A new ransomware called CoronaVirus has been distributed through a fake website pretending to promote WiseCleaner system optimization software.
With growing fears and concern over the coronavirus (COVID-19) epidemic, an attacker has launched a campaign to distribute a cocktail of malware consisting of the CoronaVirus Ransomware and the Kpot Trojan.
This new ransomware was discovered by MalwareHunterTeam, and after further examination of the file's source, it was determined how the attackers plan to distribute the ransomware, along with possible indications that it may in fact be a wiper.
CoronaVirus Ransomware spread through the fake WiseCleaner website
To distribute the malware, the intruders created a website that mimics the legitimate website of WiseCleaner.com.
Downloads on this website are not active, but it has been distributing a file called WSHSetup.exe that acts as a downloader for both the CoronaVirus Ransomware and a Trojan called Kpot.
When the program runs, it will try to download various files from a remote website. Currently, only file1.exe and file2.exe are available for download, but you can see that it is trying to download a total of seven files.
The first file downloaded by the installer is 'file1.exe', which is the Kpot password-stealing Trojan.
When executed, it will attempt to steal cookies and login credentials from web browsers, messaging clients, VPN, FTP and email accounts, game accounts such as Steam and Battle.net, and other services. The malware will also take a screenshot of the active desktop and try to steal cryptocurrency wallets stored on the infected computer.
This information is then uploaded to a remote site managed by the intruders.
The second file, file2.exe, is the CoronaVirus Ransomware, which is used to encrypt the files on the computer.
Encrypted files keep their original extension, but the file name is replaced with the attacker's email address. For example, test.jpg will be encrypted and renamed to 'coronaVi2022@protonmail.ch___1.jpg'.
In some cases, as shown below, the email address may be added to the file name multiple times.
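The renaming scheme above is easy to recognize, which makes it useful for triage: a responder can sweep a directory listing and tell which files were touched and whether the ransom note is present. The following is an added example, not code from the article or from the malware; the email address comes from the article's rename example, while the repeated-prefix form and the treatment of the number as a per-file counter are assumptions drawn from the description rather than from an analysed sample.

```python
import re
from typing import Dict, Iterable, List, Optional

# Email address from the article's rename example (test.jpg -> coronaVi2022@protonmail.ch___1.jpg).
RANSOM_EMAIL = "coronaVi2022@protonmail.ch"
RANSOM_NOTE = "CoronaVirus.txt"

# Assumption: one or more "<email>___" prefixes, a numeric counter, then the
# preserved original extension. The repeated prefix models the "multiple times"
# case the article mentions; the exact on-disk form was not confirmed here.
_RENAME_PATTERN = re.compile(
    r"^(?P<prefixes>(?:" + re.escape(RANSOM_EMAIL) + r"___)+)"
    r"(?P<counter>\d+)\.(?P<ext>[^.]+)$"
)


def parse_encrypted_name(filename: str) -> Optional[Dict[str, object]]:
    """Return details if the file name matches the rename scheme, otherwise None."""
    m = _RENAME_PATTERN.match(filename)
    if not m:
        return None
    return {
        "email": RANSOM_EMAIL,
        # Number of times the email prefix was stacked onto the name.
        "repeats": m.group("prefixes").count("___"),
        "counter": int(m.group("counter")),
        # Original extension survives the rename, so the file type is still known.
        "ext": m.group("ext"),
    }


def assess_listing(names: Iterable[str]) -> Dict[str, object]:
    """Summarize a directory listing: renamed files, their types, and note presence."""
    flagged: List[str] = []
    extensions = set()
    note_present = False
    for name in names:
        if name == RANSOM_NOTE:
            note_present = True
            continue
        info = parse_encrypted_name(name)
        if info is not None:
            flagged.append(name)
            extensions.add(str(info["ext"]))
    return {
        "encrypted_count": len(flagged),
        "encrypted_files": flagged,
        "extensions": extensions,
        "ransom_note_present": note_present,
    }


# Constructed sample listing for demonstration; not taken from a real infection.
SAMPLE_LISTING = [
    "coronaVi2022@protonmail.ch___1.jpg",
    "coronaVi2022@protonmail.ch___2.docx",
    "coronaVi2022@protonmail.ch___coronaVi2022@protonmail.ch___3.xlsx",
    "CoronaVirus.txt",
    "holiday.png",
    "notes.txt",
]

if __name__ == "__main__":
    summary = assess_listing(SAMPLE_LISTING)
    print(f"encrypted files: {summary['encrypted_count']}")
    print(f"affected types: {sorted(summary['extensions'])}")
    print(f"ransom note present: {summary['ransom_note_present']}")
```

Because the extension is preserved, the summary also tells a responder which file types were hit, which is the first thing needed when deciding what to restore from backup.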
In every folder that is encrypted, and on the desktop, a ransom note called CoronaVirus.txt will be created that demands 0.008 bitcoins (~$50) at a hardcoded bitcoin address of bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk00xa3j, which has not received any payments yet.
The ransomware will also rename the C: drive to CoronaVirus.
On reboot, the ransomware will display a lock screen showing the same ransom note text before Windows loads.
SentinelLabs chief Vitali Kremez told BleepingComputer that this is shown through a modification of the "BootExecute" value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager, which starts an executable from the %Temp% folder before Windows loads at startup.
After 45 minutes, the lock screen will display a slightly different message. However, you still cannot enter any code to return to the system.
After 15 minutes, Windows restarts and displays the ransom note CoronaVirus.txt.
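The BootExecute value described above is a legitimate Windows mechanism (it normally runs the disk checker before the Win32 subsystem starts), so the defensive check is not "is it set" but "does it contain anything other than the expected autocheck entry, and does anything in it point at a user-writable location such as %Temp%". The following is an added example for auditing that value, not code from the article, from SentinelLabs or from BleepingComputer; the registry path and value name are the ones named in the article, the sample entries are constructed, and the executable name in the tampered sample is a placeholder rather than the real file name, which the article does not give.

```python
import re
import sys
from typing import List, Optional, Tuple

# Key and value named in the article (BootExecute is REG_MULTI_SZ).
SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
BOOT_EXECUTE_VALUE = "BootExecute"

# Stock entries start with "autocheck autochk" (a scheduled chkdsk adds
# flags and a volume, e.g. "autocheck autochk /p \??\C:", so match the prefix).
_EXPECTED_PREFIX = "autocheck autochk"

# Locations no boot-time native program should be launched from.
_SUSPICIOUS_LOCATION = re.compile(
    r"%temp%|%tmp%|\\temp\\|\\appdata\\|\\users\\|\\programdata\\",
    re.IGNORECASE,
)


def audit_boot_execute(entries: List[str]) -> List[Tuple[str, str]]:
    """Return (entry, reason) for every BootExecute entry that deviates from stock."""
    findings: List[Tuple[str, str]] = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        if entry.lower().startswith(_EXPECTED_PREFIX):
            continue  # normal disk-check entry
        if _SUSPICIOUS_LOCATION.search(entry):
            findings.append((entry, "launched from a temp or user-writable location"))
        else:
            findings.append((entry, "non-default BootExecute entry"))
    return findings


def read_live_boot_execute() -> Optional[List[str]]:
    """Read the live value on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
        value, value_type = winreg.QueryValueEx(key, BOOT_EXECUTE_VALUE)
    if value_type != winreg.REG_MULTI_SZ:
        # A non-multi-string type is itself abnormal; wrap it so the audit still runs.
        return [str(value)]
    return list(value)


# Constructed samples. The executable name below is a placeholder, not the
# real file dropped by the malware (the article does not name it).
CLEAN_SAMPLE = ["autocheck autochk *"]
TAMPERED_SAMPLE = ["autocheck autochk *", r"%Temp%\PLACEHOLDER_lockscreen.exe"]

if __name__ == "__main__":
    live = read_live_boot_execute()
    entries = live if live is not None else TAMPERED_SAMPLE
    source = "live registry" if live is not None else "constructed sample"
    print(f"Auditing BootExecute ({source}): {entries}")
    for entry, reason in audit_boot_execute(entries):
        print(f"  FLAG: {entry!r}: {reason}")
```

Run on a Windows host the script reads the real value; elsewhere it falls back to the constructed sample so the logic can still be exercised. Restoring the value to its stock content is a remediation step, but only after the dropped executable has been collected, since it is the artifact that ties the lock screen to the rest of the infection.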
This is a strange ransomware and is still being analyzed for weaknesses.
Given the low ransom amount, the static bitcoin address and the message, there is a strong suspicion that this ransomware is used more as a cover for the Kpot infection than to collect money.
BleepingComputer's theory is that the ransomware is used to distract the user from realizing that the Kpot Trojan has been installed to steal passwords, cookies and cryptocurrency wallets.
Anyone infected by this attack should immediately use another computer to change all of their passwords.