Warning: hackers are spreading a malicious "Coronavirus Map" program that steals user information
Exploiting the Covid-19 pandemic, attackers are abusing people's need for outbreak information to spread malware. The victim is tricked into downloading and running a program whose visible interface is a map pulled from a legitimate source, while the malware itself runs in the background.
The malware was identified as AZORult, an information stealer first seen in 2016 that collects web browser data such as cookies, browsing history, user IDs and passwords, and even encryption keys.
In-depth analysis
Sample Corona-virus-Map.com.exe (AutoIt dropper)
Hash: 73da2c02c6f8bfd4662dc84820dcd983
File Type: Portable Executable 32
File Info: Microsoft Visual C++ 8, AutoIt
The attacker tricks the user into downloading a file named "Corona-virus-Map.com.exe". This file is a compiled AutoIt script, so it can be decompiled easily to recover the source of the malicious code.
The script shows that it creates the folder "%APPDATA%\Z11062600", writes two files there, "Corona.exe" and "Corona-virus-Map.com.exe", and then launches both.
Sample Corona-virus-Map.com.exe (dropped .NET file)
Hash: 07b819b4d602635365e361b96749ac3e
File Type: Portable Executable 32
File Info: Microsoft Visual Studio .NET
The "Corona-virus-Map.com.exe" dropped onto the user's computer is a .NET binary. After decompiling and analysing it, its main function turns out to be fetching data from "hxxps://gisanddata[.]maps.arcgis[.]com/apps/opsdashboard/index[.]html#/bda7594740fd40299423467b48e9ecf6" and displaying a map of Covid-19 infections to the user: a decoy that builds trust so the user suspects nothing.
Sample Corona.exe
Hash: 1beba1640f5573cbac5552ae02c38f33
File Type: Portable Executable 32
File Info: RAR archive (self-extracting)
When "Corona.exe" is launched, it creates two files, Corona.bat and Corona.sfx.exe. The batch file has the following content:
@echo off
Corona.sfx.exe -p3D2oetdNuZUqQHPJmcMDDHYoqkyNVsFk9r -dC:\Windows\System32
The "Corona.exe" process uses cmd to run "Corona.bat", which in turn launches "Corona.sfx.exe", passing the archive password with -p and the extraction directory with -d. "Corona.sfx.exe" then creates and runs another Corona.exe with the same function as the first one: it creates and launches the next two files, bin.exe and Build.exe, in the folder "%APPDATA%\Z58538177". To make this easier to follow, the process chain reconstructed from the steps above is:
Corona-virus-Map.com.exe (AutoIt dropper)
├─ %APPDATA%\Z11062600\Corona-virus-Map.com.exe (.NET decoy map)
└─ %APPDATA%\Z11062600\Corona.exe (RAR SFX)
   └─ cmd.exe Corona.bat
      └─ Corona.sfx.exe -p<password> -dC:\Windows\System32
         └─ Corona.exe (second SFX, same function as the first)
            ├─ %APPDATA%\Z58538177\bin.exe (AZORult)
            └─ %APPDATA%\Z58538177\Build.exe (AutoIt)
Sample bin.exe
Hash: c4852ee6589252c601bc2922a35dd7da
File Type: Portable Executable 32
File Info: Borland Delphi
This is the main executable of the malicious code, identified by security vendors as AZORult, a data-stealing malware family. Once on the computer, the malware gathers identifying information about the victim machine such as the machine GUID, version information, username and computer name, and creates its own GUID from them:
The malware uses the newly created GUID as a mutex name so that two copies do not run at the same time.
The malware encodes the identity information and immediately afterwards decrypts the C&C address.
The malicious code connects to the C&C server, sends the identity information of the victim machine, and the server returns a large amount of data.
After the malicious code decodes the downloaded data, we can see that it downloads a set of dynamic libraries to the victim machine and writes them to the folder "%TEMPda".
The malware carries a lengthy list of paths from which we can determine what it targets. It hijacks the data of browsers such as Firefox, Chrome, Chromium, Brave, Edge, Comodo, Kometa, Coc Coc, Opera, 360, ..., email clients such as Outlook, Thunderbird, ..., and many more. The downloaded libraries provide the functions the attacker needs to read that data.
For example, the malware queries Outlook profile data in the registry:
or steals the saved passwords of FileZilla servers:
and even the victim's cryptocurrency wallets are targeted:
Finally, the malware encrypts the captured data, sends it back to the C&C server, and runs a command to delete its own file:
C:\Windows\system32\timeout.exe 3 & del "bin.exe"
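The dropper chain described above (cmd running Corona.bat, a password-protected SFX extracting into System32, payloads launched from %APPDATA%\Z<digits>) and the timeout/del self-deletion just shown are all visible in process-creation telemetry. The following is an added example, not code from the original analysis: a PowerShell function that flags such records. The input records are constructed here in the shape of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); in production you would feed it parsed Get-WinEvent output from the Sysmon Operational log. The location of Corona.sfx.exe in the sample data is an assumption, since the write-up does not say where Corona.exe drops it.

```powershell
# Added example (not from the original analysis): flag process-creation records that match
# the Corona-virus-Map dropper chain and the AZORult self-deletion command.

function Test-CoronaDropperChain {
    param([Parameter(Mandatory)][hashtable[]]$Events)

    $hits = @()
    foreach ($e in $Events) {
        $img     = $e.Image
        $cmd     = $e.CommandLine
        $parent  = $e.ParentImage
        $reasons = @()

        # Stages 1/2: payloads are written to and launched from %APPDATA%\Z<digits>
        if ($img -match '\\AppData\\Roaming\\Z\d+\\') {
            $reasons += 'executable launched from %APPDATA%\Z<digits> staging folder'
        }
        # Stage 3: cmd.exe running Corona.bat
        if ($img -match '\\cmd\.exe$' -and $cmd -match 'Corona\.bat') {
            $reasons += 'cmd.exe invoked Corona.bat'
        }
        # Stage 4: SFX extraction with a password (-p) into System32 (-d)
        if ($cmd -match '\.sfx\.exe.*\s-p\S+.*\s-dC:\\Windows\\System32') {
            $reasons += 'password-protected SFX extracting into System32'
        }
        # AZORult cleanup: timeout N & del "<self>"
        if ($cmd -match 'timeout(\.exe)?\s+\d+\s*&\s*del\s') {
            $reasons += 'timeout/del self-deletion pattern'
        }

        if ($reasons.Count) {
            $hits += [pscustomobject]@{
                Image       = $img
                ParentImage = $parent
                Reasons     = ($reasons -join '; ')
            }
        }
    }
    return $hits
}

# Constructed sample records (not real telemetry): one per stage of the chain plus one benign.
# The Corona.sfx.exe path is assumed; the write-up does not say where it is dropped.
$sample = @(
    @{ Image = 'C:\Users\victim\AppData\Roaming\Z11062600\Corona.exe'
       ParentImage = 'C:\Users\victim\Downloads\Corona-virus-Map.com.exe'
       CommandLine = '"C:\Users\victim\AppData\Roaming\Z11062600\Corona.exe"' },
    @{ Image = 'C:\Windows\System32\cmd.exe'
       ParentImage = 'C:\Users\victim\AppData\Roaming\Z11062600\Corona.exe'
       CommandLine = 'cmd /c Corona.bat' },
    @{ Image = 'C:\Users\victim\AppData\Roaming\Z11062600\Corona.sfx.exe'
       ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'Corona.sfx.exe -p3D2oetdNuZUqQHPJmcMDDHYoqkyNVsFk9r -dC:\Windows\System32' },
    @{ Image = 'C:\Windows\System32\cmd.exe'
       ParentImage = 'C:\Users\victim\AppData\Roaming\Z58538177\bin.exe'
       CommandLine = 'C:\Windows\system32\timeout.exe 3 & del "bin.exe"' },
    @{ Image = 'C:\Windows\System32\notepad.exe'
       ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = 'notepad.exe notes.txt' }
)

Test-CoronaDropperChain -Events $sample | Format-Table -AutoSize
```

Run against the constructed sample, the first four records are reported (the SFX record matches on both the staging folder and the -p/-d switches) and the notepad record is not. The staging-folder pattern is deliberately written as Z followed by any digits rather than the two folder names seen here, since a rebuilt dropper would most likely change only the number.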
Sample Build.exe
Hash: F6A5E02F46D761D3890DEBD8F2084D37
File Type: Portable Executable 32
File Info: UPX v3.0, AutoIt
Many tools can unpack UPX, CFF Explorer among them. When executed, this file copies itself to "%APPDATA%\amd64_netfx4-system.runti..dowsruntime.ui.xaml.Globalization.Fontgroups.exe" and runs the copy. Just as with the first dropper, we only need to decompile the AutoIt file to get the source code.
This sample is not heavily obfuscated, which saved a lot of time. After analysing it and researching the related information, we conclude that its main activities are stealing browser cookies, stealing encryption keys, disabling the proxy configuration and changing file attributes to hide itself.
IOC
Hash
- MD5: 73da2c02c6f8bfd4662dc84820dcd983
- MD5: 07b819b4d602635365e361b96749ac3e
- MD5: 1beba1640f5573cbac5552ae02c38f33
- MD5: c4852ee6589252c601bc2922a35dd7da
- MD5: F6A5E02F46D761D3890DEBD8F2084D37
- MD5: e9dcbecca02b600ce135f7d58b8cd830
- MD5: 3cb9fc1ee05f49438455ba1aea3bca4e
Domain
- coronavirusstatus[.]space
Cleaning steps
- Look for files with the MD5 hashes above in the directories:
- %APPDATA%\Z11062600
- %APPDATA%\Z58538177
- %APPDATA%\amd64_netfx4-system.runti..dowsruntime.ui.xaml
- End all processes started from those files (if any)
- Delete all of the files above (if present, and only if the hash matches)
- Delete the Task Scheduler entry pointing to the file Windows.Globalization.Fontgroups.exe
- Alternatively, use a trusted antivirus vendor's product to handle the removal
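The cleaning steps above can be carried out in one pass. The script below is an added example and not part of the original write-up. The hashes and folder names are the ones listed in the IOC section; the third folder name is copied exactly as the write-up prints it (including the ".." truncation), so replace it with the real folder name seen on the host. Matching scheduled tasks by the executable name in their action is an assumption, since the write-up names the file but not the task. Run it from an elevated PowerShell session, first with -ReportOnly.

```powershell
# Added example, not from the original write-up: hash-verified remediation sweep for the
# Corona-virus-Map dropper and its AZORult payload.

$IocMd5 = @(
    '73da2c02c6f8bfd4662dc84820dcd983', '07b819b4d602635365e361b96749ac3e',
    '1beba1640f5573cbac5552ae02c38f33', 'c4852ee6589252c601bc2922a35dd7da',
    'f6a5e02f46d761d3890debd8f2084d37', 'e9dcbecca02b600ce135f7d58b8cd830',
    '3cb9fc1ee05f49438455ba1aea3bca4e'
)

$StagingDirs = @(
    (Join-Path $env:APPDATA 'Z11062600'),
    (Join-Path $env:APPDATA 'Z58538177'),
    # Copied as printed in the write-up; the ".." is a truncated display name, adjust on the host.
    (Join-Path $env:APPDATA 'amd64_netfx4-system.runti..dowsruntime.ui.xaml')
)

# Persistence binary named in the cleaning steps; the task name itself is unknown (assumption:
# any task whose action launches this file belongs to the malware).
$PersistenceExe = 'Windows.Globalization.Fontgroups.exe'

function Get-IocFileMatch {
    # Return every file under the staging folders whose MD5 is on the IOC list.
    param([string[]]$Dirs, [string[]]$Hashes)
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash.ToLower()
                if ($Hashes -contains $md5) {
                    [pscustomobject]@{ Path = $_.FullName; MD5 = $md5 }
                }
            }
    }
}

function Invoke-CoronaMapCleanup {
    param([switch]$ReportOnly)

    $found = @(Get-IocFileMatch -Dirs $StagingDirs -Hashes $IocMd5)
    Write-Host ("IOC file matches: {0}" -f $found.Count)
    $found | ForEach-Object { Write-Host ("  {0}  {1}" -f $_.MD5, $_.Path) }

    # 1. Stop processes whose image is one of the matched files (hash-verified, not name-only).
    $procs = Get-Process | Where-Object { $_.Path -and ($found.Path -contains $_.Path) }
    foreach ($p in $procs) {
        Write-Host ("Stopping PID {0} ({1})" -f $p.Id, $p.Path)
        if (-not $ReportOnly) { Stop-Process -Id $p.Id -Force }
    }

    # 2. Delete only the matched files; a same-named file with a different hash is left alone.
    foreach ($f in $found) {
        Write-Host ("Deleting {0}" -f $f.Path)
        if (-not $ReportOnly) { Remove-Item -LiteralPath $f.Path -Force }
    }

    # 3. Remove scheduled tasks whose action launches the persistence executable.
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $_.Actions | Where-Object { ("{0} {1}" -f $_.Execute, $_.Arguments) -like "*$PersistenceExe*" }
    }
    foreach ($t in $tasks) {
        Write-Host ("Removing scheduled task {0}{1}" -f $t.TaskPath, $t.TaskName)
        if (-not $ReportOnly) { $t | Unregister-ScheduledTask -Confirm:$false }
    }
}

Invoke-CoronaMapCleanup -ReportOnly
```

Drop -ReportOnly once the report lists only the expected files and task. Matching on the MD5 rather than the file name is what keeps step 2 from deleting an unrelated file that happens to share a name, which is the point of the "only if the hash matches" condition above.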
Conclusion
The severity of the Covid-19 epidemic is beyond dispute. Bad actors are taking full advantage of the public's hunger for coronavirus-related information on the web, and many may fall prey to attacks. Users need to keep calm and protect themselves against both biological viruses and computer viruses. For a safe map of the outbreak situation, visit the Johns Hopkins University website at https://coronavirus.jhu.edu/map.html.