These days, when the world is focused on getting a handle on the COVID-19 crisis, cybercriminals are taking advantage of our desire for information. We’re seeing all kinds of attacks leveraging the Coronavirus or COVID-19 name.
This CoronaVirus malware is a new type of ransomware that spreads through a phishing website, WiseCleaner[.]best. The website is supposed to resemble WiseCleaner.com, which provides free system utilities for Windows to improve the computer’s performance.
The further probe by Malware Hunter Team revealed that this ransomware is a wiper, and is distributed via a file titled WSHSetup.exe. It is the main downloader file for both CoronaVirus and Kpot. Upon its execution, the file downloads additional files from a remote website, one of which is the Kpot Trojan embedded into a file titled file1.exe.
Kpot can exfiltrate a variety of sensitive data from the device including web browser data, email, instant messengers, VPN, cryptocurrency, RDP, FTP, gaming software, and account information, apart from taking screenshots of the desktop and targeting crypto wallets stored on the device.
According to Bleeping Computer, the CoronaVirus is downloaded through another file titled file2.exe, which can target a different type of files. Its primary job is to encrypt data on the victim’s device and ask for ransom, which is considerably lower in this campaign in comparison to other ransomware campaigns as attackers are asking for 0.008BTC (USD 45). Moreover, it modifies the drive name as CoronaVirus.
[next]
The encrypted files’ names are replaced with the attacker’s email ID such as test.jpg will be renamed as ‘coronaVi2022@protonmail.ch___1.jpg.‘ The ransom note is displayed on the desktop in a file named CoronaVirus.txt.
It must be noted that the attackers’ Bitcoin wallet hasn’t received any payment yet, which hints upon the fact that this campaign is more about using the information provided by Kpot than receiving payments and CoronaVirus ransomware is just a distraction.
Prevention
Using the tools at our disposal, we tested the CoronaVirus ransomware against our Endpoint Privilege Manger. The good news is that it was 100% effective during our tests at preventing this malware from encrypting files. We also found that Endpoint Privilege Manager’s advanced credential theft protection capabilities can detect and block threats like the KPot infostealer and protect the user’s credentials. This proactive approach is not dependent on the ability to detect a new type of malware; instead, EPM treats all unknown applications as potentially suspicious and protects information accordingly.It’s also important to note that these attacks are based on social engineering, so basic prevention technique also apply here. Avoid clicking on unknown URLs or opening suspicious attachments. Make sure there are backups and the systems have the latest security updates.