According to bleepingcomputer, a new ransomware called CoronaVirus has been distributed through a fake web site pretending to promote the system optimization software and utilities from WiseCleaner.

With the increasing fears and anxiety of the Coronavirus (COVID-19) outbreak, an attacker has started to build a campaign to distribute a malware cocktail consisting of the CoronaVirus Ransomware and the Kpot information-stealing Trojan.

This new ransomware was discovered by MalwareHunterTeam and after further digging into the source of the file, BleepingComputer team have been able to determine how the threat actor plans on distributing the ransomware and possible clues that indicate it may be a wiper instead.

The downloads on this site are not active but have distributed a file called WSHSetup.exe that currently acts as a downloader for both the CoronaVirus Ransomware and a password-stealing Trojan called Kpot.

When the program is executed, it will attempt to download a variety of files from a remote web site. Currently, only the file1.exe and file2.exe are available for download, but you can see that it attempts to download a total of seven files.

The first file downloaded by the installer is ‘file1.exe’ and is the Kpot password-stealing Trojan.

When executed, it will attempt to steal cookies and login credentials from web browsers, messaging programs, VPNs, FTP, email accounts, gaming accounts such as Steam and Battle.net, and other services. The malware will also take a screenshot of the active desktop and attempt to steal cryptocurrency wallets stored on the infected computer.

This information is then uploaded to a remote site operated by the attackers. The second file, file2.exe, is the CoronaVirus Ransomware, which will be used to encrypt the files on the computer. When encrypting files, it will only target files that contain the following extensions:

READ
3.1 Million External Attacks On Cloud User Accounts In Q4 2020 - McAfee
.bak, .bat, .doc, .jpg, .jpe, .txt, .tex, .dbf, .xls, .cry, .xml, .vsd, .pdf, .csv, .bmp, .tif, .tax, .gif, .gbr, .png, .mdb, .mdf, .sdf, .dwg, .dxf, .dgn, .stl, .gho, .ppt, .acc, .vpd, .odt, .ods, .rar, .zip, .cpp, .pas, .asm, .rtf, .lic, .avi, .mov, .vbs, .erf, .epf, .mxl, .cfu, .mht, .bak, .old

Files that are encrypted will be renamed so that it continues to use the same extension, but the file name will be changed to the attacker’s email address. For example, test.jpg would be encrypted and renamed to ‘[email protected]___1.jpg’. In some cases, like below, it may prepend the email address multiple times to the file name.

In each folder that is encrypted and on the desktop, a ransom note named CoronaVirus.txt will be created that demands 0.008 (~$50) bitcoins to a hardcoded bitcoin address of bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk00xa3j, which has not received any payments as of yet.

CoronaVirus Ransom Note
CoronaVirus Ransom Note

The ransomware will also rename the C: drive to CoronaVirus as shown below, which adds nothing other than the attacker trolling the victims.

Renamed C: Drive to Troll victim
Renamed C: Drive to Troll victim

On reboot, the ransomware will display a lock screen displaying the same text from the ransom note before Windows is loaded as seen below.

CoronaVirus Ransomware MBRLocker component
CoronaVirus Ransomware MBRLocker component

Head of SentinelLabs Vitali Kremez told BleepingComputer that this is being displayed through a modification of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager “BootExecute” Registry value that launches an executable from the %Temp% folder before loading any Windows services on boot.

Modified BootExecute Key
Modified BootExecute Key

After 45 minutes, the lock screen will switch to a slightly different message. You are still unable to enter any code, though, to get back into the system.

READ
Facebook Spent $23 Million On Mark Zuckerberg's Security In 2020
Changed MBRLocker screen
Changed MBRLocker screen

After 15 minutes, it boots back into Windows and upon login will display the CoronaVirus.txt ransom note. This is a strange ransomware and is still being analyzed for weaknesses. Based on the low ransom amount, static bitcoin address, and political message, it is strongly suspected that this ransomware is being used more as a cover for the Kpot infection rather than to generate actual ransom payments.

BleepingComputer’s theory is that the ransomware component is being used to distract the user from realizing that the Kpot information-stealing Trojan was also installed to steal passwords, cookies, and cryptocurrency wallets.

Anyone who has been infected with this attack should immediately use another computer to change all of their online passwords as they have now been compromised by the Kpot info-stealer.