Summary

As global awareness of the coronavirus pandemic gradually gives way to outright panic, and as governments ramp up their efforts to combat the virus and protect their citizens, global news agencies find themselves racing to meet the public’s demand for accurate information about new coronavirus-related infections, deaths, transmissions, and so on.

This demand creates an opening that malicious actors have quickly taken advantage of by spreading malware disguised as a “Coronavirus map”. Reason Labs’ cybersecurity researcher, Shai Alfasi, found and analyzed this malware, which weaponizes coronavirus map applications in order to steal credentials such as usernames, passwords, credit card numbers and other sensitive information stored in the user’s browser. Attackers can use this information for many other operations as well, such as selling it on the deep web or gaining access to bank accounts or social media.

The new malware activates a strain of malicious software known as AZORult. AZORult is an information stealer that was first discovered in 2016. It is used to steal browsing history, cookies, IDs/passwords, cryptocurrency and more, and it can also download additional malware onto infected machines. AZORult is commonly sold on Russian underground forums for the purpose of collecting sensitive data from infected computers. There is also a variant of AZORult that creates a new, hidden administrator account on the infected machine in order to allow Remote Desktop Protocol (RDP) connections.

As the coronavirus continues to spread and more apps and technologies are developed to monitor it, we will likely see an increase in corona-themed malware and its variants for the foreseeable future.

Sample Analyzed

VT: https://www.virustotal.com/gui/file/2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307/detection

File Name: Corona-virus-Map.com.exe

MD5: 73da2c02c6f8bfd4662dc84820dcd983

SHA-1: 949b69bf87515ad8945ce9a79f68f8b788c0ae39

SHA-256: 2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307

File Size: 3.26 MB (3421696 bytes)

File Type: Win32 EXE

First Submission: 2020-03-02 16:50:25

Short Summary

The malware has a very convincing GUI. When the malware runs, the GUI window loads information that it pulls from the web.

The malware uses a few layers of packing as well as a multi-sub-process technique to make analysis more difficult. It also uses an information-stealing technique first seen in 2016 and associated with the “AZORult” malware family. To ensure it persists and keeps operating, it uses the Windows “Task Scheduler”.

Indicators of Compromise:




Network communication

Process | IP address | URL
Bin.exe | 104.24.103.192:80 | Coronavirusstatus[.]space/index.php
Windows.Globalization.Fontgroups.exe | 149.154.167.220:443 | api.telegram.org
Windows.Globalization.Fontgroups.exe | 104.26.9.44:443 | ipapi.co/json
Windows.Globalization.Fontgroups.exe | 93.184.220.29:80 | ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
Corona-virus-Map.com.exe | 18.205.183.153:443 | gisanddata.maps.arcgis[.]com
Corona-virus-Map.com.exe | 54.192.87.49:443 | https://js.arcgis.com/3.31/dijit/form/_ListBase[.]js
Corona-virus-Map.com.exe | 54.192.87.49:443 | https://js.arcgis.com/3.31/dijit/form/MappedTextBox[.]js

Execution Flow Summary

NOTE: js.arcgis.com is safe to visit.

Full analysis

After receiving the sample, I started with dynamic analysis: executing the file “CoronaMap.exe”[PID 4280] opened a window that showed the following “CoronaVirus” statistics:

Running procmon at the same time revealed a multi-sub-process tree created by “CoronaMap.exe”[PID 4280], which is the root process.

“CoronaMap.exe”[PID 4280] starts by creating another binary called “Corona.exe”[PID 7032]. When analyzing this file, it was easy to see that it was an archive, which meant that it probably contained commands to run its own contents.

Simply by using WinRAR to view the archive’s contents, I found two files inside a self-extracting (SFX) archive. The two files were “Corona.bat” and “Corona.sfx.exe”, which we can also see in the process tree in procmon. Upon opening the “Corona.bat” file, we could see that “Corona.sfx.exe” was extracted with a hardcoded password (3D2oetdNuZUqQHPJmcMDDHYoqkyNVsFk9r) to the “C:\windows\system32” directory:

“Corona.sfx.exe”[PID 3552] extracts and runs a process called “Corona.exe”[PID 9452]. This process creates more processes, but we will focus on only three of them: “bin.exe”[PID 8604], “timeout.exe”[PID 5680] and “Build.exe”[PID 6348].

As I started to analyze “bin.exe”[PID 8604] with OllyDbg, I was able to see that it was writing several DLLs, one of which I already knew from other actors: “nss3.dll”:

Going deeper with OllyDbg, I saw static loading of APIs related to “nss3.dll”. The code used the API functions exported by “nss3.dll” to decrypt saved passwords and produce the output data.

This technique is pretty common. I had come across it once before, and after some digging discovered that this information-stealing tactic came from a malware family called “AZORult”, which was first seen in the wild in 2016. Its behavior is as follows: when the victim gets infected, the malware extracts data and creates a unique ID for the victim’s workstation. It then applies XOR encryption using the generated ID. This ID is used to tag the workstation in order to start C2 communication. The C2 server responds with configuration data, which contains target web browser names, web browser path information, API names, sqlite3 queries, and legitimate DLLs.

Using OllyDbg and keeping a trace on the API calls from the loaded “nss3.dll”, I was able to see the following calls:

sqlite3_open

sqlite3_close

sqlite3_prepare_v2

sqlite3_step

sqlite3_column_text

sqlite3_column_bytes

sqlite3_finalize

NSS_Init

PK11_GetInternalKeySlot

PK11_Authenticate

PK11SDR_Decrypt

NSS_Shutdown

PK11_FreeSlot

The password-stealing process is simple: the malware steals the “Login Data” file from the installed browser and moves it to “C:\Windows\Temp”. “Login Data” is an SQLite3 database, so to read it the malware queries the SQLite data in order to extract the information. Once the extraction is over, the malware creates a file called “PasswordList.txt”, which holds all the information.

As I kept digging in the code of “bin.exe”[PID 8604], I could see that the malware also looks for different cryptocurrency wallets such as “Electrum” and “Ethereum”:

It also looks for “Telegram Desktop”:

It searches for a “Steam” account:

It takes a screenshot and saves it as “scr.jpg”:

It resolves the public IP address of the victim machine and saves it as “ip.txt”:

It collects information about the system, such as the operating system, the architecture, the hostname, the username, etc.:

Continuing with “bin.exe”[PID 8604], I found that the malware communicates with its C2 server at 104.24.103.192:80, which resolves to http://coronavirusstatus[.]space/. By analyzing the traffic, I found that “bin.exe”[PID 8604] uses “chunked” transfer encoding, which is also something we see in the wild. When the Content-Length value is smaller than the chunked payload size, an origin server that relies on the Content-Length header to determine the length of the request will leave part of the payload unread, and that leftover will be concatenated onto the next incoming request. This is how the malware sends out the information it steals:
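To make the Content-Length versus chunked-body disagreement concrete, here is an added example (not code from the report) that parses a constructed request carrying both headers, decodes the chunked body, and reports what a server trusting either header would see; a gateway or IDS should treat such a request as an error rather than guess. The host name and request are constructed.

```python
"""Check an HTTP/1.1 request for the Content-Length / Transfer-Encoding
ambiguity and show how a server trusting each header would split it.
Added example, not code from the report; the sample request is constructed."""
from typing import Dict, Tuple


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body


def decode_chunked(body: bytes) -> Tuple[bytes, int]:
    """Decode a chunked body; return (payload, bytes consumed on the wire)."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # drop chunk extensions
        pos = end + 2
        if size == 0:
            while body[pos:pos + 2] != b"\r\n":  # skip any trailer lines
                pos = body.index(b"\r\n", pos) + 2
            return bytes(out), pos + 2  # include the final CRLF
        out += body[pos:pos + size]
        pos += size + 2  # step over chunk data and its trailing CRLF


def analyze(raw: bytes) -> Dict[str, object]:
    """Flag requests carrying both headers and quantify the disagreement."""
    request_line, headers, body = parse_request(raw)
    finding: Dict[str, object] = {"request_line": request_line, "ambiguous": False}
    cl = headers.get("content-length")
    if "chunked" in headers.get("transfer-encoding", "").lower() and cl is not None:
        payload, consumed = decode_chunked(body)
        finding.update({
            "ambiguous": True,  # RFC 7230 3.3.3: TE overrides CL; treat as an error
            "content_length": int(cl),
            "chunked_wire_bytes": consumed,
            "payload": payload,
            # bytes a Content-Length-trusting server would leave for the next request
            "leftover_if_cl_wins": body[int(cl):],
        })
    return finding


# Constructed sample: a 4-byte Content-Length beside a 15-byte chunked body.
SAMPLE = (b"POST /index.php HTTP/1.1\r\nHost: c2.example.test\r\n"
          b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value!r}")
```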

Moving on to “timeout.exe”[PID 5680], it was easy to understand that the malware author used it to delay execution. This is also a pretty common technique used to evade AVs.

As I started analyzing “Build.exe”[PID 6348], I could see a “LoadLibrary” of “taskschd.dll”, which I already knew from persistence mechanisms:

“Build.exe”[PID 6348] creates a subprocess, “Windows.Globalization.Fontgroups.exe”[PID 3848], which is what the persistence mechanism runs.

When analyzing “Windows.Globalization.Fontgroups.exe”[PID 3848], I could see that it was packed with UPX, which is pretty easy to unpack.

After unpacking, I noticed another layer of packing, this time with AutoIt. Moving forward with the analysis, I found that this binary is responsible for enumerating the OS to find new browsers and resources it can steal information from:

“Windows.Globalization.Fontgroups.exe”[PID 3848] creates a process called “Windows.Globalization.Fontgroups.module.exe”[PID 3848], which is responsible for creating the archive with all the information “bin.exe”[PID 8604] sends out:

C:\Users\shy32\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_64B5614D0F4B35423983.7z

“Windows.Globalization.Fontgroups.exe”[PID 3848] uses “attrib.exe”[PID 8832] to hide this directory:
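The behaviours above (a non-browser process opening a browser “Login Data” database, NSS libraries dropped into %TEMP%, taskschd.dll loaded by a binary living in AppData, and attrib.exe hiding an AppData directory) can be turned into simple triage rules over Process Monitor exports. The following is an added example, not Reason Labs’ tooling: the CSV column layout is an assumption and the events, PIDs and details are constructed, though the paths follow the ones in this report.

```python
"""Triage constructed Process Monitor-style events for the behaviours in the
report. Added example, not Reason Labs' code; column layout is assumed and
every event line is constructed."""
import csv
import io
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed events (assumed procmon CSV export columns, Image Path enabled).
EVENTS = r"""Process Name,PID,Image Path,Operation,Path,Detail
chrome.exe,1200,C:\Program Files\Google\Chrome\Application\chrome.exe,CreateFile,C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data,Desired Access: Generic Read
bin.exe,8604,C:\Users\user\AppData\Roaming\Z58538177\bin.exe,CreateFile,C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data,Desired Access: Generic Read
bin.exe,8604,C:\Users\user\AppData\Roaming\Z58538177\bin.exe,WriteFile,C:\Users\user\AppData\Local\Temp\2fda\nss3.dll,Length: 1234
bin.exe,8604,C:\Users\user\AppData\Roaming\Z58538177\bin.exe,Load Image,C:\Users\user\AppData\Local\Temp\2fda\nss3.dll,Image Base: 0x6c000000
Build.exe,6348,C:\Users\user\AppData\Roaming\Z58538177\Build.exe,Load Image,C:\Windows\SysWOW64\taskschd.dll,Image Base: 0x75000000
attrib.exe,8832,C:\Windows\SysWOW64\attrib.exe,Process Create,C:\Windows\SysWOW64\attrib.exe,Command line: attrib +h C:\Users\user\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml
"""

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe", "opera.exe"}
NSS_DLLS = {"nss3.dll", "freebl3.dll", "softokn3.dll", "mozglue.dll"}
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
APPDATA_RE = re.compile(r"\\appdata\\(roaming|local)\\", re.I)

Event = Dict[str, str]
Rule = Callable[[Event], Optional[str]]


def rule_login_data(ev: Event) -> Optional[str]:
    """Browser credential store opened by something that is not a browser."""
    if ev["Path"].lower().endswith("\\login data") and ev["Process Name"].lower() not in BROWSERS:
        return "non-browser process opened a browser Login Data database"
    return None


def rule_nss_from_temp(ev: Event) -> Optional[str]:
    """NSS crypto libraries (used to decrypt saved passwords) living in %TEMP%."""
    name = ev["Path"].rsplit("\\", 1)[-1].lower()
    if name in NSS_DLLS and TEMP_RE.search(ev["Path"]) and ev["Process Name"].lower() != "firefox.exe":
        return "NSS library written to or loaded from %TEMP%"
    return None


def rule_taskschd_from_appdata(ev: Event) -> Optional[str]:
    """Task Scheduler COM library loaded by a binary running out of AppData."""
    if (ev["Operation"] == "Load Image" and ev["Path"].lower().endswith("\\taskschd.dll")
            and APPDATA_RE.search(ev["Image Path"])):
        return "taskschd.dll loaded by a binary running from AppData"
    return None


def rule_attrib_hide(ev: Event) -> Optional[str]:
    """attrib.exe setting the hidden attribute on a path under AppData."""
    detail = ev["Detail"]
    if ev["Process Name"].lower() == "attrib.exe" and "+h" in detail.lower() and APPDATA_RE.search(detail):
        return "attrib.exe hiding a directory under AppData"
    return None


RULES: List[Rule] = [rule_login_data, rule_nss_from_temp, rule_taskschd_from_appdata, rule_attrib_hide]


def triage(csv_text: str) -> List[Tuple[str, int, str]]:
    """Run every rule over every event; return (process, pid, finding) hits in order."""
    hits: List[Tuple[str, int, str]] = []
    for ev in csv.DictReader(io.StringIO(csv_text)):
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((ev["Process Name"], int(ev["PID"]), msg))
    return hits


if __name__ == "__main__":
    for proc, pid, msg in triage(EVENTS):
        print(f"{proc}[{pid}]: {msg}")
```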

Prevention and Remediation

Remediation

Download the Reason Antivirus software.

Double-click on the installed executable and follow the prompts to complete the installation.

Once the installation is complete, click ‘Finish’.

Definitions and security patches will automatically be updated.

Once the process is complete, select the ‘Scan Now’ button to start your scan.

When the scan is finished, select all the threats that were detected and then click on ‘Remove selected threats’. When prompted, restart your computer.


Note: The original Johns Hopkins University or ArcGIS coronavirus map hosted online is not infected or backdoored in any way and is safe to visit.

About Reason Labs

Reason Labs is the threat research arm of Reason Cybersecurity. We play a leading role in researching and exploring cyber threats and advancing the state of cybersecurity intelligence. Reason Labs collects raw data about existing and emerging threats and analyzes that data to deliver actionable insights in real-time.

We leverage the threat intelligence we gather from always-on active sensors, in order to continuously analyze, organize, and add context to evolving cyber activities, attacks and threats. This powerful intelligence network leaves Reason prepared to meet threats head-on.

For more information, reach out at shai@reasonsecurity.com

Offline version of the analysis can be found here