Tuesday, August 11, 20:14

The new CoronaVirus Ransomware acts as a cover for the Kpot Trojan

A new ransomware called CoronaVirus is being distributed through a fake website that pretends to offer the WiseCleaner system optimization software.

With growing fear and concern over the coronavirus (COVID-19) epidemic, an attacker has launched a campaign that distributes a malware cocktail consisting of the CoronaVirus ransomware and the Kpot Trojan.

The new ransomware was discovered by MalwareHunterTeam. Further examination of the file's source revealed how the attackers distribute it, along with indications that the ransomware may in fact be a wiper.

CoronaVirus Ransomware spread through the fake WiseCleaner website

To distribute the malware, the intruders created a website that mimics the legitimate website of WiseCleaner.com.


Most of the download links on this site are not active, but it has been distributing a file called WSHSetup.exe, which acts as a downloader for both the CoronaVirus ransomware and a Trojan called Kpot.

When run, the program attempts to download several files from a remote website. At the time of analysis only file1.exe and file2.exe were available, but the downloader tries to fetch a total of seven files.

The first file the installer downloads is 'file1.exe', which is the Kpot password-stealing Trojan.

When executed, it attempts to steal cookies and login credentials from web browsers, messaging clients, VPN and FTP clients, email accounts, game accounts such as Steam and Battle.net, and other services. The malware also takes a screenshot of the active desktop and tries to steal any cryptocurrency wallets stored on the infected computer.

This information is then uploaded to a remote site managed by the intruders.

The second file, file2.exe, is the CoronaVirus ransomware, which encrypts the files on the computer.

Encrypted files keep their original extension, but the file name itself is replaced with the attacker's email address followed by a counter. For example, test.jpg is encrypted and renamed to 'coronaVi2022@protonmail.ch___1.jpg'.

In some cases the email address is prepended to the file name more than once.

In every encrypted folder and on the desktop, a ransom note called CoronaVirus.txt is created. It demands 0.008 bitcoins (~$50) be sent to the hardcoded bitcoin address bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk00xa3j, which has not received any payments so far.

The ransomware also changes the volume label of the C: drive to CoronaVirus.

On reboot, the ransomware displays a lock screen containing the same ransom note text before Windows loads.

Vitali Kremez of SentinelLabs told BleepingComputer that this is done by modifying the "BootExecute" value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager, so that an executable placed in the %Temp% folder is started before Windows loads.
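The two artifacts described above, the renamed files and the modified BootExecute value, are what an incident responder would look for first on a suspect machine. The following triage helper is an added example and not code from the article or from BleepingComputer: it recognises the renaming pattern (email prepended one or more times, a counter, original extension kept) and flags BootExecute entries that deviate from the Windows default of "autocheck autochk *" or point into a Temp path. The sample file names and registry entries at the bottom are constructed for illustration; the Temp path shown is an assumption, not an indicator from the article.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Renaming pattern from the article: the attacker's email, then "___", repeated
# one or more times, then a counter, then the original extension.
RANSOM_EMAIL = "coronaVi2022@protonmail.ch"
_ENCRYPTED_NAME = re.compile(
    r"^(?:" + re.escape(RANSOM_EMAIL) + r"___)+(\d+)\.([^.\\/]+)$"
)

# Default content of the BootExecute REG_MULTI_SZ value on a clean Windows system.
DEFAULT_BOOTEXECUTE = "autocheck autochk *"


def classify_name(name: str) -> Optional[Tuple[int, int, str]]:
    """Return (times_email_prepended, counter, extension) if `name` matches the
    CoronaVirus renaming scheme, otherwise None. The original base name is not
    recoverable: the ransomware replaced it with a counter."""
    m = _ENCRYPTED_NAME.match(name)
    if not m:
        return None
    prepended = name.count(RANSOM_EMAIL + "___")
    return prepended, int(m.group(1)), m.group(2).lower()


def inventory(names: Iterable[str]) -> Dict[str, int]:
    """Count encrypted files per original extension, ignoring untouched files
    and the CoronaVirus.txt ransom note."""
    summary: Dict[str, int] = {}
    for n in names:
        hit = classify_name(n)
        if hit is None:
            continue
        ext = hit[2]
        summary[ext] = summary.get(ext, 0) + 1
    return summary


def suspicious_bootexecute(entries: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (entry, reason) for every BootExecute entry that is not the
    default, noting when it references a Temp directory (the persistence
    technique described in the article)."""
    flagged = []
    for entry in entries:
        norm = entry.strip().lower()
        if norm == DEFAULT_BOOTEXECUTE:
            continue
        reason = "non-default BootExecute entry"
        if "%temp%" in norm or "\\temp\\" in norm:
            reason += " referencing a Temp path"
        flagged.append((entry, reason))
    return flagged


def read_bootexecute() -> Optional[List[str]]:
    """Read the live BootExecute value on Windows; returns None elsewhere."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _type = winreg.QueryValueEx(key, "BootExecute")
    return list(value)


if __name__ == "__main__":
    # Constructed sample directory listing (not taken from a real infection).
    sample_files = [
        "coronaVi2022@protonmail.ch___1.jpg",
        "coronaVi2022@protonmail.ch___2.docx",
        "coronaVi2022@protonmail.ch___coronaVi2022@protonmail.ch___3.jpg",
        "CoronaVirus.txt",
        "untouched.txt",
    ]
    print("encrypted files by extension:", inventory(sample_files))

    # Constructed registry entries; the Temp path is an assumed example.
    live = read_bootexecute()
    sample_entries = live if live is not None else [
        DEFAULT_BOOTEXECUTE,
        r"C:\Users\victim\AppData\Local\Temp\locker.exe",
    ]
    for entry, reason in suspicious_bootexecute(sample_entries):
        print(f"FLAG: {entry!r}: {reason}")
```

On a Windows host the script reads the real BootExecute value; on any other platform it falls back to the constructed sample so the logic can still be exercised offline. Note that BootExecute entries are normally native (autochk-style) programs relative to system32, so any full path, and particularly one under a user's Temp directory, deserves a closer look.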

After 45 minutes the lock screen shows a slightly different message, but there is still no way to enter a code and return to the system.

After 15 minutes more it reboots Windows, and the CoronaVirus.txt ransom note is displayed.

This is an unusual ransomware, and it is still being analyzed for weaknesses.

Given the low ransom amount, the static bitcoin address and the wording of the note, there is a strong suspicion that this ransomware serves more as a cover for the Kpot infection than as a way to make money.

BleepingComputer's theory is that the ransomware is used to distract the victim so that they do not notice the Kpot Trojan has been installed to steal passwords, cookies and cryptocurrency wallets.

Anyone hit by this attack should immediately change all their passwords, and should do so from a different, uninfected computer.

Teo Ehc (https://www.secnews.gr)