Fake Corona Antivirus Software Used to Install Backdoor Malware

Fake Corona Antivirus Software Used to Install Backdoor Malware

Websites selling a bogus Corona Antivirus are taking benefit of the present COVID-19 pandemic to advertise and distribute a malicious payload that can infect the goal’s pc with the BlackNET RAT and add it to a botnet.

The 2 websites selling the pretend antivirus software program may be discovered at antivirus-covid19[.]website and corona-antivirus[.]com as found by the Malwarebytes Risk Intelligence group and researchers at MalwareHunterTeam, respectively.

Whereas the previous was already taken down since Malwarebytes’ report, the one noticed by MalwareHunterTeam remains to be energetic but it surely had its contents altered, with the malicious hyperlinks eliminated and a donation hyperlink added to assist the scammers’ efforts — spoiler alert, no donations had been made till now.

The malicious site

“Obtain our AI Corona Antivirus for the absolute best safety towards the Corona COVID-19 virus,” the positioning reads. “Our scientists from Harvard College have been engaged on a particular AI growth to fight the virus utilizing a cell phone app.

Final however not least, the malicious websites’ makers additionally point out an replace that can add VR sync capabilities to their pretend antivirus: “We analyse the corona virus in our laboratory to maintain the app at all times updated! Quickly a corona antivirus VR synchronization can be applied!”

If anybody would fall this, they might find yourself downloading an installer from antivirus-covid19[.]website/replace.exe (hyperlink is now down) that can deploy the BlackNET malware onto their techniques if launched.

BlackNET will add the contaminated machine to a botnet that may be managed by its operators:

• to launch DDoS assaults
• to add information onto the compromised machine
• to execute scripts
• to take screenshots
• to reap keystrokes utilizing a built-in keylogger (LimeLogger)
• to steal bitcoin wallets
• to reap browser cookies and passwords.

The BlackNET RAT, which was rated as ‘skidware malware‘ by MalwareHunterTeam, can also be succesful to detect if it is being analyzed inside a VM and it’ll examine for the presence of research instruments generally utilized by malware researchers, per c0d3inj3cT’s evaluation.

BlackNET command panel
BlackNET command panel

The malware additionally comes with bot administration options together with restarting and shutting down the contaminated units, uninstalling or updating the bot consumer, and opening seen or hidden internet pages.

One of many websites selling this bogus Corona Antivirus was noticed by MalwareHunterTeam on March 6, whereas the opposite was uncovered by Malwarebytes’ Risk Intelligence group in a report printed at this time.

In considerably associated information, an HHS.gov open redirect is at the moment abused by attackers to ship Raccoon info-stealing malware payloads onto targets’ techniques by way of a coronavirus-themed phishing marketing campaign.

The actors behind these ongoing phishing assaults use the open redirect to hyperlink to a malicious attachment that delivers a VBS script beforehand noticed whereas being employed by the operators behind Netwalker Ransomware to deploy their payloads.

The World Well being Group (WHO), the U.S. Cybersecurity and Infrastructure Safety Company (CISA), and the U.S. Federal Commerce Fee (FTC) have all warned about Coronavirus-themed phishing and assaults concentrating on potential victims from international locations across the globe (1, 2, three).

Ofer Eitan

Leave a Reply

Your email address will not be published. Required fields are marked *