Digital coronavirus - a combination of Ransomware and Infostealer

Threats exploiting the coronavirus theme keep appearing on the network. Today we want to share information about one interesting specimen that clearly demonstrates how far attackers will go to maximize their profits. This 2-in-1 threat calls itself CoronaVirus. Detailed information about the malware is under the cut.


Exploitation of the coronavirus topic began more than a month ago. Attackers took advantage of public interest in information about the spread of the pandemic and the measures being taken against it. A huge number of informers, special-purpose applications and fake sites have appeared on the network that compromise users, steal data, and sometimes encrypt the contents of the device and demand a ransom. This is exactly what the Coronavirus Tracker mobile app did: it blocked access to the device and demanded a ransom.

A separate vehicle for spreading malware has been the confusion around financial support measures. In many countries the government has promised help and support to ordinary citizens and businesses during the pandemic, and almost nowhere is receiving that assistance simple and transparent. Many people hope they will be helped financially but do not know whether they are on the list of those who will receive state subsidies. And those who have already received something from the state are unlikely to turn down additional assistance.

This is what attackers exploit. They send out letters on behalf of banks, financial regulators and social security authorities offering assistance. All you have to do is follow the link...

It is not hard to guess that after clicking on the dubious address, the person lands on a phishing site that asks them to enter their financial details. Most often, at the same time as the site opens, the attackers try to infect the computer with a Trojan aimed at stealing personal data and, in particular, financial information. Sometimes the email attachment is a password-protected file containing "important information about how you can get government support" in the form of spyware or ransomware.

In addition, programs from the Infostealer category have recently begun to spread via social networks. For example, if you want to download some legitimate Windows utility, say from wisecleaner[.]best, an Infostealer may well come bundled with it. After clicking the link, the user receives a downloader that fetches the malware along with the utility, and the download source is chosen depending on the configuration of the victim's computer.

Coronavirus 2022

Why this whole tour? Because the new malware, whose creators did not think too long about the name, simply combined the best of both worlds and treats the victim to two types of attack at once. On the one hand, the encryptor (CoronaVirus) is loaded; on the other, the KPOT infostealer.

Coronavirus ransomware

The ransomware itself is a small 44 KB file. The threat is simple but effective. The executable copies itself under a random name to %AppData%\Local\Temp\vprdh.exe and registers that copy for autostart under the Windows\CurrentVersion\Run registry key. After placing the copy, the original is deleted.

Like most ransomware, CoronaVirus attempts to remove local backups and disable volume shadow copies by running the following system commands:
C:\Windows\system32\VSSADMIN.EXE Delete Shadows /All /Quiet
C:\Windows\system32\wbadmin.exe delete systemstatebackup -keepVersions:0 -quiet
C:\Windows\system32\wbadmin.exe delete backup -keepVersions:0 -quiet

Next, the software starts encrypting files. The name of each encrypted file is prefixed with [email protected]__; everything else remains the same.
In addition, the ransomware changes the volume label of the C: drive to CoronaVirus.


In each directory that the virus managed to reach, a CoronaVirus.txt file appears containing payment instructions. The ransom is only 0.008 bitcoin, or approximately $60. Needless to say, this is a very modest figure. Either the author did not set out to get very rich... or, on the contrary, decided that this is a wonderful amount that every user sitting at home in self-isolation can pay. Admit it: if you are not allowed to go out, then $60 to get the computer working again is not that much.


In addition, the new ransomware writes a small DOS executable to the temporary files folder and registers it in the registry under the BootExecute key so that the payment instructions are shown the next time the computer restarts. Depending on system settings, this message may not be displayed. Either way, once all files are encrypted, the computer restarts automatically.


KPOT infostealer

This ransomware also comes with the KPOT spyware. This infostealer can steal cookies and saved passwords from a variety of browsers, from PC games (including Steam), and from the Jabber and Skype instant messengers. Its area of interest also includes FTP and VPN credentials. Having done its job and stolen everything it can, the spy deletes itself with the following command:

cmd.exe /c ping 127.0.0.1 && del C:\temp\kpot.exe
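The behaviours described above (shadow-copy and backup deletion, autostart from a Temp folder, BootExecute tampering, and the ping-then-delete cleanup) are each noisy on their own but rarely occur together on a healthy host. The following detector, an added example and not code from the original post or from Acronis, runs simple rules over constructed Sysmon-style event lines (process creation and registry modification, flattened to one line each; the SID, user name and file paths are invented) and counts how many distinct stages appear.

```python
import re

# Constructed sample telemetry, one flattened Sysmon-style event per line.
# EventID=1 is process creation, EventID=13 is a registry value write.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\system32\VSSADMIN.EXE CommandLine="VSSADMIN.EXE Delete Shadows /All /Quiet" ParentImage=C:\Users\bob\AppData\Local\Temp\vprdh.exe',
    r'EventID=1 Image=C:\Windows\system32\wbadmin.exe CommandLine="wbadmin.exe delete systemstatebackup -keepVersions:0 -quiet" ParentImage=C:\Users\bob\AppData\Local\Temp\vprdh.exe',
    r'EventID=13 TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\vprdh Details=C:\Users\bob\AppData\Local\Temp\vprdh.exe',
    r'EventID=13 TargetObject=HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute Details=autocheck autochk * corona',
    r'EventID=1 Image=C:\Windows\system32\cmd.exe CommandLine="cmd.exe /c ping 127.0.0.1 && del C:\temp\kpot.exe" ParentImage=C:\temp\kpot.exe',
    r'EventID=1 Image=C:\Windows\system32\notepad.exe CommandLine="notepad.exe readme.txt" ParentImage=C:\Windows\explorer.exe',
]

# Each rule maps one stage from the write-up to a regex over the whole line.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_catalog_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+(systemstatebackup|backup|catalog)", re.I)),
    # Autostart value whose target lives under a Temp directory.
    ("run_key_to_temp", re.compile(r"TargetObject=\S*\\CurrentVersion\\Run\\\S+.*Details=\S*\\Temp\\", re.I)),
    ("bootexecute_modified", re.compile(r"Session Manager\\BootExecute", re.I)),
    # The KPOT self-removal idiom: ping as a sleep, then delete the binary.
    ("ping_then_self_delete", re.compile(r"ping\s+127\.0\.0\.1\s*&&\s*del\s+\S+", re.I)),
]


def detect(events):
    """Return (rule_name, event) for every event that matches a rule."""
    hits = []
    for event in events:
        for name, pattern in RULES:
            if pattern.search(event):
                hits.append((name, event))
    return hits


def score(events):
    """Number of distinct stages seen; several together is a far stronger
    signal of ransomware plus infostealer activity than any single hit."""
    return len({name for name, _ in detect(events)})


if __name__ == "__main__":
    for name, event in detect(SAMPLE_EVENTS):
        print(f"[{name}] {event[:80]}")
    print("distinct stages:", score(SAMPLE_EVENTS))
```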

No longer just ransomware

This attack, once again tied to the theme of the coronavirus pandemic, proves yet again that modern ransomware seeks not only to encrypt your files. In this case the victim also risks having passwords to various sites and portals stolen. Highly organized cybercriminal groups such as Maze and DoppelPaymer are already adept at using stolen personal data to blackmail users who do not want to pay for file recovery. After all, the files may turn out not to be that important, or the user may have a backup system that ransomware cannot reach.

Despite its simplicity, the new CoronaVirus clearly demonstrates that cybercriminals are also looking to increase their income and are seeking additional means of monetization. The strategy itself is not new: for several years now, Acronis analysts have observed ransomware attacks that also plant financial Trojans on the victim's computer. Moreover, in today's conditions a ransomware attack may serve as a diversion, drawing attention away from the intruders' main goal of data theft.

One way or another, protection against such threats is only possible with an integrated approach to cyber defense. Modern security systems easily block such threats (both of them) before they even start running, using heuristic algorithms backed by machine learning. When integrated with a backup/disaster recovery system, the first damaged files are restored immediately.


For those interested, the file hashes (IoCs) are:

CoronaVirus Ransomware: 3299f07bc0711b3587fe8a1c6bf3ee6bcbc14cb775f64b28a61d72ebcb8968d3
KPOT infostealer: a08db3b44c713a96fe07e0bfc440ca9cf2e3d152a5d13a70d6102c15004c4240


Source: habr.com
