selling a digital Coronavirus infection kit, with this interactive map used as a part of a Java-based malware deployment scheme, on several Russian cybercrime forums at the end of last month. The price was $200 per kit, in case the buyer already had a Java code signing certificate; if the buyer wished to use the seller’s one, the price was $700.
Here is how the kit seller describes his ‘product’: “The map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!”
The customer’s payload could be bundled with the Java-based map into a filename, claims the seller in the forum sales thread, and adds that most Webmail providers, including Gmail, allow it in sent messages. However, the demonstration video shows that Gmail warns recipients that downloading the specific file type (which was obscured in the video) can be harmful. According to the seller, for the map and exploit to work, the future victim machine needs to have Java installed.
In his video, the seller explained that the loader loads .jar files, which contain an interactive Coronavirus map with real-time data, and a payload. The latter can be a separate loader which will be loaded after the map is launched. Alternatively, the predownloaded payload can be launched first.
Although it is unknown how many ‘customers’ this seller has provided his ‘product’ with, but earlier this week security experts started warning about new malicious websites, which used interactive versions of the same map. These sites tried to infect visitors’ machines with password-stealing malware called AZORult.
It is clear that malware distributors will keep using headlines about the pandemic as lures as long as this topic remains hot. It means that everybody should be wary of it and avoid opening attachments in email, even if they appear to come from familiar senders.