Coronavirus Malware Exploits Global COVID-19 Fears to Infect Devices & Steal Data

DUBLIN - March 20, 2020 - PRLog -- As Coronavirus continues its rapid spread, Internet users are fearful of coming into contact with the virus and anxious for more information about the coronavirus outbreak. Cybercriminals are taking advantage of the coronavirus (COVID-19) pandemic and preying on vulnerable people's fears to spread malware. A number of cyber-attacks and strains of malware themed after COVID-19 have swept across different parts of the world over the last few days.

An advanced persistent threat (APT) is believed to be behind the March 2020 targeted attack dubbed 'Vicious Panda' that was also spreading coronavirus malware. The 'Vicious Panda' attack used phishing emails targeted at Mongolian government institutions. The emails came with RTF file attachments that allegedly contained important information about coronavirus. The payload contained in the malicious RTF attachments was a version of the RoyalRoad malware tool. Often associated with Chinese threat actors, the tool makes use of equation editor vulnerabilities in MS Word.

Coronavirus malware (https://www.enigmasoftware.com/coronavirusmalware-removal/) took a lot of different forms in a short span of time. In mid-March 2020, a new strain of ransomware appeared in the wild, named CoronaVi2020. Distributed primarily through spam emails and malicious attachments, the CoronaVi2020 ransomware asks for a relatively modest 0.008 BTC (roughly 50 USD) ransom and seems to be targeting regular home users instead of corporations and government institutions. The ransomware affects most common file types including images, databases and office files, with the ransomware appending its author's email — coronaVi2022[at]protonmail[dot]ch — in front of affected files.

The Coronavirus ransomware (https://www.enigmasoftware.com/coronavirusransomware-remo...) was also spotted bundled with the info-stealer trojan Kpot. A malicious site was distributing an executable named WSHSetup.exe that was effectively a bundle carrying both the coronavirus ransomware and the Kpot Trojan. Kpot can scrape account information from a number of web browsers, email accounts, cryptocurrency wallets and game distribution clients.

The best way home users can stay safe and protect their systems from coronavirus malware is to only download files from trusted sites, never click on any unsolicited links and double-check the address bar of their browser to see if the URL is spelled correctly and points to what they expect.

With real-world COVID-19 cases starting to grow exponentially in a number of new countries, computer users should expect hackers to continue taking advantage of this global health crisis.