Hackers Exploit Coronavirus Fears to Spread Malware

Fear of the coronavirus, also known as COVID-19, has spread worldwide, impacting many countries. In times like these, you’d wish that the bad guys would have the decency not to exploit the situation for their benefit. However, that might be a little too much to ask. AhnLab Security Emergency-response Center (ASEC) has identified numerous malware samples exploiting the increasing fear of coronavirus, many of which use spear-phishing emails to trick users into downloading the malware.

Malicious email attachments disguised as an invoice for a delayed delivery service have been identified downloading the Lokibot info-stealer malware (Figure 1).

Figure 1. Malicious email attachment disguised as invoice

Malicious attachments disguised as a travel advisory for travelers have also been widely distributed (Figure 2). Once the user opens the Word document and enables macros, the malware is downloaded and executed.

Figure 2. Malicious Word attachment disguised as travel advisory

But not all of the malware was found to be malicious. Some samples just messed with the user’s interface, acting like legitimate malware but simply interfering with the user’s activities.

Figure 3. Pop-up window disguised as legitimate malware

Figure 4. Explaining how to unlock the screen

Recently, ASEC analysts have identified malware distributed in the guise of a dashboard that delivers a real-time view of all confirmed and suspected cases of coronavirus, along with the number of recovered patients and deaths. It creates a temporary directory into which the malware is downloaded and then executed.

First, the distributed file decodes the data listed below and injects it into a specific process.

Figure 5. Injected data that was encoded

The injected data is then dropped into the temporary directory as “Coronavirus real-time status” (normal) and “jjutest1.exe” (malicious) before being executed. The “Coronavirus real-time status.exe” file shows the coronavirus status in a pop-up window. The data may seem legitimate, but due to encoding issues it does not accurately portray the real-time data published by the Centers for Disease Control and Prevention.

In the meantime, “jjutest1.exe” is created and executed without any user interaction. The created file acts as a backdoor, registering the Run Key for automatic execution and attempting to connect to a specific internal IP address (

Figure 6. Information of the file version being distributed
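
A defender-side check for the persistence step described above, as an added example that is not AhnLab's code: it triages registry value-set events and flags Run/RunOnce entries that point into a temp directory or use the file names from this article. The sample events are constructed, their field names are modeled on Sysmon Event ID 13, and the registry hives and temp paths are assumptions, since the article does not give them.

```python
import ntpath
import re

# Run/RunOnce autostart keys. The article does not say which hive the sample
# used, so machine-wide and per-user locations are both covered (assumption).
RUN_KEY = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$",
    re.IGNORECASE)
# Directories a dropper typically writes to; legitimate autostarts rarely live here.
TEMP_DIR = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)
# File names taken from the article.
KNOWN_NAMES = {"jjutest1.exe", "coronavirus real-time status.exe"}
EXE_PATH = re.compile(r'"?([a-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def triage(event):
    """Return the reasons a registry value-set event looks like this persistence."""
    if not RUN_KEY.search(event["target_object"]):
        return []  # not an autostart value
    m = EXE_PATH.search(event["details"])
    if not m:
        return []  # value data is not an executable path
    path = m.group(1)
    reasons = []
    if TEMP_DIR.search(path):
        reasons.append("autostart target in temp directory")
    if ntpath.basename(path).lower() in KNOWN_NAMES:
        reasons.append("file name from ASEC report")
    if TEMP_DIR.search(event["image"]):
        reasons.append("value written by process running from temp")
    return reasons


# Constructed sample events (not from the article).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\kim\AppData\Local\Temp\corona\jjutest1.exe",
     "target_object": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\jjutest1",
     "details": r'"C:\Users\kim\AppData\Local\Temp\corona\jjutest1.exe"'},
    {"image": r"C:\Program Files\Vendor\updater.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\updater.exe" /background'},
    {"image": r"C:\Windows\Temp\setup.exe",
     "target_object": r"HKLM\SOFTWARE\Vendor\Settings\Run\Mode",
     "details": "fast"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["target_object"].rsplit("\\", 1)[-1], "->", triage(ev) or "ok")
```

Matching on the temp-directory location rather than only the file name keeps the check useful if a later variant renames the dropped backdoor.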

AhnLab’s anti-malware product, V3, blocks the relevant malware using the following aliases:

<V3 Product Alias>

– Malware/Win32.RL_Generic.R3617803 (2019.12.07.01)

– Dropper/Win32.MSILKrypt.R327173 (2020.02.26.00)

– Trojan/Win32.Fsysna.R202348 (2017.06.13.00)

Threats exploiting the coronavirus outbreak are increasing worldwide. Extreme caution is therefore needed when dealing with unauthorized files and programs.


Source: AhnLab.com

