Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.
As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.
Corona antivirus: 100% fake
The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.
To add to the nonsense, the site goes on by adding:
Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.
Infected victims added to BlackNET RAT
Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands:
hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//getCommand[.]php?[removed] hxxps[://]instaboom-hello[.]site//receive[.]php?command=[removed]
The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.
The full source code for this toolkit was published on GitHub a month ago. Some of its features include:
- Deploying DDOS attacks
- Taking screenshots
- Stealing Firefox cookies
- Stealing saved passwords
- Implementing a keylogger
- Executing scripts
- Stealing Bitcoin wallets
Choose the right protection
During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.
We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.
Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine.
We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish.
Indicators of compromise
You may be interested in...
Bogus corona antivirus
The post Fake “Corona Antivirus” distributes BlackNET remote administration tool appeared first on Malwarebytes Labs.