But this program also bundles a well-known piece of malware, AZORult. Its purpose is to steal information from the browser's profile.
In the capture below we can see it accessing cookies and other data stored in the Google Chrome browser profile:
The malware performs various exports, as well as a screenshot, before sending everything in an archive to its command & control server:
We note that the malicious program sends information to a server in the United States (coronavirusstatus.space), but that it also uses the Telegram application to carry out communications:
This malware uses several techniques to install itself on the machine, as well as persistence techniques; with the investigation tool we easily identify the execution flow of the attack:
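The exfiltration sequence described above (browser profile read, archive creation, upload to the C2 domain or to Telegram) can be turned into a simple detection rule. The following is an added example written for this post, not code from the original analysis; the event format is constructed, and the Telegram host name and process IDs are assumptions.

```python
"""Correlate constructed endpoint events to flag an AZORult-style chain: one
process reading Chrome profile artefacts, writing an archive, then connecting
to the C2 domain named in the post or to Telegram.  Event format is assumed."""
import re
from collections import defaultdict

# Constructed sample events in the form "<pid>|<event type>|<target>".
SAMPLE_EVENTS = [
    "4120|FileRead|C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
    "4120|FileRead|C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "4120|FileWrite|C:\\Users\\bob\\AppData\\Local\\Temp\\report.zip",
    "4120|NetConnect|coronavirusstatus.space:80",
    "4120|NetConnect|api.telegram.org:443",
    "5200|FileRead|C:\\Users\\bob\\Documents\\notes.txt",
    "5200|NetConnect|example.com:443",
]

# Chrome profile databases that infostealers typically read.
CHROME_PROFILE = re.compile(
    r"\\Google\\Chrome\\User Data\\.*\\(Cookies|Login Data|Web Data)$", re.I)
ARCHIVE = re.compile(r"\.(zip|7z|rar)$", re.I)
# C2 domain taken from the post; api.telegram.org is an assumed host for the
# Telegram channel the post mentions.
SUSPECT_HOSTS = {"coronavirusstatus.space", "api.telegram.org"}


def parse_event(line):
    """Split one "<pid>|<type>|<target>" line into its three fields."""
    pid, kind, target = line.split("|", 2)
    return int(pid), kind, target


def detect_stealer_chain(lines):
    """Return {pid: [stages]} for processes that show all three stages."""
    stages = defaultdict(set)
    for line in lines:
        pid, kind, target = parse_event(line)
        if kind == "FileRead" and CHROME_PROFILE.search(target):
            stages[pid].add("browser_profile_read")
        elif kind == "FileWrite" and ARCHIVE.search(target):
            stages[pid].add("archive_written")
        elif kind == "NetConnect":
            host = target.rsplit(":", 1)[0].lower()
            if host in SUSPECT_HOSTS:
                stages[pid].add("suspect_egress")
    required = {"browser_profile_read", "archive_written", "suspect_egress"}
    return {pid: sorted(s) for pid, s in stages.items() if required <= s}


if __name__ == "__main__":
    print(detect_stealer_chain(SAMPLE_EVENTS))  # flags pid 4120 only
```

Requiring all three stages from the same process keeps a lone connection to a Telegram host, or a legitimate backup tool zipping a profile, from firing on its own.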