Warning: hackers are spreading "Coronavirus Map" malware that steals user information

23 Mar

Taking advantage of the Covid-19 epidemic and people's need for information about it, attackers around the world are using the outbreak as a lure to spread malware. The victim is tricked into downloading and running a program whose map interface is loaded from a legitimate source while the malware runs in the background.

The malware was identified as AZORult, a family first discovered in 2016 that collects web browser data such as cookies, browsing history, user IDs, passwords and even encryption keys.

In-depth analysis

Sample Corona-virus-Map.com.exe

Hash: 73da2c02c6f8bfd4662dc84820dcd983

File Type: Portable Executable 32

File Info: Microsoft Visual C++ 8, AutoIt

The attacker tricks the user into downloading a file named "Corona-virus-Map.com.exe". This file is an AutoIt-compiled executable, so it can be decompiled easily to recover the script source of the malware.

The script creates the folder "%APPDATA%\Z11062600", drops two files into it, "Corona.exe" and "Corona-virus-Map.com.exe", and then launches both.

Sample Corona-virus-Map.com.exe

Hash: 07b819b4d602635365e361b96749ac3e

File Type: Portable Executable 32

File Info: Microsoft Visual Studio .NET

The dropped "Corona-virus-Map.com.exe" is a .NET file. Decompiling and analysing it shows that its main function is to retrieve data from "hxxps://gisanddata[.]maps.arcgis[.]com/apps/opsdashboard/index[.]html#/bda7594740fd40299423467b48e9ecf6" and display the Covid-19 infection map to the user, so that the victim sees a legitimate-looking dashboard and suspects nothing.

Sample Corona.exe

Hash: 1beba1640f5573cbac5552ae02c38f33

File Type: Portable Executable 32

File Info: Rar archive

When launched, "Corona.exe" creates two files, Corona.bat and Corona.sfx.exe. The bat file has the following content:

@echo off
Corona.sfx.exe -p3D2oetdNuZUqQHPJmcMDDHYoqkyNVsFk9r -dC:\Windows\System32

The "Corona.exe" process uses cmd to run "Corona.bat", which in turn launches "Corona.sfx.exe". This "Corona.sfx.exe" creates and runs another Corona.exe with the same function as the first: it creates and launches the next two files, bin.exe and Build.exe, in the folder "%APPDATA%\Z58538177". To make the chain easier to follow, the process graph is shown below:

Sample bin.exe

Hash: c4852ee6589252c601bc2922a35dd7da

File Type: Portable Executable 32

File Info: Borland Delphi

This is the main executable of the malware, identified by security vendors as AZORult, an information-stealing family. Once on the victim's computer, the malware collects identification information such as the machine GUID, version information, username and computer name, and creates a separate GUID of its own:

The malware uses the newly created GUID as a mutex name to prevent two instances from running at the same time.

The malware then encodes the identity information and immediately decrypts the C&C address.

The malware connects to the C&C server, sends the victim machine's identity information, and receives a large amount of data in return.

After the malware decodes the downloaded data, we can see that it downloads a list of dynamic libraries to the victim machine and writes them to the folder "%TEMPda".

The malware contains a lengthy list of paths and keys from which we can determine what it targets. It steals data from browsers such as Firefox, Chrome, Chromium, Brave, Edge, Comodo, Kometa, Coc Coc, Opera, 360, ... from email clients such as Outlook, Thunderbird, ... and from many other applications. The downloaded libraries provide the functions the attacker needs to read that data.

For example, the malware queries Outlook profile data in the registry:

Or steals saved FileZilla server credentials:


Even the victim's cryptocurrency wallets are targeted:

Finally, the malware encrypts the captured data, sends it back to the C&C server and then runs a command to delete itself:

C:\Windows\system32\timeout.exe 3 & del "bin.exe"

Sample Build.exe

Hash: F6A5E02F46D761D3890DEBD8F2084D37

File Type: Portable Executable 32

File Info: UPX v3.0, AutoIt

Many tools can unpack UPX, for example CFF Explorer. When executed, this file copies itself to "%APPDATA%\amd64_netfx4-system.runti..dowsruntime.ui.xaml.Globalization.Fontgroups.exe" and runs the copy. As with the first dropper, we only need to decompile the AutoIt executable to get the script source.

Analysis is quick because this sample is not heavily obfuscated. From analysing the script and researching its functions, we conclude that its main activities are stealing browser cookies, stealing encryption keys, disabling the proxy configuration and changing file attributes to stay hidden.

IOC

Hash

  • MD5: 73da2c02c6f8bfd4662dc84820dcd983
  • MD5: 07b819b4d602635365e361b96749ac3e
  • MD5: 1beba1640f5573cbac5552ae02c38f33
  • MD5: c4852ee6589252c601bc2922a35dd7da
  • MD5: F6A5E02F46D761D3890DEBD8F2084D37
  • MD5: e9dcbecca02b600ce135f7d58b8cd830
  • MD5: 3cb9fc1ee05f49438455ba1aea3bca4e

Domain

  • coronavirusstatus [.] space

Cleaning steps

  • Find files with the above MD5 hashes in the directories:
    • %APPDATA%\Z11062600
    • %APPDATA%\Z58538177
    • %APPDATA%\amd64_netfx4-system.runti..dowsruntime.ui.xaml
  • End all processes of the above files (if any)
  • Delete all the above files (if present and if the hash matches)
  • Delete the scheduled task that points to Windows.Globalization.Fontgroups.exe
  • Alternatively, use software from a trusted antivirus vendor to remove the infection
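As an added example that is not part of the original post, the following PowerShell script carries out the first cleaning steps in read-only form: it hashes the files in the three drop folders against the IOC list above, reports running processes backed by a matching file, and reports scheduled tasks whose action references Windows.Globalization.Fontgroups.exe. It assumes Windows PowerShell 4 or later with the ScheduledTasks module; nothing is terminated or deleted, the output is for an analyst to review.

```powershell
# Triage script for the artifacts described in this analysis (added example,
# not the post's own code). Hashes, folder names and the task target come from
# the IOC and cleaning sections; Get-FileHash returns upper-case hex, so the
# known list is upper-cased to match.
$KnownMd5 = @(
    '73DA2C02C6F8BFD4662DC84820DCD983', '07B819B4D602635365E361B96749AC3E',
    '1BEBA1640F5573CBAC5552AE02C38F33', 'C4852EE6589252C601BC2922A35DD7DA',
    'F6A5E02F46D761D3890DEBD8F2084D37', 'E9DCBECCA02B600CE135F7D58B8CD830',
    '3CB9FC1EE05F49438455BA1AEA3BCA4E'
)
$DropFolders = @(
    (Join-Path $env:APPDATA 'Z11062600'),
    (Join-Path $env:APPDATA 'Z58538177'),
    (Join-Path $env:APPDATA 'amd64_netfx4-system.runti..dowsruntime.ui.xaml')
)

# Step 1: hash every file in the drop folders and keep only known-bad matches.
# -LiteralPath keeps the odd folder name from being treated as a wildcard.
$hits = foreach ($dir in $DropFolders) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
            if ($KnownMd5 -contains $md5) {
                [pscustomobject]@{ Path = $_.FullName; MD5 = $md5 }
            }
        }
}

# Step 2: running processes whose image is one of the matched files.
$procs = Get-Process | Where-Object { $_.Path -and ($hits.Path -contains $_.Path) }

# Step 3: scheduled tasks whose action launches the persistence binary.
# The task may name the exe directly or pass it as an argument, so both are checked.
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
    $_.Actions | Where-Object {
        ($_.Execute + ' ' + $_.Arguments) -match 'Windows\.Globalization\.Fontgroups\.exe'
    }
}

'Matching files:';     $hits  | Format-Table -AutoSize
'Matching processes:'; $procs | Select-Object Id, ProcessName, Path | Format-Table -AutoSize
'Matching tasks:';     $tasks | Select-Object TaskName, TaskPath | Format-Table -AutoSize
```

Run it from an elevated prompt in the affected user's session so that %APPDATA% resolves to that user's profile; an empty table for all three sections means none of the listed artifacts were found.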

Conclusion

The severity of the Covid-19 epidemic is undisputed. Bad actors are taking full advantage of coronavirus-related information on the web, and many people may fall prey to such attacks. Users need to calmly protect themselves against both biological viruses and computer viruses. For a safe map of the outbreak situation, users should visit the Johns Hopkins University website at https://coronavirus.jhu.edu/map.html.
