Hackers Use Fake “Corona Antivirus” Software to Distribute Malware Backdoor

  • Security experts have reported two such sites where this software could be found.
  • It comes with bot management features including restarting and shutting down an infected device, updating bot client, and more.

Researchers have discovered sites that are exploiting the current COVID-19 pandemic to target computer systems using a fake "Corona Antivirus".

What happened?
A group of hackers was found promoting fake antivirus software to distribute a malware payload that infects systems with the BlackNET RAT and adds them to a botnet.

  • Security experts have reported two such sites where this software could be found: antivirus-covid19[.]site and corona-antivirus[.]com.
  • Upon reporting, the first site was taken down. The other one, however, remained active, with its contents altered and the malicious links removed.

A blurb from the site read, "Download our AI Corona Antivirus for the best possible protection against the Corona COVID-19 virus. Our scientists from Harvard University have been working on a special AI development to combat the virus using a mobile phone app."

The malware actors also mentioned an update about adding VR sync capabilities to their fake products. "We analyze the Coronavirus in our laboratory to keep the app always up to date! Soon a corona antivirus VR synchronization will be implemented!"

Anyone who fell for this would end up downloading an installer from antivirus-covid19[.]site/update.exe (the link is now down) that deploys the BlackNET malware onto their system when launched.
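As a defender-side illustration that is not part of the original article, the following Python script turns the two lure domains and the update.exe download URL named above into a small proxy-log checker; the log line format and the sample lines are constructed assumptions, not real traffic.

```python
from urllib.parse import urlparse

# Indicators named in the article, in the defanged form they were published in.
DEFANGED_IOCS = [
    "antivirus-covid19[.]site",
    "corona-antivirus[.]com",
    "antivirus-covid19[.]site/update.exe",
]

# Constructed sample proxy log lines; assumed format "<ts> <client_ip> <method> <url> <status>".
SAMPLE_LOG = [
    "2020-03-25T09:12:01Z 10.0.0.15 GET https://www.example.com/news/covid 200",
    "2020-03-25T09:14:07Z 10.0.0.15 GET http://corona-antivirus.com/ 200",
    "2020-03-25T09:14:39Z 10.0.0.15 GET http://antivirus-covid19.site/update.exe 200",
    "2020-03-25T09:15:02Z 10.0.0.22 GET https://cdn.antivirus-covid19.site/app.js 200",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

def split_iocs(defanged):
    """Return (domains, urls): bare domains, and (host, path) pairs for URL indicators."""
    domains, urls = set(), set()
    for ioc in map(refang, defanged):
        host, slash, path = ioc.partition("/")
        if slash:
            urls.add((host, slash + path))
        else:
            domains.add(host)
    return domains, urls

def scan_proxy_log(lines, defanged=DEFANGED_IOCS):
    """Return (line_no, reason) for each line whose URL touches an indicator; subdomains match too."""
    domains, urls = split_iocs(defanged)
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue                      # malformed line: skip rather than crash
        u = urlparse(parts[3].lower())
        host = u.hostname or ""
        if (host, u.path) in urls:        # exact payload URL beats a bare-domain match
            hits.append((n, f"payload download {host}{u.path}"))
        elif any(host == d or host.endswith("." + d) for d in domains):
            hits.append((n, f"contact with lure domain {host}"))
    return hits

if __name__ == "__main__":
    for line_no, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```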

How can BlackNET affect a system?
The BlackNET RAT was rated as 'skidware malware' by the researchers at MalwareHunterTeam.

  • It can detect whether it is running inside a virtual machine.
  • It can sense the presence of commonly used analysis tools.
  • It comes with bot management features including restarting and shutting down an infected device, opening visible or hidden web pages, and uninstalling or updating the bot client.

Malware’s infecting capabilities
Since BlackNET is programmed to add the infected device to a botnet, the actors can further take control of an infected system and use it for:

  • Launching DDoS attacks
  • Uploading files onto the compromised machine
  • Executing malicious scripts
  • Taking screenshots
  • Harvesting keystrokes using a built-in keylogger (also called LimeLogger)
  • Stealing bitcoin wallets
  • Harvesting browser cookies and passwords

Final thoughts
Top health and security organizations, including the World Health Organization (WHO), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Federal Trade Commission (FTC), have all released repeated warnings on how Coronavirus-themed phishing attacks have been targeting individuals, government agencies and health facilities in countries around the globe. Organizations need to be vigilant about such ongoing attack campaigns.