Corona-Malware the New Trend to Steal Your Data

Malware Sébastien Guisnet today27/04/2020 1084 2 5

Background
share close

This new malware (Corona-virus-Map.exe) masquerades as an application for monitoring cases of Coronavirus infections. This program is apparently a software allowing to visualize the infection map of Coronavirus, it is based on the official map ( https://gisanddata.maps.arcgis.com/apps/opsdashboard/index.html#/ bda7594740fd40299423467b48e9ecf6 ) by integrating browser viewing functionality as seen in the screenshot.


Execution of Corana Malware with Nucleon Smart Endpoint EDR

But this program also includes malware very well known by the name of AZORult . The purpose of this malware is to steal information from your browser’s profile.

We distinguish in the capture below the access to cookies and other information available in the profile of the Google Chrome browser:


Chrome data using Nucleon Smart Endpoint EDR

The malware performs various exports, as well as a screenshot, before sending everything in an archive to its command & control server:


Corona map Malware sending data to C&C

We note that the malicious program sends information to a server in the United States (coronavirusstatus.space), but that it also uses the telegram application to carry out communications:


Corona malware communication server analyzed by Nucleon

This malware uses different techniques to install on the machine as well as persistence techniques, through the investigation tool we easily identify the execution flow of the attack.


corona map malware investigation using Nucleon Smart Endpoint EDR

Written by: Sébastien Guisnet

Rate it

Previous post


Gain ground on cybercriminals


Start Free Trial Now

Background