Posted on March 12, 2020 at 11:41 AM
With the coronavirus outbreak disrupting business and economic activity around the world, attackers are exploiting the situation to compromise computers.
They are capitalizing on public fear about the virus by posing as sources of coronavirus information, and in particular by imitating the dashboards that organizations have built to track the spread of the virus.
In January, attackers had already run email campaigns that infected computers by convincing recipients to open messages purporting to contain coronavirus information. Many machines were infected in that wave, and the same coronavirus lure is now being reused with a different delivery method.
Johns Hopkins University and many other organizations publish dashboards to keep people informed about the spread of the disease, and large numbers of people rely on them for updates.
Cybercriminals have now found a way to use imitations of these dashboards to spread malware.
Criminals taking advantage of maps and dashboards
According to Shai Alfasi, a security researcher at Reason Labs, the cybercriminals are using these maps to steal sensitive information from victims, including credit card details, usernames, passwords and other data stored in the browser.
The researchers said the attackers start by setting up fake coronavirus websites that urge visitors to download an application that will keep them updated on the outbreak. To make the lure convincing, the application shows the user a map of the spread of the virus.
The application does not need to go through a conventional installation: once the downloaded file is opened, it infiltrates the system. The fake sites look like genuine trackers, but they are served from URLs that differ from those of the legitimate dashboards.
So far the malware has only been observed infecting Windows computers, but the researchers believe the attackers could build versions that target other operating systems.
Malicious software AZORult used in attack
Alfasi said the attackers used AZORult, a piece of malware first seen in 2016, to compromise the machines. AZORult not only steals information from the infected computer but also acts as a loader that fetches and runs other malware. That is what makes it so dangerous: a single AZORult infection can be the entry point for a whole chain of additional malware on the same computer.
“It is used to steal browsing history, cookies, ID/passwords, cryptocurrency and more,” the researcher noted. “It can also download additional malware onto infected machines,” Alfasi added.
Alfasi also explained how AZORult operates once it is running. When a computer is infected, the malware begins harvesting data and generates a unique identifier for the victim's workstation.
Once the infected workstation has connected to the attackers' server, the server sends back configuration data, including legitimate DLLs, SQLite3 queries, API names and web browser path information: the pieces the malware needs to locate the browsers' local databases and read the credentials and cookies stored in them.
Earlier this month, Check Point researchers reported that coronavirus-themed domains were 50% more likely to be malicious than other domains registered in the same period.
Protection against such attacks
Security researchers have advised users on how to avoid falling victim to criminals who pose as sources of coronavirus information in order to attack their computers.
They said that even though it is important to stay informed about the pandemic, users should seek information only from recognized sources,
and should use only verified, credible dashboards and maps. The researchers also advised against downloading files from coronavirus tracking websites, as these files could contain malware that will infect the computer.
AZORult is usually sold on Russian-language underground forums. Its primary use is to steal sensitive information from infected systems.
Alfasi said the fake sites are easy to spot because their details and URLs differ from those of the legitimate coronavirus dashboards. That is why users should know the exact URLs and appearance of the legitimate maps and dashboards they rely on, and check the full hostname in the address bar rather than judging a page by how it looks.
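A concrete version of that URL check, written for this article as an added example (not Reason Labs' code): it parses the link with Python's urllib instead of searching the string, so lookalike domains and userinfo tricks such as `https://trusted.example@evil.example/` fail the test. The allowlist of trusted hosts is an assumption for the example and should be replaced with the dashboards a reader actually relies on.

```python
"""Check whether a link that claims to be a coronavirus dashboard really
points at a known-good host.  Added illustration for this article, not code
from Reason Labs; the allowlist is an assumption for the example."""
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist of dashboard hosts (example data, verify before relying on it).
TRUSTED_HOSTS = {
    "coronavirus.jhu.edu",
    "who.int",
}


def host_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of url, or None if it is not an http(s) URL.

    A real URL parser is used so that the 'trusted' name in
    https://coronavirus.jhu.edu@evil.example/ is recognised as the userinfo
    part and the actual host (evil.example) is what gets checked."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_trusted_dashboard(url: str) -> bool:
    """True only if the host is exactly a trusted host or a subdomain of one.

    Substring or startswith matching is deliberately avoided: the fake sites
    copy a legitimate map under a different domain, so names such as
    coronavirus-jhu.edu.example or jhu.edu.example.com must not pass."""
    host = host_of(url)
    if host is None:
        return False
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


if __name__ == "__main__":
    for link in (
        "https://coronavirus.jhu.edu/map.html",
        "https://coronavirus.jhu.edu@evil.example/",
        "https://coronavirus-jhu.edu.example/map.html",
    ):
        print(f"{link}: {'trusted' if is_trusted_dashboard(link) else 'NOT trusted'}")
```

The same suffix rule accepts legitimate subdomains of an allowlisted host but nothing that merely contains the trusted name, which is exactly the distinction the lookalike sites rely on users not making.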
A newer variant of the malware also silently creates an administrator account on the infected computer so that the attackers can connect to it remotely.
AZORult places no limit on the type of data or files it steals, which is why an infection exposes the victim on several fronts at once: it can take messages, chat histories, bitcoin wallets and ordinary credentials, and install backdoors into the computer for future attacks.
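Two of the behaviours described above are detectable from Windows Security auditing: the malware reading the browsers' SQLite credential and cookie stores (the browser paths and SQLite3 queries it receives from its server), and the newer variant creating an administrator account for remote access. The following is an added example for this article, not Reason Labs' code, that runs simple detection logic over constructed events shaped like Windows Security records 4663 (object access), 4720 (user account created) and 4732 (member added to a security-enabled local group). The event records, process paths and account names are constructed for the example; object-access events only appear in real logs once a SACL has been set on the browser profile directory.

```python
"""Flag (1) a non-browser process reading a browser credential/cookie
database and (2) a freshly created local account being added to an admin
group.  Added example for this article, not Reason Labs' code; the events
below are constructed and only carry the fields the checks need."""

# Chrome/Edge keep passwords, cookies and autofill data in SQLite files with
# these names under the profile directory.
BROWSER_STORES = ("\\login data", "\\cookies", "\\web data")
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}
ADMIN_GROUPS = {"administrators"}

# Constructed sample events (not real log data).  4663 = object access,
# 4720 = user account created, 4732 = member added to local group.
SAMPLE_EVENTS = [
    {"id": 4663,
     "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "object": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"id": 4663,
     "process": r"C:\Users\alice\Downloads\downloaded-tracker.exe",
     "object": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"id": 4663,
     "process": r"C:\Users\alice\Downloads\downloaded-tracker.exe",
     "object": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"id": 4720, "subject": "alice", "target": "support"},
    {"id": 4732, "group": "Administrators", "member": "support"},
    {"id": 4732, "group": "Remote Desktop Users", "member": "support"},
]


def detect_credential_store_access(events):
    """Return (process, object) pairs where a process other than a browser
    opened a browser credential or cookie database."""
    hits = []
    for ev in events:
        if ev.get("id") != 4663:
            continue
        proc_name = ev["process"].rsplit("\\", 1)[-1].lower()
        obj = ev["object"].lower()
        if proc_name not in BROWSER_PROCESSES and obj.endswith(BROWSER_STORES):
            hits.append((ev["process"], ev["object"]))
    return hits


def detect_new_admin_accounts(events):
    """Return names of accounts created (4720) and then added to an admin
    group (4732) within the same batch of events.  Pairing the two records
    filters out routine group changes for long-standing accounts."""
    created = set()
    hits = []
    for ev in events:
        if ev.get("id") == 4720:
            created.add(ev["target"].lower())
        elif ev.get("id") == 4732 and ev["group"].lower() in ADMIN_GROUPS:
            if ev["member"].lower() in created:
                hits.append(ev["member"])
    return hits


if __name__ == "__main__":
    for proc, obj in detect_credential_store_access(SAMPLE_EVENTS):
        print(f"ALERT credential store read: {proc} -> {obj}")
    for account in detect_new_admin_accounts(SAMPLE_EVENTS):
        print(f"ALERT new account promoted to admin: {account}")
```

On the constructed batch the browser's own access to its Login Data file is ignored, the two reads by the downloaded executable are flagged, and the account "support" is reported because its creation and its addition to Administrators both appear; the addition to Remote Desktop Users is not flagged by itself, but it is the kind of follow-on record an analyst would pull when the first alert fires.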