Fears of the coronavirus, also known as COVID-19, have spread worldwide, impacting many countries. In times like these, you would wish that the bad guys had the decency not to exploit the situation for their own benefit. However, that might be a little too much to ask. AhnLab Security Emergency-response Center (ASEC) has identified numerous malware samples exploiting the growing fear of the coronavirus, many of which use spear-phishing emails to trick users into downloading the malware.
Malicious email attachments disguised as an invoice for delayed delivery service have been identified downloading Lokibot info stealer malware (Figure 1).
Malicious attachments disguised as travel advisory for travelers have also been widely distributed (Figure 2). Once the user opens the word document and enables Macro, the malware is downloaded and executed.
Not all of the malware identified was found to be malicious, however. Some samples merely messed with the user interface, looking like a legitimate program while simply interfering with the user's activities.
Recently, ASEC analysts identified malware being distributed as a dashboard that supposedly delivers a real-time view of all confirmed and suspected coronavirus cases, along with the numbers of recovered patients and deaths. The malware creates a temporary directory into which it drops a further malware file and then executes it.
First, the distributed file decodes the data listed below and injects it into a specific process.
The injected data is then dropped into the temporary directory as “Coronavirus real-time status” (normal) and “jjutest1.exe” (malicious) before being executed. The “Coronavirus real-time status.exe” file shows the coronavirus status via a pop-up window. The data may look legitimate, but because of encoding issues it does not accurately reflect the real-time figures published by the Centers for Disease Control and Prevention.
Meanwhile, “jjutest1.exe” is created and executed without any user interaction. This file acts as a backdoor: it registers a Run key for automatic execution and attempts to connect to a specific internal IP address (192.168.123.107:777).
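The two behaviours just described, Run key persistence for a binary dropped in a temp directory followed by an outbound connection from that binary, are easy to pair up in endpoint telemetry. The following is an added detection example, not code from the original post or from AhnLab; the Sysmon-style event format, the path under the user's Temp folder and the registry value name are constructed assumptions, while the file name and the 192.168.123.107:777 destination come from the analysis above.

```python
import re

# Constructed, simplified Sysmon-style events (not from the original post). The
# %TEMP% path and the Run value name are assumptions; jjutest1.exe and the
# 192.168.123.107:777 destination are the indicators described in the analysis.
SAMPLE_EVENTS = [
    r"FileCreate image=C:\Users\u\AppData\Local\Temp\Coronavirus real-time status.exe",
    r"FileCreate image=C:\Users\u\AppData\Local\Temp\jjutest1.exe",
    r"RegistrySetValue key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jjutest1 value=C:\Users\u\AppData\Local\Temp\jjutest1.exe",
    r"NetworkConnect image=C:\Users\u\AppData\Local\Temp\jjutest1.exe dst=192.168.123.107:777",
    # Benign noise: a Run key pointing outside temp, and a browser connection.
    r"RegistrySetValue key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive value=C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"NetworkConnect image=C:\Program Files\Mozilla Firefox\firefox.exe dst=203.0.113.5:443",
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def parse_event(line):
    """Split 'Type k1=v1 k2=v2 ...' into (type, {k: v}); values may contain spaces."""
    etype, _, rest = line.partition(" ")
    fields = {m.group(1): m.group(2)
              for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", rest)}
    return etype, fields


def detect(events):
    """Return alerts for: (1) a Run key whose target lives in a temp directory, and
    (2) a network connection made by a binary that was persisted that way."""
    alerts, persisted = [], set()
    for line in events:
        etype, f = parse_event(line)
        if etype == "RegistrySetValue" and RUN_KEY_RE.search(f.get("key", "")):
            target = f.get("value", "")
            if TEMP_DIR_RE.search(target):
                persisted.add(target.lower())
                alerts.append(f"run-key persistence from temp dir: {target}")
        elif etype == "NetworkConnect" and f.get("image", "").lower() in persisted:
            alerts.append(f"persisted temp binary connecting out: {f['image']} -> {f['dst']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Correlating the Run key write with the later connection keeps the rule quieter than alerting on every temp-directory executable alone.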
AhnLab’s anti-malware product, V3, blocks the relevant malware using the following aliases:
<V3 Product Alias>
– Malware/Win32.RL_Generic.R3617803 (2019.12.07.01)
– Dropper/Win32.MSILKrypt.R327173 (2020.02.26.00)
– Trojan/Win32.Fsysna.R202348 (2017.06.13.00)
Threats exploiting the coronavirus outbreak are increasing worldwide. Therefore, extreme caution is needed when dealing with unauthorized files and programs.