Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Attackers use a new CoronaVirus Ransomware to cover Kpot Infostealer infections

Coronavirus-themed attacks continue to increase, experts observed new Coronavirus ransomware that acts as a cover for Kpot Infostealer. Last week, security experts from MalwareHunterTeam detected new ransomware dubbed CoronaVirus has been distributed through a malicious web site that was advertising a legitimate system optimization software and utilities from WiseCleaner. In this campaign, crooks are exploiting the interest […]

Coronavirus ransomware

Coronavirus-themed attacks continue to increase, experts observed new Coronavirus ransomware that acts as a cover for Kpot Infostealer.

Last week, security experts from MalwareHunterTeam detected new ransomware dubbed CoronaVirus has been distributed through a malicious web site that was advertising a legitimate system optimization software and utilities from WiseCleaner.

In this campaign, crooks are exploiting the interest in the Coronavirus (COVID-19) outbreak to deliver a couple of malware, the CoronaVirus Ransomware and the Kpot information-stealing Trojan.

According to MalwareHunterTeam researchers, the ransomware may actually be a wiper.

The website was distributing a file named WSHSetup.exe, it is the downloader for both the CoronaVirus Ransomware and the Kpot password-stealer.

Upon execution, the executable will attempt to download several files from a remote web site, at the time of the analysis, only a few of them were available. One of these files is, ‘file1.exe,’ which is the Kpot password-stealing Trojan.

KPOT Stealer is a “stealer” malware that focuses on exfiltrating account information and other data from web browsers, instant messengers, email, VPN, RDP, FTP, cryptocurrency, and gaming software.

The malware is also able to take a screenshot of the active desktop and also target wallets stored on the computer.

The second file downloaded by the initial dropper is ‘file2.exe’, is the CoronaVirus Ransomware, it is able to target a broad range of files.

The filename of the encrypted files will be changed to the attacker’s email address (i.e. test.jpg will be enamed to ‘coronaVi2022@protonmail.ch___1.jpg‘).

The ransomware drops in any folder that contain encrypted files, and on the desktop, a ransom note named CoronaVirus.txt.

Operators demand 0.008 (~$50) bitcoins to decrypt the data, the operators used the bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk00xa3j bitcoin wallet that has yet to receive any payment.

The ransomware also renames the C: drive to CoronaVirus, and on reboot, it displays a lock screen with the ransom note.

“Based on the low ransom amount, static bitcoin address, and political message, it is strongly suspected that this ransomware is being used more as a cover for the Kpot infection rather than to generate actual ransom payments.” reads the analysis published by BleepingComputer.

BleepingComputer’s theory is that the ransomware component is being used to distract the user from realizing that the Kpot information-stealing Trojan was also installed to steal passwords, cookies, and cryptocurrency wallets.”

Additional technical details are reported in the analysis published by BleepingComputer.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – CoronaVirus ransomware, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]