Digital Coronavirus - A Combination of Ransomware and Infostealer

Threats built around the coronavirus theme keep appearing online. Today we want to share one interesting instance that clearly shows how far attackers will go to maximize their profit: a 2-in-1 threat that calls itself CoronaVirus. Detailed information about the malware follows.


Exploitation of the coronavirus theme began more than a month ago. Attackers have been riding the public interest in the spread of the pandemic and in the measures taken against it. A huge number of widgets, special-purpose applications, and fake sites have appeared online that compromise users, steal data, and sometimes encrypt the contents of the device and demand a ransom. That is exactly what the Coronavirus Tracker mobile app did: it locked the device and demanded a ransom.

A separate vector for spreading malware has been the confusion around financial support measures. In many countries the government has promised assistance to ordinary citizens and to businesses during the pandemic, and almost nowhere is obtaining that help simple and transparent. Many people hope for financial support but do not know whether they are on the list of those who will receive a state subsidy, and those who have already received something from the state are unlikely to turn down more.

This is exactly what attackers exploit. They send e-mails on behalf of banks, financial regulators, and social security agencies offering help. All you need to do is follow the link ...

It is not hard to guess that after clicking the dubious link the victim lands on a phishing site that invites them to enter their financial details. Most often, while the site opens, the attackers also try to infect the computer with a Trojan aimed at stealing personal data, and financial information in particular. Sometimes the e-mail carries a password-protected attachment that supposedly contains "important information on how you can get support from the government" but actually contains spyware or ransomware.

Infostealer-class programs have also recently begun to spread through social networks. For example, if you want to download a legitimate Windows utility, say from wisecleaner[.]best, an infostealer may well come with it. Clicking the link gives the user a downloader that fetches the malware alongside the utility, with the download source selected according to the configuration of the victim's computer.

Coronavirus 2022


Why this long digression? Because the new malware, whose creators did not spend long on a name, has absorbed all of the above and treats the victim to two attacks at once: on one side it loads an encryptor (CoronaVirus), on the other the KPOT infostealer.

Coronavirus ransomware


The encryptor itself is a small 44 KB file. The threat is simple but effective. The executable copies itself under a random name into the user's temporary folder, %AppData%\Local\Temp\vprdh.exe in the analyzed sample, and adds an autorun value under the \Windows\CurrentVersion\Run registry key. Once the copy is in place, the original is deleted.

Like most ransomware, CoronaVirus tries to destroy local backups and volume shadow copies before encrypting anything, by running the following system commands:
C:\Windows\system32\VSSADMIN.EXE Delete Shadows /All /Quiet
C:\Windows\system32\wbadmin.exe delete systemstatebackup -keepVersions:0 -quiet
C:\Windows\system32\wbadmin.exe delete backup -keepVersions:0 -quiet

Next, the malware starts encrypting files. Each encrypted file is renamed by prepending the attacker's contact address as a prefix, while the rest of the name, extension included, is left unchanged:

coronaVi2022@protonmail.ch__

In addition, the ransomware changes the volume label of drive C: to CoronaVirus.
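Because the renaming scheme keeps the original name intact behind a fixed prefix and the note is dropped into every directory the encryptor visited, scoping the damage on an evidence copy is a directory walk. The script below is an added example, not code from the original post: the prefix and note name come from the analysis above, while the directory tree, file contents and note text are constructed for the demo (the real note text is not reproduced here).

```python
"""Scope a CoronaVirus infection on a mounted volume or evidence copy: every file it
encrypted keeps its original name behind the coronaVi2022@protonmail.ch__ prefix, and
every directory it touched receives a CoronaVirus.txt note. Added example, not code
from the original post; the directory tree below is constructed for the demo."""
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Tuple

PREFIX = "coronaVi2022@protonmail.ch__"   # from the sample's renaming scheme
NOTE_NAME = "CoronaVirus.txt"             # ransom note dropped per directory


def original_name(name: str) -> str:
    """Recover the pre-infection file name; the part after the prefix is untouched."""
    return name[len(PREFIX):] if name.startswith(PREFIX) else name


def triage(root: Path) -> Dict[str, dict]:
    """Map each affected directory (relative to root) to its note flag and encrypted files."""
    report: Dict[str, dict] = {}
    for dirpath, _, filenames in os.walk(root):
        encrypted: List[Tuple[str, str]] = sorted(
            (f, original_name(f)) for f in filenames if f.startswith(PREFIX)
        )
        has_note = NOTE_NAME in filenames
        if encrypted or has_note:
            rel = os.path.relpath(dirpath, root)
            report[rel] = {"note": has_note, "encrypted": encrypted}
    return report


def summarize(report: Dict[str, dict]) -> dict:
    """Totals a responder wants first: how much was hit, which file types, and any
    directory that holds a note but nothing encrypted (no targets, or an interrupted run)."""
    files = [orig for d in report.values() for _, orig in d["encrypted"]]
    return {
        "directories": len(report),
        "encrypted_files": len(files),
        "notes": sum(1 for d in report.values() if d["note"]),
        "extensions": dict(Counter(Path(f).suffix.lower() for f in files)),
        "note_only_dirs": sorted(d for d, v in report.items() if v["note"] and not v["encrypted"]),
    }


def build_sample_tree(base: Path) -> None:
    """Constructed victim tree: two hit directories, one note-only, one untouched."""
    docs = base / "Documents"
    docs.mkdir()
    (docs / f"{PREFIX}budget.xlsx").write_bytes(b"\x00" * 32)   # stand-in ciphertext
    (docs / f"{PREFIX}notes.txt").write_bytes(b"\x00" * 32)
    (docs / NOTE_NAME).write_text("placeholder ransom note\n")  # not the real note
    pics = base / "Pictures"
    pics.mkdir()
    (pics / f"{PREFIX}cat.jpg").write_bytes(b"\x00" * 32)
    (pics / NOTE_NAME).write_text("placeholder ransom note\n")
    empty = base / "Empty"
    empty.mkdir()
    (empty / NOTE_NAME).write_text("placeholder ransom note\n")
    clean = base / "Untouched"
    clean.mkdir()
    (clean / "readme.md").write_text("still readable\n")


def run_demo() -> Tuple[Dict[str, dict], dict]:
    """Build the constructed tree in a scratch directory, triage it, return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        report = triage(root)
    return report, summarize(report)


if __name__ == "__main__":
    report, totals = run_demo()
    for d, v in sorted(report.items()):
        print(d, "note" if v["note"] else "no note", [o for _, o in v["encrypted"]])
    print(totals)
```

Point `triage()` at the mount point of a disk image rather than the constructed tree to get the real inventory; the `note_only_dirs` list is worth a look because it tells you where the encryptor ran but found nothing it could handle, which bounds the blast radius.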



In every directory the malware managed to reach, a CoronaVirus.txt file appears containing the payment instructions. The ransom is only 0.008 bitcoin, roughly $60, which is a very modest figure. Either the author was not out to get rich, or, on the contrary, decided that this is an amount every user stuck at home in self-isolation can afford: if you cannot go out anyway, $60 to get the computer working again is not that much.


The ransomware also writes a small executable into the temporary files folder and registers it in the registry under the BootExecute value (which Session Manager runs at boot, before the Win32 subsystem is up), so that the payment instructions are displayed the next time the computer starts. Depending on system settings this message may not be shown. In any case, once all files are encrypted the computer is restarted automatically.


KPOT infostealer


The ransomware is accompanied by the KPOT spyware. This infostealer can steal cookies and saved passwords from a variety of browsers, from games installed on the PC (including Steam), and from Jabber clients and Skype. It is also interested in FTP and VPN credentials. Having done its job and stolen everything it can, the spy removes itself with the following command (the ping to localhost serves as a short delay so that the stealer's own process has exited before the file is deleted):

cmd.exe /c ping 127.0.0.1 && del C:\temp\kpot.exe
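Both components leave distinctive process-creation telemetry: the encryptor spawns the three vssadmin/wbadmin commands listed above from one parent process, and KPOT's last act is a cmd.exe whose command line pings localhost and then deletes the parent's own image. The script below is an added example, not code from the original post or from Acronis: it runs a small rule set over constructed Sysmon-style event records (field names mimic Sysmon Event ID 1, the values are made up). The backup-tampering rules deliberately go beyond the three commands seen in this sample to the equivalent wmic and bcdedit forms other ransomware families use.

```python
"""Flag ransomware-style backup tampering and the ping-then-del self-deletion idiom in
process-creation telemetry. Added example; SAMPLE_EVENTS are constructed records whose
field names (Image, ParentImage, CommandLine) mimic Sysmon Event ID 1."""
import re
from typing import Dict, List

# Constructed sample: the three commands from the CoronaVirus sample, KPOT's cleanup
# command, and two benign command lines that must not fire.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\vprdh.exe",
     "CommandLine": r"C:\Windows\system32\VSSADMIN.EXE Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\vprdh.exe",
     "CommandLine": r"C:\Windows\system32\wbadmin.exe delete systemstatebackup -keepVersions:0 -quiet"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\vprdh.exe",
     "CommandLine": r"C:\Windows\system32\wbadmin.exe delete backup -keepVersions:0 -quiet"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\temp\kpot.exe",
     "CommandLine": r"cmd.exe /c ping 127.0.0.1 && del C:\temp\kpot.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",          # benign: admin listing copies
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"vssadmin list shadows"},
    {"Image": r"C:\Windows\System32\cmd.exe",               # benign: ping without a del
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c ping 10.0.0.5 -n 2 && echo reachable"},
]

# (tag, pattern) pairs evaluated case-insensitively on the whitespace-normalized command line.
# The wmic and bcdedit rules generalize beyond this sample (assumption: same intent, other families).
RULES = [
    ("backup_tampering", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("backup_tampering", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("backup_tampering", re.compile(
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:backup|systemstatebackup|catalog)\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
]

# "ping <anything> && del <target>": ping used as a sleep, then a file deleted.
PING_THEN_DEL = re.compile(
    r"\bping\b[^&]*&&\s*del\b\s+(?:/[a-z]+\s+)*\"?(?P<target>[^\"&|]+?)\"?\s*$", re.I)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection tags that apply to one process-creation event."""
    cmd = " ".join(event["CommandLine"].split())
    tags = list(dict.fromkeys(name for name, rx in RULES if rx.search(cmd)))
    m = PING_THEN_DEL.search(cmd)
    if m:
        target = m.group("target").strip().lower()
        parent = event.get("ParentImage", "").lower()
        # When the deleted file is the parent's own image, the parent is wiping itself.
        tags.append("self_delete" if target == parent else "ping_then_del")
    return tags


def scan(events: List[Dict[str, str]]) -> List[dict]:
    """Events that matched at least one rule, with their tags attached."""
    hits = []
    for ev in events:
        tags = classify(ev)
        if tags:
            hits.append({"ParentImage": ev["ParentImage"], "CommandLine": ev["CommandLine"], "tags": tags})
    return hits


def parents_with_backup_tampering(events: List[Dict[str, str]], threshold: int = 2) -> Dict[str, int]:
    """Parents that issued at least `threshold` backup-tampering commands: a single process
    deleting shadows and catalogs back to back is the ransomware pre-encryption signature."""
    counts: Dict[str, int] = {}
    for ev in events:
        if "backup_tampering" in classify(ev):
            counts[ev["ParentImage"]] = counts.get(ev["ParentImage"], 0) + 1
    return {p: n for p, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["tags"], hit["ParentImage"], "->", hit["CommandLine"])
    print(parents_with_backup_tampering(SAMPLE_EVENTS))
```

The per-parent aggregation is the more useful alert: a lone `vssadmin delete shadows` can be an administrator, but one freshly dropped executable in a Temp folder issuing all three deletion commands in a row is the encryptor about to start, which is the moment to isolate the host rather than after the reboot.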

Already Not Only Ransomware


This attack, once again tied to the coronavirus pandemic, proves once more that modern ransomware is no longer content with encrypting your files. Here the victim also risks having passwords to various sites and portals stolen. Well-organized cybercriminal groups such as Maze and DoppelPaymer have already learned to use stolen personal data to blackmail victims who refuse to pay for file recovery, whether because the files turn out not to matter that much to them or because they have a backup system the ransomware could not reach.

For all its simplicity, the new CoronaVirus clearly shows that cybercriminals are looking for additional ways to monetize an infection. The strategy itself is not new: for several years Acronis analysts have been observing ransomware attacks that also plant financial trojans on the victim's computer. Moreover, in current conditions an encryption attack can serve as a diversion, drawing attention away from the attackers' main goal: data theft.

Either way, protection against such threats requires an integrated approach to cyber defense. Modern security systems block both components of this threat before they start, thanks to heuristic algorithms backed by machine learning, and when integrated with a backup / disaster recovery system they restore the first damaged files immediately.


For those interested, the file hashes (IoCs):

CoronaVirus ransomware (SHA-256): 3299f07bc0711b3587fe8a1c6bf3ee6bcbc14cb775f64b28a61d72ebcb8968d3
KPOT infostealer: a08db3b44c713a96fe07ec240c1540c440c1540c440c1540c2cd4cd4c4aaaaaaaaaaaaaaaaaaaaaa (the value as published is malformed: it is longer than a SHA-256 digest and contains repeated runs, so verify it against another source before using it as an indicator)
