Cybercriminals deploy a fake world map application showing the number of COVID-19 infections worldwide. Visitors are then infected with malware that tries to steal credentials and other sensitive data.
The security company Reason Cybersecurity discovered this method of spreading malware. By infecting visitors with a fake world map application, cybercriminals try to steal sensitive information stored in the browser. This includes, for example, login details and credit card numbers.
The malware is not completely new. To achieve this theft, hackers use AZORult. This malware was first discovered in 2016 and steals sensitive data from browser history. In addition, there is an AZORult variant that places a hidden admin account on a device to establish a Remote Desktop Protocol (RDP) connection to another device.
AZORult has since become versatile. According to Reason Cybersecurity, in this case the main aim is to obtain information about cryptocurrency wallets (including Ethereum), the Telegram desktop app and Steam accounts.
Reason Cybersecurity also indicates that AZORult is mainly sold on underground Russian forums. The security company also believes it is likely that more ‘corona malware’ will spread in the coming period, as the coronavirus is also spreading further.
Cybercriminals generally exploit hype and anxiety to spread malware. This is not the first time that the coronavirus has been abused by cybercriminals. For example, security company Sophos discovered an email campaign that offered supposed advice on how not to get infected, while actually trying to infect users with malware.