CoronaVirus Ransomware Masquerades as WiseCleaner Installer

Many phishing campaigns have been detected that use the novel coronavirus as a lure and now a new ransomware variant called CoronaVirus has been detected and analyzed by MalwareHunterTeam. CoronaVirus ransomware is being distributed through a malicious website masquerading as software called WiseCleaner, a tool that can be used to clean up the registry and remove duplicate files and junk files from computers. WiseCleaner is legitimate software tool, but the website used in this campaign is fake.

It is currently unclear how traffic to the website is being generated. Campaigns such as this typically use malvertising for traffic – Malicious adverts on ad networks that direct users to malicious websites. These adverts are displayed on many legitimate websites that use third party ad networks to generate extra revenue.

If a website visitor tries to download WiseCleaner from the malicious website (The genuine website is wisecleaner.com), a file named WSHSetup.exe will be downloaded. Executing this file will download two malicious payloads: CoronaVirus ransomware and the Kpot Trojan. The Kpot Trojan is an information stealer that steals a variety of credentials, including Skype, Steam, Discord, VPN, email, and FTP passwords from a variety of different applications. The Kpot Trojan steals information such as banking credentials that have been saved in browsers and can also steal cryptowallets. The executable file also attempts to download other files, although currently only two files are downloaded. The intention may well be to download a cocktail of malware.

When CoronaVirus ransomware is downloaded and executed it encrypts a range of different file types. The encrypted files are renamed using the attacker’s email address, but the original file extension is retained. A ransom note is dropped in each folder where files are encrypted.

Interestingly, the ransom demand is very low. The attackers only charge 0.08 BTC – around $50 – for the keys to decrypt files. This suggests the ransomware component of the attack is not the main aim of the campaign which is to distribute the Kpot Trojan and potentially other malware payloads. CoronaVirus ransomware may just be a distraction.

There is currently no known decryptor for CoronaVirus ransomware and it is unclear whether the attackers can – or will – supply valid keys that allow encrypted files to be recovered.

Businesses can protect against attacks such as this by ensuring they backup all of their files regularly and store the backups offline. A web filtering solution should also be implemented to prevent malicious files from being downloaded. Web filters can be configured to prevent attempts by employees to visit malicious websites and also to block downloads of risky file types such as .exe files.

For more information on web filtering and to find out how TitanHQ’s web filtering solution, WebTitan, can help to protect your business from web-based cyberattacks, give the TitanHQ sales team a call today.