Johns Hopkins University has an excellent interactive map for tracking the coronavirus. Hackers think it’s excellent, too—as a vehicle for releasing malware into victims’ computers or phones.
Security firms have been tracking scam emails from numerous hackers offering a fully functioning replica of the Johns Hopkins interactive map. When a user takes the bait and opens the attachment, malware is installed on their computer that’s designed to steal passwords, credit card numbers, and other sensitive information.
The map was actually part of a “digital Coronavirus infection kit” developed by a member of several Russian language cybercrime forums, according to the blog of security researcher Brian Krebs. The person began selling the kit to other hackers late last month, Krebs notes. The seller’s pitch went like this:
It loads [a] fully working online map of Corona Virus infected areas and other data. Map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!
The Java-based malware used in the attack is called AZORult, and it’s a nasty piece of work. First reported in 2016, it has been used in several kinds of malware schemes. Once inside a target computer, it can download additional malware, as well as search for and steal cryptocurrency.
“There is also a variant of the AZORult that creates a new, hidden administrator account on the infected machine in order to allow Remote Desktop Protocol (RDP) connections,” writes Reason Labs cybersecurity researcher Shai Alfasi in a blog post. That’s troubling because the variant could be used to target the millions of people who are now, or will soon be, working from home because of the coronavirus.
Security experts began sounding the alarm this week that hackers are now also delivering the same coronavirus map and the same malware via websites. The Israeli security firm Check Point found 4,000 new website domains related to the coronavirus, and that reports 3% of those sites contained malware.
The Johns Hopkins map scam is just one of the ways hackers have been leveraging the coronavirus to steal data.
Check Point said Thursday it had discovered a group of sophisticated Chinese hackers (dubbed “Vicious Panda”) that has been sending emails offering a fake coronavirus document from the Mongolian Health Ministry. When victims download the document, a piece of malware gains access to their computer or smartphone.
The “official documents” bait is a common tactic used by hackers exploiting the coronavirus outbreak. In recent weeks security researchers have found and analyzed emails containing such attachments or links originating in Japan, China, North Korea, and Russia.
In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) issued a statement on March 6 warning Americans of “emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes.” The emails often have subject lines containing the “coronavirus” term, CISA said.
Security pros advise that any attachment from anyone you don’t know sent over any medium should be considered dangerous. They also advise that as the virus spreads, cybercrooks will be continually looking for new ways to leverage the emergency to steal personal data.