“Corona-virus-Map”

Malware Analysis

Triox’s researchers have detected attackers leveraging the COVID-19\Coronavirus outbreak to spread malware and steal information since the early days of the epidemic.

Someone decided to use these horror-like times to abuse people’s innocence by “providing” them with a trojanized application that displays a status map of the worldwide spread and impact of the COVID-19 (Corona) virus. In this blog, Uriel Kosayev, Triox’s Chief Technology Officer, shares our latest research on the “Corona-virus-Map” malware.

Executive Summary

The Corona-virus-Map malware deceives by its appearance: at first glance it actually looks like a legitimate application.

Figure: COVID-19\Coronavirus spread map

As can be seen, this is a trojanized application that displays a worldwide spread map of COVID-19\Coronavirus to trick the user into believing it is legitimate.

Triox’s research team found that the Corona-virus-Map malware is a middle-man dropper for a variant of the AZORult stealer, which steals data such as banking website login credentials, payment card information, cryptocurrency, credit card details and more.

Malware Execution Kill Chain

Figure: Malware Execution Kill Chain

Corona-virus-Map.exe – The Dropper

Corona-virus-Map.exe is an AutoIt-compiled executable, as we can see from the “AutoIt” signature (in red) and the file ratio of 71.00% of the whole PE executable:

Figure: AutoIt compiled PE executable

Executing Corona-virus-Map.exe ends with two files being dropped under %AppData%\Z11062600\ and executed: Corona.exe, which continues the malicious execution flow, and Corona-virus-Map.com.exe, which serves as the malware’s decoy:

Figure: Drop and execution of the two files

The 1st Corona.exe is actually a RAR-SFX archive file.


The archive contains two files, Corona.sfx.exe and Corona.bat, which are extracted to the %TEMP% directory; the archive then executes the Corona.bat batch script:

Figure: Corona.sfx.exe content extraction and execution

Finally, Corona.exe drops and executes the next file, bin.exe.

bin.exe – The Stealer

bin.exe is the actual stealer; it looks for cryptocurrency wallets, login credentials, browser cookies and more.

bin.exe is a Borland Delphi compiled executable, as we can see below:

Figure: bin.exe – A Borland Delphi compiled executable

In several respects, bin.exe relies on much the same techniques and goals as the AZORult stealer malware family:

Figure: bin.exe VirusTotal detection results

From here we opened bin.exe to analyze its inner functionality and behavior. First we noticed that Windows API functions such as CreateMutexA, CreateFileW and more are actually resolved at runtime into the BSS segment and called from there:

Figure: Windows API functions initialized and executed in the BSS segment

This interesting behavior occurs in a function called from the main routine of bin.exe, as can be seen in the stack trace:

Figure: sub_405668 (load_funcs_to_bss) stack trace

Then bin.exe proceeds with further operations, such as decoding the Base64 string of http://coronavirusstatus.space:

Figure: Base64 decoding mechanism under the sub_416DD4 function

Figure: Base64 encoded string of http://coronavirusstatus.space
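Because the C2 address is stored as a Base64 string rather than in clear text, a plain strings run over the binary will not show it. The following Python is an added triage example, not code from the original analysis or from the malware: it scans a byte buffer for runs of Base64 alphabet characters, decodes each run and keeps the ones that decode to a clean http(s) URL. The sample buffer is constructed here around the Base64 form of the URL named above; the regular expressions and the 16-character minimum run length are assumptions chosen for this example.

```python
import base64
import re
import sys

# Constructed sample buffer (not bytes from the real sample): the Base64 form of
# the C2 URL named in the analysis, surrounded by filler bytes the way such a
# string sits among other data in a PE file.
SAMPLE = (b"\x00\x00\x05" + base64.b64encode(b"http://coronavirusstatus.space")
          + b"\x00\x00MZ\x90\x00")

# Runs of Base64 alphabet characters long enough to be worth decoding, with
# optional padding (16 is an assumed minimum that skips short accidental runs).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
# A decoded candidate counts as a URL only if it is a clean http(s) URL.
URL = re.compile(r"^https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s]*)?$")


def decode_candidate(run: bytes):
    """Decode one Base64 run, repairing missing padding; None if it is not valid Base64 text."""
    core = run.rstrip(b"=")
    core += b"=" * (-len(core) % 4)
    try:
        return base64.b64decode(core, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def find_encoded_urls(data: bytes):
    """Return the URLs hidden as Base64 runs anywhere in the data, in order of appearance."""
    urls = []
    for m in B64_RUN.finditer(data):
        text = decode_candidate(m.group(0))
        if text and URL.match(text):
            urls.append(text)
    return urls


def scan_file(path):
    """Convenience wrapper: scan a whole file from disk."""
    with open(path, "rb") as fh:
        return find_encoded_urls(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = ({p: scan_file(p) for p in targets} if targets
               else {"<sample>": find_encoded_urls(SAMPLE)})
    for name, urls in results.items():
        for u in urls:
            print(f"{name}: {u}")
```

Run it with one or more file paths to scan real binaries, or with no arguments to see it recover the URL from the constructed sample. The padding repair matters because a Base64 run inside a binary is often followed by a null or another non-alphabet byte, so the trailing "=" characters may be missing from the match.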

Afterwards, bin.exe fingerprints our test system by collecting system information and encoding it in URL-encoded format:

Figure: The EDX register contains fingerprint data

Figure: The EDX register value in runtime

From here, bin.exe opens a socket, sends two DNS queries for coronavirusstatus[.]space and checks the response; if the server answers positively, the malware continues to steal the data it is after and sends it to the server. Below we can see which data bin.exe looks for:

Figure: Cryptocurrency wallets stealing

Figure: Skype, Telegram and Steam credentials stealing

Figure: History and cookies data stealing using SQLite queries

In our case, however, we received a DNS response of “No such name”.


We also ran a WHOIS query on the domain, and the only thing we got was that it is registered in Russia (RU).


Since this article is less focused on the threat intelligence aspect, we do not go into further details here.

Alongside the bin.exe process there is another process, Build.exe, that creates a scheduled task pointing to a file called Windows.Globalization.Fontgroups.exe:

Figure: Persistent scheduled task

Figure: Persistent scheduled task action

The Windows.Globalization.Fontgroups.exe process then attempts to extract cookies from browsers such as Chrome, Firefox, Edge and Internet Explorer, zips the data through another process it creates, Windows.Globalization.Fontgroups.module.exe, saves the archive under %AppData%\amd64_netfx4-system.runti..dowsruntime.ui.xaml, and runs Attrib.exe with the +h +s parameters to hide the folder’s presence.
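The persistence and hiding steps above leave footprints in process-creation telemetry that can be checked without any file signature. The following Python is an added detection example, not part of the original analysis: it runs three rules over a list of constructed process-creation events (image path plus command line), flagging a scheduled task whose action points into AppData, attrib.exe applying +h and +s to an AppData path, and a binary carrying a Windows-component-style name that runs from AppData. The user name, directory and task name in the events are placeholders, and the schtasks.exe command line is an assumption about how the task could be created, since the analysis only states that Build.exe creates it.

```python
import re

# Constructed process-creation events (not real telemetry). Paths and the task
# name are placeholders; the schtasks.exe command line is an assumed way of
# creating the task, as the analysis only says Build.exe creates it.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Roaming\Z11062600\Build.exe",
     "cmdline": r'schtasks.exe /create /tn "ExampleTask" /sc onlogon '
                r'/tr "C:\Users\alice\AppData\Roaming\ExampleDir\Windows.Globalization.Fontgroups.exe"'},
    {"image": r"C:\Users\alice\AppData\Roaming\ExampleDir\Windows.Globalization.Fontgroups.exe",
     "cmdline": r'"C:\Users\alice\AppData\Roaming\ExampleDir\Windows.Globalization.Fontgroups.exe"'},
    {"image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'attrib.exe +h +s "C:\Users\alice\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml"'},
    # Two benign events that must not be flagged.
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /sc daily /tr "C:\Program Files\Backup\backup.exe"'},
    {"image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'attrib.exe -r "C:\Users\alice\Documents\notes.txt"'},
]

# Any path component \AppData\ (case-insensitive) marks a user-writable location.
APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)
# schtasks /tr accepts a quoted or an unquoted target.
TR_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
CREATE_RE = re.compile(r"schtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)


def task_target(cmdline):
    """Return the /tr target of a schtasks /create command line, or None."""
    if not CREATE_RE.search(cmdline):
        return None
    m = TR_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def flags_for(event):
    """Return the names of the rules one event triggers (empty list if none)."""
    image, cmd = event["image"], event["cmdline"]
    exe = image.rsplit("\\", 1)[-1].lower()
    flags = []
    target = task_target(cmd)
    if target and APPDATA_RE.search(target):
        flags.append("schtasks_create_appdata")
    if exe == "attrib.exe":
        toks = cmd.lower().split()
        if "+h" in toks and "+s" in toks and APPDATA_RE.search(cmd):
            flags.append("attrib_hide_system_appdata")
    if exe.startswith("windows.") and APPDATA_RE.search(image):
        flags.append("windows_named_binary_in_appdata")
    return flags


def scan_events(events):
    """Return (image, flags) for every event that triggered at least one rule."""
    hits = []
    for e in events:
        flags = flags_for(e)
        if flags:
            hits.append((e["image"], flags))
    return hits


if __name__ == "__main__":
    for image, flags in scan_events(SAMPLE_EVENTS):
        print(f"{', '.join(flags)}: {image}")
```

Each rule on its own would be noisy in a large estate; the value is in seeing them together on one host within a short window, which matches the sequence the analysis describes (task creation, the task's binary running, then the folder being hidden).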

Conclusions

It is sad to see that those behind these attacks are abusing a worldwide critical situation to steal people’s information and earnings.

We at “TRIOX – Intelligent Security” are here to help our customers with our DFIR (Digital Forensics – Incident Response) and remediation services, bringing our knowledge from both the red and the blue points of view.

Indicators of Compromise

IP Addresses:

99.86.3.78
99.86.3.64
99.86.3.122
99.86.3.67
99.86.3.74
99.86.3.23
99.86.3.107
99.86.3.89
99.86.3.118
99.86.3.48
99.86.3.120
99.86.3.114
143.204.202.34
143.204.202.72
143.204.202.73
143.204.202.48
51.68.178.28:65233

DNS Queries:

coronavirusstatus.space
services9.arcgis.com
cdn.arcgis.com
basemaps.arcgis.com
Tiles.arcgis.com

Hashes
Corona-virus-Map.exe:

2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307

bin.exe:

fda64c0ac9be3d10c28035d12ac0f63d85bb0733e78fe634a51474c83d0a0df8

Corona.exe (1st):

0B3E7FAA3AD28853BB2B2EF188B310A67663A96544076CD71C32AC088F9AF74D

Corona.exe (2nd):

13C0165703482DD521E1C1185838A6A12ED5E980E7951A130444CF2FEED1102E

Corona.bat:

0CD1E499799E4D98F1CB76DF08FF7A7F441216FF713DFA97CB6691C68C962CF8

Corona.sfx.exe:

148520C746AEE00D7330E8C639A0BCD576C9A431ACB197E36F27529F5E897FB4

Windows.Globalization.Fontgroups.exe:

126569286F8A4CAEEABA372C0BDBA93A9B0639BEAAD9C250B8223F8ECC1E8040

Build.exe:

126569286f8a4caeeaba372c0bdba93a9b0639beaad9c250b8223f8ecc1e8040

Corona-virus-Map.com.exe:

203C7E843936469ECF0F5DEC989D690B0C770F803E46062AD0A9885A1105A2B8
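The indicators above can be turned directly into a check over DNS and connection logs and over file hashes. The following Python is an added example, not part of the original analysis: it matches constructed log lines against the C2 domain, the 51.68.178.28:65233 endpoint and the arcgis.com hosts, and compares SHA-256 digests against the hash list. The key=value log format and the log lines are constructed for this example. Two points reflect the analysis: the DNS query for coronavirusstatus.space is worth alerting on even when the answer is NXDOMAIN, since that is exactly the “No such name” response the researchers saw while the malware still ran; and the arcgis.com hosts are the public Esri map service that the decoy map loads, so they will also be seen on clean machines and are kept in a separate low-confidence set. Windows.Globalization.Fontgroups.exe and Build.exe share one hash, as listed above, so the set holds eight distinct values.

```python
import hashlib
import re

# Network indicators from the analysis. The C2 domain and the non-standard-port
# endpoint are high confidence; the arcgis.com hosts are the public Esri map
# service the decoy loads and are kept as a separate low-confidence set.
C2_DOMAINS = {"coronavirusstatus.space"}
C2_ENDPOINTS = {("51.68.178.28", 65233)}
DECOY_DOMAINS = {"services9.arcgis.com", "cdn.arcgis.com",
                 "basemaps.arcgis.com", "tiles.arcgis.com"}

# SHA-256 hashes of the dropped files, normalised to lowercase for comparison.
KNOWN_HASHES = {h.lower() for h in (
    "2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307",  # Corona-virus-Map.exe
    "fda64c0ac9be3d10c28035d12ac0f63d85bb0733e78fe634a51474c83d0a0df8",  # bin.exe
    "0B3E7FAA3AD28853BB2B2EF188B310A67663A96544076CD71C32AC088F9AF74D",  # Corona.exe (1st)
    "13C0165703482DD521E1C1185838A6A12ED5E980E7951A130444CF2FEED1102E",  # Corona.exe (2nd)
    "0CD1E499799E4D98F1CB76DF08FF7A7F441216FF713DFA97CB6691C68C962CF8",  # Corona.bat
    "148520C746AEE00D7330E8C639A0BCD576C9A431ACB197E36F27529F5E897FB4",  # Corona.sfx.exe
    "126569286F8A4CAEEABA372C0BDBA93A9B0639BEAAD9C250B8223F8ECC1E8040",  # Windows.Globalization.Fontgroups.exe / Build.exe
    "203C7E843936469ECF0F5DEC989D690B0C770F803E46062AD0A9885A1105A2B8",  # Corona-virus-Map.com.exe
)}

# Constructed sample log lines (not real telemetry) in an assumed key=value
# format: DNS-query lines and a connection line.
SAMPLE_LOGS = [
    "2020-03-10T09:12:01Z host=WS01 type=dns query=coronavirusstatus.space rcode=NXDOMAIN",
    "2020-03-10T09:12:03Z host=WS01 type=dns query=basemaps.arcgis.com rcode=NOERROR",
    "2020-03-10T09:12:05Z host=WS01 type=conn dst=51.68.178.28 dport=65233 proto=tcp",
    "2020-03-10T09:13:00Z host=WS02 type=dns query=www.example.com rcode=NOERROR",
]


def parse_kv(line):
    """Turn 'k=v k=v ...' fields into a dict; the leading timestamp is kept under 'ts'."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def classify_line(line):
    """Return 'c2', 'decoy' or None for one log line."""
    f = parse_kv(line)
    if f.get("type") == "dns":
        name = f.get("query", "").lower().rstrip(".")
        if name in C2_DOMAINS:
            return "c2"          # the query alone is the indicator, whatever the rcode
        if name in DECOY_DOMAINS:
            return "decoy"
    elif f.get("type") == "conn":
        try:
            if (f.get("dst"), int(f.get("dport", 0))) in C2_ENDPOINTS:
                return "c2"
        except ValueError:
            pass
    return None


def scan_logs(lines):
    """Return (host, verdict, line) for every line that matched an indicator."""
    hits = []
    for line in lines:
        verdict = classify_line(line)
        if verdict:
            hits.append((parse_kv(line).get("host"), verdict, line))
    return hits


def sha256_matches(data: bytes) -> bool:
    """True if the SHA-256 of the given bytes is one of the known sample hashes."""
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES


def sha256_file_matches(path) -> bool:
    """Hash a file from disk in chunks and compare against the known hashes."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() in KNOWN_HASHES


if __name__ == "__main__":
    for host, verdict, line in scan_logs(SAMPLE_LOGS):
        print(f"[{verdict}] {host}: {line}")
```

A "decoy" hit on its own means little, since the same arcgis.com lookups come from any legitimate visitor to a public COVID-19 map; a "c2" hit, or a "decoy" hit on a host that also shows one of the dropped-file hashes, is what should open a case.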


Contact us for more details about our advanced professional services: