Cybercriminals Distribute the AZORult Information Stealer With the Help of a Coronavirus Map
You'd think that in the age of the internet, the distribution of truthful information, especially regarding events with worldwide impact, would be reliable and quick, but the reality is quite a bit different. Take the COVID-19 outbreak that everyone is talking about at the moment. In a recent article, we explained that the fake news surrounding the new coronavirus is spreading much more quickly than the virus itself. It's been a little over a month since our report came out, but it's safe to say that things haven't really changed.
People are still bombarded with false information regarding the origin of the disease, the dangers it poses, and the ways you can protect yourself. Meanwhile, the figures different news outlets post are contradictory at best and fail to give us a clear idea of how widespread the virus is.
It should come to you as no surprise that cybercriminals are trying to make the best out of this situation. Researchers from Reason Cyber Security recently wrote about a malware campaign that is using the lack of information around the new coronavirus outbreak in order to spread the AZORult password stealer.
A weaponized coronavirus map distributes malware
The file responsible for the malware infection is called "Corona-virus-Map.com.exe," and it was submitted to VirusTotal on March 2. This is where Reason's researchers found it, which means that the distribution method remains unknown. In light of another recent malware campaign tied to the coronavirus outbreak, however, it's a pretty safe bet that the crooks are using spam messages to disseminate the malicious executable.
The file's name suggests that click-happy users who open it expect to see an interactive map that gives them detailed information on the distribution and the damage caused by the new COVID-19 virus. Surprisingly or not, this is exactly what they get. The file opens a new window and displays quite a lot of details surrounding the crisis, including the number of confirmed cases, the death toll, and the number of people who have recovered successfully. It's difficult to say how accurate the data is, but as Reason's researchers pointed out, the interface of the map "looks very good and convincing." This, from the hackers' perspective, is just as well, because it acts as a smokescreen for what is really happening.
A complicated infection procedure installs the AZORult password stealer
Reason's researchers examined the processes launched by Corona-virus-Map.com.exe and found that there are quite a few of them. Files are dropped, and a scheduled task is created, which ensures that the malware achieves persistence. After analyzing one of the processes, "Corona.exe," the experts realized that they were looking at a WinRAR archive containing two self-extracting files, which launch yet more processes and make API calls to specific libraries. Seeing this behavior, the researchers were in no doubt that they were looking at a sample of the AZORult information stealer.
AZORult is far from the newest malware strain of its type. It's been around since 2016 and is said to have come from Russia. According to Reason's experts, however, cybercriminals from all over the world are still trading it on underground forums, and as you can see, they are still using it against unsuspecting victims. There is a very good reason for this.
AZORult can steal a wide range of information. It first collects the victim's public IP, the OS version, the architecture, the hostname, and the account username. With the generic information in the bag, it takes a screenshot and starts looking for app-specific data. The malware checks the %AppData% folder for information regarding any saved Telegram and Steam accounts, and it also searches for the existence of wallets containing cryptocurrencies like Electrum and Ethereum. According to Reason's researchers, AZORult has the ability to create a new administrator account and allow RDP connections, which could make the victim vulnerable to a host of other attacks. It's not clear, however, whether it does that in the current campaign.
The malware's main objective, however, is the theft of login credentials saved in the victim's browser, and Reason's researchers noted that there have been no significant changes to the mechanisms responsible for this part of the operation. The malware's Command & Control (C&C) server sends a list of browsers that are to be attacked, the login data from each one of them is scraped, and it's sent back to the C&C in a TXT file.
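The infection chain described above (a double-extension executable that drops a file into %AppData%, runs it, and registers a scheduled task for persistence) is something a defender can hunt for in process and file telemetry. The following is an added example, not code from the article or from Reason's researchers: it runs a simple detection over constructed Sysmon-style events (the pids, user name and task name are made up; the file names are the ones the article reports) and flags scheduled-task creation whose process ancestry matches that pattern.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (made up for this example, not telemetry from the
# real sample): map executable runs from Downloads, drops and runs Corona.exe, which creates a task.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Users\u\Downloads\Corona-virus-Map.com.exe"},
    {"type": "file", "pid": 100, "path": r"C:\Users\u\AppData\Roaming\Corona.exe"},
    {"type": "process", "pid": 101, "ppid": 100, "image": r"C:\Users\u\AppData\Roaming\Corona.exe"},
    {"type": "process", "pid": 102, "ppid": 101, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\u\AppData\Roaming\Corona.exe"},
    {"type": "process", "pid": 200, "ppid": 1, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process", "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /query /tn Updater"},
]

USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")
DOUBLE_EXT = re.compile(r"\.(com|txt|pdf|doc|jpg|png)\.exe$", re.I)

def is_double_extension(image):
    """Names like Corona-virus-Map.com.exe: a decoy extension sitting before .exe."""
    return bool(DOUBLE_EXT.search(PureWindowsPath(image).name))

def ancestors(pid, procs):
    """Parent chain of a process, nearest ancestor first."""
    chain = []
    while pid in procs:
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain

def find_chains(events):
    """Flag scheduled-task creation whose ancestry matches the dropper pattern."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    dropped = {e["path"].lower(): e["pid"] for e in events if e["type"] == "file"}
    findings = []
    for e in procs.values():
        # Only task *creation* is persistence; schtasks /query is benign noise.
        if not (e["image"].lower().endswith("\\schtasks.exe") and "/create" in e.get("cmd", "").lower()):
            continue
        for anc in ancestors(e["ppid"], procs):
            img, reasons = anc["image"].lower(), []
            if any(p in img for p in USER_WRITABLE) and is_double_extension(img):
                reasons.append("double-extension executable run from a user-writable path")
            # The dropped file is suspicious when the process that wrote it is its own ancestor.
            if dropped.get(img) in {a["pid"] for a in ancestors(anc["ppid"], procs)}:
                reasons.append("runs a file that one of its own ancestors dropped")
            if reasons:
                findings.append({"task_pid": e["pid"], "root_pid": anc["pid"], "reasons": reasons})
    return findings
```

On a real host, the same logic can be fed from Sysmon event ID 1 (process create) and event ID 11 (file create) records instead of the constructed list.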
All in all, the crooks have a very powerful strain of information-stealing malware at their disposal. By using the hype and panic around COVID-19, they are maximizing the number of potential victims, and with a functioning interactive map showing actual information about the outbreak, they are further increasing their chances of a successful infection.
This is all completely understandable. It's only normal that people want to get more information about the coronavirus outbreak. What they should realize, however, is that an unexpected executable file in their inbox is probably not the best source. Try to get your news only from the people and organizations that can tell you the truth. This way, you'll be better prepared to defend yourself not only against COVID-19 but also against online threats like AZORult.