By Uriel Kosayev (@MalFuzzer)
Someone decided to use such horror-like times to abuse people’s innocence by “providing” them with a trojanized application that displays a status map of the COVID-19 (Corona) virus worldwide spread and impact. In this blog, we will share our latest research on “Corona-virus-Map” malware.
Executive Summary
The Corona-virus-Map malware deceives by its presence and from the first glimpse, it actually looks like a legit application.
COVID-19\Coronavirus spread map
As you can understand, this is a trojanized application that displays a worldwide spread map of the COVID-19\Coronavirus to trick the user to believe in its legitimacy.
We that the Corona-virus-Map malware is a middle-man dropper for a variant of AZORult stealer that steals data such as banking websites login credentials, payment card information, cryptocurrency, credit card details, and more.
Malware Execution Kill Chain
Malware Execution Kill Chain
Corona-virus-Map.exe – The Dropper
The Corona-virus-Map.exe is an “AutoIt” compiled as we can see from the “AutoIt” signature (in red) and the file-ratio of 71.00% of the whole PE executable:
AutoIt compiled PE executable
The end result of the Corona-virus-Map.exe execution is the drop of two files under the path of %AppData%\Z11062600\ and execution of those two files, Corona.exe that will proceed with the malicious execution flow and the Corona-virus-Map.com.exe file that is used as the malware’s decoy:
Drop and execution of the two files
The 1st Corona.exe is actually a RAR-SFX archive file as can be seen below:
Corona.exe RAR-SFX archive file
The archive contains two files, Corona.sfx.exe and Corona.bat that are extracted to the %TEMP% directory and furthermore executes the Corona.bat batch script:
Corona.sfx.exe content extraction and execution
Finally, the Corona.exe drops and executes the next file, the bin.exe file.
bin.exe – The Stealer
bin.exe is the actual stealer that seeks cryptocurrency wallets, login credentials, browser cookies, and more.
The bin.exe is a Borland Delphi compiled executable as we can see below:
bin.exe – A Borland Delphi compiled executable
In some aspects, the bin.exe file is based on somewhat the same techniques and goals as the AZORult stealer malware family:
bin.exe VirusTotal detection results
From here we opened the bin.exe file to analyze its inner functionalities and behavior. First, we noticed that Windows API functions like CreateMutexA, CerateFileW, and more are initialized and executed to and from the BSS segment:
Windows API functions initialized and executed in the BSS segment
This interesting behavior occurs in the function under the main routine of bin.exe like can be seen in the stack trace:
sub_405668 (load_funcs_to_bss) stack trace
Then bin.exe proceeds to do more operations like decoding the Base64 string of the http://coronavirusstatus.space:
Base64 decoding mechanism under the sub_416DD4 function
Base64 encoded string of http://coronavirusstatus.space
Afterward, bin.exe fingerprints our testing system by collecting system information and encodes them to URL Encoding format:
The EDX register contains fingerprint data
The EDX register value in runtime
From here, bin.exe opens a socket and sends two DNS queries to http://coronavirusstatus[.]space and checks its response, if there is a positive response from the server, the malware continues to steal its desired data and sends them to the server. Below we can see which data the bin.exe seeks for:
Cryptocurrency wallets stealing
Skype, Telegram, and Steam credentials stealing
History and cookies data-stealing using SQLite queries
But in our case, we received a DNS response of “No such name”:
No such name DNS response
We also tried to run a WHOIS query on the domain and the only thing that we got registered on a Russian (RU) country:
Registered Russian Domain
Of course in this article, we are less focused on the threat intelligence aspect so we don’t go into further details.
Next to the bin.exe process, there is another process called Build.exe that creates a scheduled task that points to a file called Windows.Globalization.Fontgroups.exe:
Persistent schedule task
Persistent scheduled task action
The Windows.Globalization.Fontgroups.exe process further attempts to extract cookies from browsers like Chrome, Firefox, Edge, and Internet Explorer, zips the data by creating another process called Windows.Globalization.Fontgroups.module.exe, saving it under %AppData%\amd64_netfx4-system.runti..dowsruntime.ui.xaml and also executing Attrib.exe with the +h +s parameters to hide the folder’s presence.
Conclusions
It is sad to see that the ones behind those attacks are abusing our worldwide critical situation to steal people’s information and earnings. We at MalwareAnalysis.co are here to help you by bringing our knowledge to help the world to be more secure.
Indicators of Compromise
IP Addresses | DNS Queries |
99.86.3.78 | coronavirusstatus.space |
99.86.3.64 | services9.arcgis.com |
99.86.3.122 | cdn.arcgis.com |
99.86.3.67 | basemaps.arcgis.com |
99.86.3.74 | Tiles.arcgis.com |
99.86.3.23 | |
99.86.3.107 | |
99.86.3.89 | |
99.86.3.118 | |
99.86.3.48 | |
99.86.3.120 | |
99.86.3.114 | |
143.204.202.34 | |
143.204.202.72 | |
143.204.202.73 | |
143.204.202.48 | |
51.68.178.28:65233 |
Hashes |
Corona-virus-Map.exe:
2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307 |
bin.exe:
fda64c0ac9be3d10c28035d12ac0f63d85bb0733e78fe634a51474c83d0a0df8 |
Corona.exe (1st):
0B3E7FAA3AD28853BB2B2EF188B310A67663A96544076CD71C32AC088F9AF74D |
Corona.exe (2nd):
13C0165703482DD521E1C1185838A6A12ED5E980E7951A130444CF2FEED1102E |
Corona.bat:
0CD1E499799E4D98F1CB76DF08FF7A7F441216FF713DFA97CB6691C68C962CF8 |
Corona.sfx.exe:
148520C746AEE00D7330E8C639A0BCD576C9A431ACB197E36F27529F5E897FB4 |
Windows.Globalization.Fontgroups.exe: sha256,126569286F8A4CAEEABA372C0BDBA93A9B0639BEAAD9C250B8223F8ECC1E8040 |
Build.exe:
126569286f8a4caeeaba372c0bdba93a9b0639beaad9c250b8223f8ecc1e8040 |
Corona-virus-Map.com.exe:
203C7E843936469ECF0F5DEC989D690B0C770F803E46062AD0A9885A1105A2B8 |