Researchers have yet again discovered sites that exploit the current COVID-19 pandemic to target computer systems, this time with a fraudulent “Corona Antivirus”.
A group of threat actors was found promoting the counterfeit antivirus software to distribute a malware payload that infects the system with the BlackNET RAT and enrolls it in a botnet.
• Two such sites hosting the software have been identified: antivirus-covid19(.)site and corona-antivirus(.)com
• After the discovery was reported, the first site was taken down; the second remained active, but with its content altered and the malicious links removed.
An announcement from the site read “Download our AI Corona Antivirus for the best possible protection against the COVID-19 virus. Our scientists from Harvard University have been working on a special AI development to combat the virus using a mobile phone app.”
The site also advertises an upcoming “VR sync” feature for the product, another fraudulent claim: “We analyze the Coronavirus in our laboratory to keep the app always up to date! Soon Coronavirus VR sync would be available”
Anyone who falls for this downloads an installer from antivirus-covid19(.)site/update.exe (link now down) which, when launched, deploys the BlackNET malware onto the system.
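The two domains and the update.exe URL above are the concrete indicators this write-up gives, and the first thing a defender wants is to check them against existing proxy and DNS telemetry. The script below is an added example for this page, not eScan's or the researchers' code: it re-fangs the indicators exactly as the article prints them, then scans log lines for the dropper URL (strong signal) and for bare contact with either domain (weaker signal), while refusing look-alike hosts such as a longer name that merely contains the domain. The log format and the sample lines are constructed for illustration and are assumptions, not real telemetry.

```python
"""Check proxy / DNS logs for the indicators named in this write-up.

Added example for this page (not eScan's or the researchers' code).  The
indicators are the two domains and the update.exe URL the article lists;
the log format and the sample lines below are constructed and assumed.
"""
import re

# Indicators exactly as the write-up defangs them.
DEFANGED_IOCS = [
    "antivirus-covid19(.)site",
    "corona-antivirus(.)com",
    "antivirus-covid19(.)site/update.exe",
]


def refang(ioc):
    """Turn defanging notation ("(.)", "[.]", "hxxp://") back into a live string."""
    live = ioc.strip().lower()
    for token in ("(.)", "[.]", "{.}"):
        live = live.replace(token, ".")
    live = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), live)
    return live


def defang(ioc):
    """Re-defang the host part of a hit so it can be pasted into a ticket safely."""
    host, sep, path = ioc.partition("/")
    return host.replace(".", "[.]") + sep + path


def split_indicators(defanged):
    """Separate host-only indicators from host+path (URL) indicators."""
    hosts, urls = set(), set()
    for ioc in defanged:
        live = re.sub(r"^https?://", "", refang(ioc))
        if "/" in live:
            urls.add(live)
            hosts.add(live.split("/", 1)[0])  # a URL hit implies its host too
        else:
            hosts.add(live)
    return hosts, urls


def host_pattern(host):
    # Match the host or a subdomain of it, but not "notcorona-antivirus.com"
    # or "corona-antivirus.com.evil.example" (longer names that contain it).
    return re.compile(r"(?<![\w-])" + re.escape(host) + r"(?![\w-]|\.\w)")


def scan_log(lines, defanged=DEFANGED_IOCS):
    """Return one hit per matching line: (line number, kind, defanged indicator)."""
    hosts, urls = split_indicators(defanged)
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.lower()
        # The dropper URL is the stronger signal; report it before a plain host hit.
        url_hit = next((u for u in sorted(urls) if u in line), None)
        if url_hit:
            hits.append((lineno, "dropper-download", defang(url_hit)))
            continue
        host_hit = next((h for h in sorted(hosts) if host_pattern(h).search(line)), None)
        if host_hit:
            hits.append((lineno, "domain-contact", defang(host_hit)))
    return hits


# Constructed sample lines (assumption: a proxy access log mixed with a DNS query log).
SAMPLE_LOG = """\
1585000001.123 ws-12 GET http://antivirus-covid19.site/update.exe 200 application/x-dosexec
1585000002.456 ws-07 GET https://www.example.com/index.html 200 text/html
1585000003.789 dns ws-12 query A corona-antivirus.com
1585000004.012 ws-03 GET http://notcorona-antivirus.com.example.net/ 200 text/html
1585000005.345 dns ws-09 query A corona-antivirus.com.evil.example
""".splitlines()

if __name__ == "__main__":
    for lineno, kind, ioc in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {ioc}")
```

On the sample above only lines 1 and 3 are reported: line 1 as a download of the dropper from antivirus-covid19(.)site, line 3 as a DNS lookup of corona-antivirus(.)com. Lines 4 and 5 are deliberately look-alike hosts and produce no hit. A host that matches the dropper URL should be treated as an infection rather than a mere visit, since the page says launching update.exe is what deploys BlackNET.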
How can BlackNET affect a system?
A team of researchers has rated the BlackNET RAT as “skidware”, that is, low-skill malware assembled from readily available code. Even so, it has some evasion and control features:
• It can detect whether it is running inside a virtual machine (a VM check)
• It can detect commonly used analysis tools
• It includes a bot management feature that can restart or shut down an infected device, open visible or hidden web pages, and uninstall or update the bot client.
The malware's capabilities once it has infected a system
Because BlackNET adds the infected device to a botnet, the actors can take control of the system and use it for the following:
• Launching DDoS attacks
• Uploading files or other malicious content to the infected machine
• Executing malicious scripts
• Taking screenshots
• Harvesting keystrokes with a built-in keylogger (also known as LimeLogger)
• Stealing Bitcoin wallets
• Harvesting browser passwords and cookies
Top health organizations, including the WHO (World Health Organization), along with government bodies around the world have issued warnings about coronavirus-themed phishing attacks targeting individuals, governments and health facilities. Organizations and individuals need to remain vigilant about such ongoing campaigns; at a minimum, the two domains named above should be blocked, and any machine that downloaded update.exe from them should be treated as compromised rather than merely exposed.
To read more, please check eScan Blog