The Health Sector Cybersecurity Coordination Center (HC3) has published a new alert. Please distribute through your proper channels, as appropriate.
A malicious website (corona-virus-map[dot]com) posing as the live map for Coronavirus COVID-19 Global Cases by Johns Hopkins University is circulating on the internet. Visiting the website infects the user with the AZORult trojan, an information-stealing program that can exfiltrate a variety of sensitive data. It is likely being spread via infected email attachments, malicious online advertisements, and social engineering. Furthermore, anyone searching the internet for a coronavirus map could unwittingly navigate to this malicious website.
Threat Details
A sample of the malware deployed by “corona-virus-map[dot]com” was submitted for analysis and received a threat score of 100/100 (extremely malicious), with antivirus detection at 76%. Hybrid-Analysis labeled this sample a Trojan.
Recommendations
End users should be warned about this cybersecurity risk, and security teams should blacklist any indicators associated with this specific threat. Indicators of compromise and analysis may be found here: https://blog.reasonsecurity.com/2020/03/09/covid-19-info-stealer-the-map-of-threats-threat-analysis-report/
Please contact COVID-19@cynergistek.com if you have any questions or concerns on how this could affect you.