Threat Overview
There has been an increase in cyber criminals weaponizing fears concerning the Coronavirus to deliver malware. Delivery of this malware is done largely through spam email campaigns where users receive emails with deceptive text and attached files (usually Microsoft Office files). When a user clicks on the attachment, they are prompted to enable macro commands in order for the file to load properly. If macros are enabled the attachment executes commands in the background to download and install malware, which the user may be completely unaware of. To raise awareness of these potential exploit attempts SKOUT’s Security Operations Center has analyzed a publicly available malware sample of a weaponized “live Coronavirus Map” download, which was used to deliver the malware variant known as “AZORult”.
The malware sample analyzed provides a convincing user interface to masquerade as the legitimate Coronavirus live map created by John Hopkins CSSE[1]. The map updates in real time which does give off appearance of legitimacy, however it is seen connecting to domains other than the original URL “www[.]arcgis[.]com”. These domains include “coronvirusstatus[.]space” and other domains following the nomenclature of “*[.]arcgis[.]com”. Thousands of coronavirus domains have been registered in recent weeks, with security researchers at Check Point releasing a report stating that over 4,000 coronavirus-related domains registered globally since January 20202. Users seeking the map should ensure they are downloading the legitimate live map1 by checking the domain in the URL to ensure it is legitimate and not potentially harboring AZORult.
AZORult is a banking malware trojan that can steal personally identifiable information (PII) including usernames/password, cookies, credit card details, cryptocurrency and other sensitive information that is stored in the user’s browser. Additionally, the malware creates a new, hidden administrator account on affected devices which attackers can use to connect to the device over Remote Desktop Protocol (RDP). When downloaded, there are two files that are self-extracted with hard-coded passwords to enable auto execution without the user’s knowledge. Once executed, a unique ID is created to identify the device, saved passwords are decrypted and C2 communication is started. This communication will provide target web browser names, API names, DLLs, and sqlite3 queries to store and export information.
For a full report containing IOCs and signatures, click here.
What are the Recommendations?
- Verify the authenticity of websites before downloading any software.
- Organization should implement two factor authentication for all account and a strong password policy.
- Provide security awareness training to users to spot phishing emails.
- Utilize a strong next-gen endpoint protection that blocks malware such as SKOUT Endpoint Protection.
- Utilize email protection service that can spot malicious emails and attachment before users interact with it such as SKOUT Email Protection.
- Ensure users have the least amount of privileges on their accounts.
- Turn off macros in Microsoft Office. Documents that require macros should never be received through email.
- Use a trusted web proxy, this will typically block connections attempting to be made to malware command and control (CnC) servers.
- Make sure your system is kept up to date with the latest patches and updates.
References
For more in-depth information about the recommendations, please visit the following links:
- https://blog.reasonsecurity.com/2020/03/09/covid-19-info-stealer-the-map-of-threats-threat-analysis-report/
- https://any.run/report/2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307/c89c573e-984c-4488-b940-258510a195de
- https://www.arcgis.com/apps/opsdashboard/index.html#/bda7594740fd40299423467b48e9ecf6
- https://blog.checkpoint.com/2020/03/05/update-coronavirus-themed-domains-50-more-likely-to-be-malicious-than-other-domains/
If you have any questions, please contact our Security Operations Center.
