Monday, January 25, 13:56
Home security The new CoronaVirus Ransomware acts as a cover for the Kpot Trojan

The new CoronaVirus Ransomware acts as a cover for the Kpot Trojan

A new ransomware called CoronaVirus has been distributed through a fake website pretending to promote WiseCleaner system optimization software.

With growing fears and concern over the coronavirus (Corovavirus-COVID-19) epidemic, an attacker has launched a campaign to distribute a cocktail of malware consisting of CoronaVirus Ransomware and Kpot Trojan.

This new ransomware was discovered by MalwareHunterTeam and after further examination at the source of the file, it was determined how the malware plans to distribute the ransomware and possible indications that it may in fact be a wiper.

CoronaVirus Ransomware spread through the fake WiseCleaner website

To distribute the malware, the intruders created a website that mimics the legitimate website of

CoronaVirus RansomwareDussman Group-leak data-ransomware attack

Downloads on this website are not active, but they have distributed a file called WSHSetup.exe that works as a downloader for both CoronaVirus Ransomware and Trojan called Kpot.

When the program runs, it will try to download various files from a remote website. Currently, only file1.exe and file2.exe are available for download, but you can see that it is trying to download a total of seven files.

The first file downloaded by the installer is 'file1.exe' and it is the Trojan that steals the Kpot password.

When executed, it will attempt to steal them cookies and login credentials from web browsers, messaging, VPN, FTP, email accounts, game accounts such as Steam and and other services. The malware will also take a screenshot of the active desktop and try to steal wallets cryptocurrency stored on the infected computer.

This information is then uploaded to a remote site managed by the intruders.

The second file, file2.exe, is CoronaVirus Ransomware, which will be used to encrypt the files in computer.

Encrypted files will be renamed so that they continue to use the same extension, but the file name will change to the attacker's email. For example, test.jpg will be encrypted and renamed to 'coronaVi2022@protonmail.ch___1.jpg'.

In some cases, as below, email may default to the file name multiple times.

In every folder that is encrypted and on the desktop, a ransom note called CoronaVirus.txt will be created that requires 0.008 (~ $ 50) bitcoins at a hardcoded bitcoin address of bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk00xa3j, which has not received any payments yet.

The ransomware will also rename C: Drive to CoronaVirus.

On reboot, ransomware will display a lock screen that displays the same ransom note text before Windows loads.

SentinelLabs CEO Vitali Kremez told BleepingComputer that this appears through a modification of the "BootExecute" Manager HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Session that starts an executable from the% Temp% service before loading any Windows at startup.

After 45 minutes, the lock screen will display a slightly different message. However, you still cannot enter any code to return to system.

After 15 minutes, it restarts Windows and when it logs on it will display the ransom note CoronaVirus.txt.

This is a strange ransomware and is still being analyzed for weaknesses.

Given the low amount of ransom, static bitcoin address and message, there is a strong suspicion that this ransomware is used more as a cover for Kpot infection rather than to accumulate money.

BleepingComputer's theory is that ransomware is used to distract the user from realizing that the Kpot Trojan is installed to steal passwords, cookies and cryptocurrency wallets.

Anyone infected with this attack should immediately use another computer to immediately change all passwords.


Please enter your comment!
Please enter your name here

Teo Ehc
Teo Ehc
Be the limited edition.


Sony may resurrect the Xperia Compact to compete with Apple

Have you seen the iPhone 12 mini and wish there was an Android equivalent to this small but powerful smartphone? Can the desire ...

Artificial intelligence (AI) may one day be used against us

AI algorithms offer us the news we read, the ads we see, and in some cases even drive cars ...

Intel: Internal error caused data leak

The famous computer chip manufacturer, Intel Corp., confirmed that an internal error resulted in a data leak, which ...

SonicWall: Violated via zero-day vulnerability in its VPN products

SonicWall warns its customers about the exploitation of a zero-day vulnerability in its VPN products by cyber criminals. According...

CCTV camera technician spying on users' private moments

A CCTV camera technician from Texas, confessed that he had illegal access to the security cameras of hundreds of families and was monitoring their private ...

Criminals share illegal content via Google Drive

Google Drive is one of the most popular cloud-based storage and synchronization services, which allows users to store various ...

MeetMindful: Data leak of 2,28 million users

As revealed by a security researcher, a famous hacker leaked personal information of more than 2,28 million users who are registered on the dating site ...

How to find your orders in the Amazon app

If you frequently use the Amazon app to buy items, you may find it convenient to see a list of all ...

Automatically move Gmail messages to a different tab

Often the emails we receive can fill our inbox, especially if we use our e-mail for business purposes ....

Google: How to view and delete the data it collects for you

There are some companies that people do not seem to trust much - one of them is Google. The reason...