Beware: Newly-Crafted Coronavirus Wiper Malware Targets Windows Users

Cybercriminals look at the current pandemic state of the world as nothing more than an opportunity for a cash-grab. These malicious individuals seize every chance to capitalize on people's fear regarding the COVID-19 virus, plaguing people for over five months now. They exploit people's craving for information relating to Coronavirus and use it to make money. They craft bogus sites, sham apps, forge maps, and so on. They have no shame, no scruples.

Below you can see depictions of the exponential growth of recently-registered COVID-19-related domains, as well as references to Coronavirus or COVID-19, associated with cyberattacks.

[Figure: Registrations of COVID-19-related domains per day in 2020. Source: recordedfuture.com]

[Figure: References to Coronavirus or COVID-19 used in association with cyberattacks and cyber exploits over two months. Source: recordedfuture.com]

The latest Coronavirus-related malware to claim victims is a wiper of the same name. Taking 'inspiration' from the COVID-19 pandemic troubling people worldwide, the cybercrooks behind the attack chose to name it Coronavirus.

Researchers discovered that the Coronavirus wiper acts like a dangerous and destructive Trojan. Due to that fact, users not only call it Coronavirus wiper, but also Coronavirus Trojan. Its preferred victim? Windows users.

The Coronavirus wiper overwrites your master boot record (MBR), and its attack strategy reminds experts of that of the NotPetya wiper. The NotPetya threat roamed the web, plaguing users, in 2017. The initial resemblance between the two wipers tremendously concerned security experts. That's because, back in its prime, NotPetya pulled astonishing numbers after its attacks: over $10 billion, to be exact. To put that into scale, even the WannaCry campaign, which got the world into a frenzy, ended up costing its victims between $4 billion and $8 billion.

Nothing has come close to NotPetya's 'accomplishments.' That's why experts shared grave concerns that the Coronavirus wiper may follow in NotPetya's footsteps. Fortunately for most, the newly-crafted malware does not compare to the behemoth blast from the past – NotPetya. Security experts estimate that the Coronavirus wiper is, by far, not the worst infection you could come across, but do state it's not one you should underestimate either.

How does the Coronavirus wiper spread?

In these uncertain times, when people fear for their health, family, income, and job security, the malicious crooks behind the threat prey on those fears. The malware gets spread via a malvertising campaign. The cybercriminals behind it send out a slew of phishing emails carrying the infection and do their best to ensure mass corruption. They make their corrupted emails as enticing as possible, promising financial relief for any trouble caused by the pandemic. They lure you into trusting their appealing lies, then proceed to dupe you into letting the malware into your system. That only happens if you believe the contents of the email and download a malicious attachment, press a corrupted link, or do whatever else the email urges you to do.

Emails are among the most common ways infections get in. Knowing that, do your best to be extra attentive when you get one. Double-check all the information you see, verify that the sender is legitimate, and click nothing without confirming it is safe. That vigilance can save you from a whirl of issues.

Naturally, spam email campaigns aren't the only method malware tools turn to when it comes to infiltration. They turn to peer-to-peer (p2p) networks, freeware, fake torrents, and sham applications. They have their pick of tricks, and it's up to you to spot their deception and prevent them from invading your machine.

[Figure: A chart depicting the workings of a spam phishing campaign. Source: heimdalsecurity.com]

What occurs after the invasion?

If the infection's attempts at infiltration succeed, and it winds up on your PC, here's what to expect. Once it gets executed, the malware begins its corruption process by installing an array of helper files. They get put in a temporary folder. An installer, in the form of a helper file named "coronavirus.bat," sets up the infection's attack by making a hidden folder. It's called "COVID-19," and it gets chock-full of the previously dropped helper files. The purpose of that move is to ensure the malware stays hidden for as long as possible. That extra time in hiding allows it to perform the damage that it got designed to do.

Once the folder is created and holds the helper files, the installer ("coronavirus.bat") disables Windows Task Manager and User Account Control (UAC). That's yet another attempt at obfuscation. Then, it changes your wallpaper and disables your options to add or modify said wallpaper. It doesn't stop there, as it also adds entries in the registry. All these actions get done to secure the infection's persistence on your PC. As soon as the malware finishes doing them, it reboots, thus completing its installation process.

Then, a process called run.exe crafts a batch file named run.bat. Run.bat ensures that the registry modifications performed by the "coronavirus.bat" installer remain intact across the reboot. Once the reboot process ends, the malware executes two binaries. One of them, called "mainWindow.exe," shows you a window that has a picture of Coronavirus and displays two buttons. At the very top of that window, you find a notification that informs you "coronavirus has infected your PC!" The two buttons carry the text "Remove virus" and "Help." The "Remove virus" one does nothing, but the "Help" one displays a discouraging message to get you to 'stop trying to fix your computer.'
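The installation chain above (helper files in a temp folder, a hidden "COVID-19" folder, Task Manager and UAC disabled, wallpaper changes blocked, autorun entries that survive the reboot) leaves traces a defender can hunt for on a suspect machine. The script below is an added example, not code from the original post or from the researchers it cites: it parses a Windows registry export (.reg text) and a file listing and flags the indicators the post describes. The post names the effects but not the registry values; the values checked here (DisableTaskMgr, EnableLUA, NoChangingWallPaper) are the standard Windows policy settings that produce those effects and are an assumption about how this sample achieves them. The .reg export and file paths are constructed sample input.

```python
"""Hunt for the lockdown and persistence traces described in the post.

Added example: the registry value names below are the standard Windows
policy settings for the effects the post lists (assumption that the sample
uses them); the sample input is constructed, not captured from an infection.
"""
from pathlib import PureWindowsPath

# (key, value name) -> value data that indicates the lockdown is in place.
POLICY_INDICATORS = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr"): "1",                # Task Manager disabled
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA"): "0",                     # UAC disabled
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop",
     "NoChangingWallPaper"): "1",           # wallpaper changes blocked
}

# Autorun locations where a reboot-surviving entry would be registered.
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

# File names the post attributes to the installer chain, plus the hidden folder.
SUSPECT_FILES = {"coronavirus.bat", "run.bat", "run.exe", "mainwindow.exe"}
SUSPECT_DIR = "covid-19"


def parse_reg_export(text):
    """Parse a .reg export into {(key, value_name): value_as_string}.

    dword values become decimal strings; string values are unquoted and the
    doubled backslashes of the .reg format are collapsed.
    """
    entries = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value.startswith("dword:"):
                value = str(int(value[len("dword:"):], 16))
            else:
                value = value.strip('"').replace("\\\\", "\\")
            entries[(key, name)] = value
    return entries


def find_indicators(reg_entries, file_paths):
    """Return human-readable findings for every indicator present."""
    findings = []
    for (key, name), expected in POLICY_INDICATORS.items():
        if reg_entries.get((key, name)) == expected:
            findings.append(f"policy {name}={expected} under {key}")
    for (key, name), value in reg_entries.items():
        if key in RUN_KEYS and any(s in value.lower() for s in SUSPECT_FILES):
            findings.append(f"autorun {name} -> {value}")
    for p in file_paths:
        path = PureWindowsPath(p)
        parts = [part.lower() for part in path.parts]
        if path.name.lower() in SUSPECT_FILES or SUSPECT_DIR in parts:
            findings.append(f"file {p}")
    return findings


# Constructed sample input: what an infected profile's export might contain.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\victim\\AppData\\Local\\Temp\\COVID-19\\run.bat"
'''

SAMPLE_FILES = [
    r"C:\Users\victim\AppData\Local\Temp\coronavirus.bat",
    r"C:\Users\victim\AppData\Local\Temp\COVID-19\mainWindow.exe",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_REG), SAMPLE_FILES):
        print(finding)
```

On a real machine the .reg text would come from `reg export` of the two policy hives and the Run keys, and the file listing from a directory walk of the temp folder; the three policy values are also worth restoring to their defaults as part of cleanup, since the post says the sample leaves them in place to stay hidden.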

[Figure: The window with the two buttons, stating "coronavirus has infected your PC!" Source: zdnet2.cbsistatic.com]

The second binary is the one that launches the full-on attack, and it's the one that overwrites the MBR. Experts have uncovered that your original MBR gets backed up in the first sector, and only after that does the MBR get overwritten with the new code.

“Your computer has been trashed.”

The Coronavirus wiper strikes, and it turns your disk into an entirely unusable one. After it overwrites the MBR, you face a blank grey screen and a blinking cursor, with only the words "Your computer has been trashed" staring back at you.

[Figure: The "Your computer has been trashed" message after the Coronavirus wiper strikes. Source: media.threatpost.com]

After the malware rewrites your MBR, it restarts your computer and lets the new MBR run, locking you at a pre-boot screen. At this point, you can no longer access your PC. Researchers assure users that they can eventually regain access to their PCs, but to do so, they'll require special applications that recover and rebuild the MBR to a working state. But, according to malware experts, even if you don't manage to restore your MBR, you can still access and recover your data by mounting the drive.
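Because the post says the original MBR is backed up before being overwritten, the recovery tools it mentions have something to work with: the partition table is still on the disk, so the data is intact and only the first sector needs to be put back. The script below is an added example, not code from the post or from any recovery tool it refers to. It works on a raw disk image (a dd copy, never the live disk), judges a 512-byte sector to be a plausible MBR by its 0x55AA signature plus a sane partition table, scans the first few sectors for such a copy rather than assuming a fixed offset (an assumption, since the post only says "the first sector"), and writes it back over sector 0. The disk image is constructed inline: a stand-in "trashed" sector with no partition table, followed by the backed-up original.

```python
"""Locate a backed-up MBR in a disk image and restore it to sector 0.

Added example. The layout assumed here (trashed MBR at sector 0, backup
copy within the first few sectors) is an assumption about this sample; the
image used below is constructed, not a capture from a real infection.
"""
import struct

SECTOR = 512
ENTRY_OFF = 446   # start of the four 16-byte partition entries
SIG_OFF = 510     # boot signature 0x55AA


def parse_partitions(sector):
    """Return (status, type, lba_start, lba_count) for each non-empty entry."""
    parts = []
    for i in range(4):
        e = sector[ENTRY_OFF + 16 * i: ENTRY_OFF + 16 * (i + 1)]
        status, ptype = e[0], e[4]
        lba_start, lba_count = struct.unpack_from("<II", e, 8)
        if ptype != 0:
            parts.append((status, ptype, lba_start, lba_count))
    return parts


def is_plausible_mbr(sector):
    """A real MBR carries the signature and at least one sane partition entry.

    The wiper's replacement sector boots too, so the signature alone is not
    enough; the partition table is what distinguishes the original.
    """
    if len(sector) != SECTOR or sector[SIG_OFF:SIG_OFF + 2] != b"\x55\xaa":
        return False
    parts = parse_partitions(sector)
    if not parts:
        return False
    return all(status in (0x00, 0x80) and start > 0 and count > 0
               for status, _ptype, start, count in parts)


def find_backup_mbr(image, max_sectors=8):
    """Index of the first sector after 0 that looks like a valid MBR, or None."""
    for idx in range(1, min(max_sectors, len(image) // SECTOR)):
        if is_plausible_mbr(image[idx * SECTOR:(idx + 1) * SECTOR]):
            return idx
    return None


def restore_mbr(image, backup_idx):
    """Return a copy of the image with sector 0 replaced by the backup sector."""
    backup = image[backup_idx * SECTOR:(backup_idx + 1) * SECTOR]
    return backup + image[SECTOR:]


def build_mbr(boot_code, entries):
    """Construct a 512-byte MBR sector from boot code and partition entries."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, start, count) in enumerate(entries):
        off = ENTRY_OFF + 16 * i
        sector[off] = status
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, start, count)
    sector[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


# Constructed sample image: one NTFS-type partition starting at LBA 2048.
ORIGINAL_MBR = build_mbr(b"\xeb\x3c\x90" + b"\x90" * 40, [(0x80, 0x07, 2048, 204800)])
# Stand-in for the replacement sector: prints the message, has no partition table.
TRASHED_MBR = build_mbr(b"Your computer has been trashed", [])
SAMPLE_IMAGE = TRASHED_MBR + ORIGINAL_MBR + bytes(SECTOR * 6)

if __name__ == "__main__":
    idx = find_backup_mbr(SAMPLE_IMAGE)
    print("backup MBR found at sector", idx)
    restored = restore_mbr(SAMPLE_IMAGE, idx)
    print("partitions after restore:", parse_partitions(restored[:SECTOR]))
```

If no plausible copy turns up within the scanned range, the fallback the post describes still applies: the partition table can be rebuilt from the filesystem headers found at the usual starting offsets, or the volume can simply be mounted at that offset from a clean system to copy the data off.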

If you wish to avoid dealing with the mess the Coronavirus wiper springs on you, remember to be wary. Vigilance helps you spot cybercriminals' attempts at pushing infections on you. So, be thorough, catch them in the act, and hinder their success. Keep your guard up, and keep your system infection-free.

April 9, 2020
