Coronavirus map used to spread malware

Careful folks – don’t get infected.

Graham Cluley @gcluley

Coronavirus map used to spread malware

Updated With concern about the Covid-19 Coronavirus reaching fever pitch in many countries, many people may be keen to find information online about whether there is an outbreak in their country, and how it compares to the rest of the world.

Well, be careful about which websites you trust.

Not only because there may well be misinformation out there, but also because there might also be malware.

Email Sign up to our newsletterSign up to Graham Cluley’s newsletter - "GCHQ"
Security news, advice, and tips.

Security researchers at Malwarebytes say that they have found malicious code hiding behind a website that claimed to show an up-to-date global heatmap of Coronavirus reports.

Coronavirus website
Coronavirus map website containing malicious code. Source: Malwarebytes

Malwarebytes is identifying the malicious code, which skims for passwords and payment card details, as a variant of the AzorUlt spyware. The malicious site appears to have copied the look-and-feel of a legitimate Coronavirus map from Johns Hopkins University.

So far the researchers have not seen any indication that the website containing the malicious code has been promoted through an email campaign, suggesting that perhaps those behind it were hoping users would stumble upon it while scouring the web for information.

The World Health Organisation (WHO) is publishing information on its website about the Covid-19 Coronavirus outbreak.

Update 10 March 2019: Researchers at PC Risk have shared some more details about the threat which expand upon the original Malwarebytes blog:

Contrary to its name, Corona-Virus-Map.com is not an address of a website, it is the name of a malicious program. It is classified as a trojan, or more specifically a “backdoor” trojan. This type of malware is designed to cause chain infections, in other words – to stealthily download/install additional malicious programs. Corona-Virus-Map.com is presented as a piece of software allowing users to view the progress/spread of the Corona virus epidemic in real time. Instead, this trojan proliferates the AZORult malware.

Be careful what programs you install and run on your computers folks… or you might be putting yourself at risk of a nasty infection.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

12 Replies to “Coronavirus map used to spread malware”

  1. Incomplete. Are you saying this is not a website from Johns Hopkins or that Johns Hopkins is distributing malware intentionally. Many articles are promoting this site as a legit COVID dashboard.

    1. From the look of the screenshot, the website that Malwarebytes is warning about is at corona-virus-map [dot] com. That domain was registered at the beginning of February 2020 via GoDaddy, and is set up to use nameservers based in Russia.

      The Johns Hopkins map can be viewed online at https://www.arcgis.com/apps/opsdashboard/index.html#/bda7594740fd40299423467b48e9ecf6

      My assumption is that the dodgy site is scraping information from the Johns Hopkins map.

        1. It's almost like the information was summarized in the screenshot and paragraph following it… :D

    2. The article outright states that it appears to be copying the look and feel of John Hopkins hoping people would find it and think it legit.

  2. There's some misconception of what's happening here.

    The malware is not itself a website. It's a console app installed via an executable. It does two things:

    A. Launches a webbrowser control that points to the (legitimate) Johns Hopkins Corona Virus Dashboard

    B. Then, using the Dashboard as a decoy, it installs malware and reports back to a C&C server.

    //Don't run executables from untrusted sources

  3. Is https://www.arcgis.com/apps/opsdashboard/index.html#/bda7594740fd40299423467b48e9ecf6 the BAD URL???

  4. Not sure how this is a hard concept to grasp… stop playing the guessing game with random links and just go directly to the Johns Hopkins University website (https://www.jhu.edu/). There you will find multiple banners and links directing you to the real "map".

    1. You're ignoring something critical here. Actually three things.

      (1) Humans are irrational at the best of times.

      (2) People are panicking and fear – just like hate, anger and love – make the brain stop working properly.

      (3) Desperation might as well also be added to that list of things. When desperate people do not reason things through as much as they might otherwise.

      Make that four things.

      Many people are not very good in emergencies and this is EXACTLY the psychology behind this campaign. It's not surprising at all. What is surprising is there isn't more of it. What would be even more surprising is if there was none of this. This is classical and very basic psychology at play.

      So in short it's not nearly as simple as you make it. Unfortunately.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.