Last week, security experts from MalwareHunterTeam detected new ransomware, dubbed CoronaVirus, being distributed through a malicious web site that advertised legitimate system optimization software and utilities from WiseCleaner.
In this campaign, crooks are exploiting the interest in the Coronavirus (COVID-19) outbreak to deliver two pieces of malware: the CoronaVirus Ransomware and the Kpot information-stealing Trojan.
According to MalwareHunterTeam researchers, the ransomware may actually be a wiper.
Upon execution, the executable will attempt to download several files from a remote web site; at the time of the analysis, only a few of them were available. One of these files is ‘file1.exe’, which is the
KPOT Stealer is a “stealer” malware that focuses on exfiltrating account information and other data from web browsers, instant messengers, email, VPN, RDP, FTP, cryptocurrency, and gaming software.
The malware can also take a screenshot of the active desktop and target wallets stored on the computer.
The second file downloaded by the initial dropper, ‘file2.exe’, is the
The filenames of the encrypted files will be changed to the attacker’s email address (e.g. test.jpg will be
The ransomware drops a ransom note named CoronaVirus.txt in any folder that contains encrypted files, and on the desktop.
The operators demand 0.008 bitcoins (~$50) to decrypt the data; the operators used the bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk00xa3j
The ransomware also renames the C: drive to
“Based on the low ransom amount, static
Additional technical details are reported in the analysis published by BleepingComputer.