Infection risk on the net – Corona malware, part 2: Upcycling old hats


Since the beginning of the corona pandemic, cyber gangsters have been trying to benefit from the current situation in a variety of ways. They are not always particularly creative or sophisticated. Instead, many of them seem to believe that certain buzzwords in ransomware blackmail messages, for example, are enough to increase their victims’ fear – and thus increase their willingness to pay ransom money.

We took a closer look at some of these old hats, revamped with corona allusions.

A new ransomware family with the unimaginative name Corona Virus makes use of various allusions to the virus. For example, it renames drives to “CoronaVirus” after encryption, prefixes the names of encrypted files with “[email protected]” and announces in its ransom note (CoronaVirus.txt): “CORONAVIRUS is there”. The encryption appears to be implemented soundly, so that victims cannot get their data back without a backup.

It is unclear whether the makers expect higher incoming payments due to the “shock effect” or simply have a very strange sense of humor. Their ransomware, which according to an analysis by the team at is based on code from 2016, brings no other innovations worth mentioning. Until recently it was, ironically, distributed via a copy of the website of the data recovery tool “Wise Data Recovery”, using the top-level domain “.best” instead of “.com”. Since that site is no longer accessible, the distribution channel may have changed.

Those affected will find further details about the malware in that analysis; the family has, incidentally, already been added to the ransomware identification service ID Ransomware.

The file descriptions of current Emotet and Trickbot samples contain text strings from coronavirus news.

(Image: Bleeping Computer)

According to observations by the security researchers of Malware Hunter and the IT news website Bleeping Computer, the notorious (Windows) malware trio of Emotet, Trickbot and the ransomware Ryuk use corona news for the opposite effect: not to alarm, but to distract, using text strings taken from news articles. The malware developers place the strings in the file description of the EXE files, probably with the aim of “confusing” machine learning-based malware detection mechanisms that evaluate static file information.
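The defender-side counterpart of the trick described above is to treat the version-info strings of a PE file as a signal of their own. The following added example (not code from the article or from any of the vendors it names) takes the `FileDescription`, `ProductName` and `Comments` values as a PE parser would hand them over and scores whether they look like product naming or like pasted prose: legitimate descriptions are a few words with no sentence structure, while news text is long, contains full sentences and is dense in function words. The sample descriptions are constructed for illustration and are not taken from real samples; the thresholds are assumptions to be tuned against your own software inventory.

```python
import re
from dataclasses import dataclass, field

# Constructed sample version-info strings, as a PE parser would yield them.
SAMPLES = {
    "benign_short": {"FileDescription": "Windows Calculator"},
    "benign_vendor": {"FileDescription": "Wise Data Recovery Application",
                      "ProductName": "Wise Data Recovery"},
    "news_like": {"FileDescription": (
        "Health officials said on Tuesday that the number of confirmed "
        "coronavirus cases had risen sharply, urging citizens to stay home. "
        "Schools will remain closed until further notice.")},
}

# Version-info keys that attackers have room to stuff with arbitrary text.
TEXT_KEYS = ("FileDescription", "ProductName", "Comments")

# English function words: product names rarely contain them, prose is full of them.
FUNCTION_WORDS = {"the", "a", "an", "and", "of", "to", "in", "on", "that", "is",
                  "are", "was", "were", "said", "has", "have", "had", "will",
                  "for", "with"}


@dataclass
class DescriptionVerdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def score_text(text: str, max_words: int = 8, func_ratio: float = 0.2) -> DescriptionVerdict:
    """Flag a version-info string that reads like prose rather than a product name.

    Three independent signals are computed; two or more make the string suspicious,
    so a single long but legitimate product description does not trip the check.
    """
    reasons = []
    words = re.findall(r"[A-Za-z']+", text)
    # Signal 1: far more words than a product description needs.
    if len(words) > max_words:
        reasons.append(f"{len(words)} words (threshold {max_words})")
    # Signal 2: sentence terminators followed by whitespace or end of string.
    sentences = re.findall(r"[.!?](?:\s|$)", text)
    if sentences:
        reasons.append(f"{len(sentences)} sentence terminator(s)")
    # Signal 3: high share of function words, typical of running text.
    if words:
        ratio = sum(w.lower() in FUNCTION_WORDS for w in words) / len(words)
        if ratio > func_ratio:
            reasons.append(f"function-word ratio {ratio:.2f} (threshold {func_ratio})")
    return DescriptionVerdict(suspicious=len(reasons) >= 2, reasons=reasons)


def scan_version_info(strings: dict) -> dict:
    """Score every free-text version-info key present; returns {key: verdict}."""
    return {key: score_text(strings[key]) for key in TEXT_KEYS if key in strings}


def any_suspicious(strings: dict) -> bool:
    """Convenience wrapper for a triage pipeline: True if any key looks like prose."""
    return any(v.suspicious for v in scan_version_info(strings).values())


if __name__ == "__main__":
    for name, info in SAMPLES.items():
        for key, verdict in scan_version_info(info).items():
            flag = "SUSPICIOUS" if verdict.suspicious else "ok"
            print(f"{name:14s} {key:16s} {flag:10s} {'; '.join(verdict.reasons)}")
```

In practice the `strings` dictionary would be filled from the `StringFileInfo` block of the executable's version resource; the heuristic is meant as one feature among many for hunting, not as a standalone classifier, since benign installers occasionally carry verbose descriptions too.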

Basically, this is also old hat: the Malware Hunter team had already pointed out in February that the text strings were being adjusted accordingly. Until then the malicious code developers had apparently used text strings from reports on the impeachment proceedings against Trump; the malware is now simply up to date again.


