March 12, 2020

Cybercriminals constantly latch on to news items that captivate the public’s attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the Coronavirus/COVID-19 pandemic in a bid to infect computers with malicious software.

A recent snapshot of the Johns Hopkins Coronavirus data map, available at coronavirus.jhu.edu.

In one scheme, an interactive dashboard of Coronavirus infections and deaths produced by Johns Hopkins University is being used in malicious Web sites (and possibly spam emails) to spread password-stealing malware.

Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme. The kit costs $200 if the buyer already has a Java code signing certificate, and $700 if the buyer wishes to just use the seller’s certificate.

“It loads [a] fully working online map of Corona Virus infected areas and other data,” the seller explains. “Map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!”

The sales thread claims the customer’s payload can be bundled with the Java-based map into a filename that most Webmail providers allow in sent messages. The seller claims in a demonstration video that Gmail also allows it, but the video shows Gmail still warns recipients that downloading the specific file type in question (obscured in the video) can be harmful. The seller says the user/victim has to have Java installed for the map and exploit to work, but that it will work even on fully patched versions of Java.

“Loader loads .jar files which has real working interactive Coronavirus realtime data map and a payload (can be a separate loader),” the seller said in the video. “Loader can predownload only map and payload will be loaded after the map is launched to show map faster to users. Or vice versa payload can be predownloaded and launched first.”

It’s unclear how many takers this seller has had, but earlier this week security experts began warning of new malicious Web sites being stood up that used interactive versions of the same map to distract visitors while the sites tried to foist the password-stealing AZORult malware.

As long as this pandemic remains front-page news, malware purveyors will continue to use it as lures to snare the unwary. Keep your guard up, and avoid opening attachments sent unbidden in emails — even if they appear to come from someone you know.

A tip of the hat to @holdsecurity for a heads up about this malware offering.


135 thoughts on “Live Coronavirus Map Used to Spread Malware

  1. Louis

    I see a date at mar 20th
    and its March 19th right now

  2. Sam Abd

    In the eyes of the world, we’re all different; in the eyes of the virus, we’re just the same.

  3. naga368

    God is so terrible that the Corona virus, now has spread throughout the world, I hope you and your family are protected

    1. I_man

      you Idiot!!!!!!

      God hasn’t spread the virus, but the people how traveled. If we had stoped at time, today the corona would be dead !!!!!!!
      And the chinese people are also responsable for this becase of what they eat if they woul listen to god no corona woud be among the Humans

        1. Thatguy

          Don’t spread useless baseless propaganda. This came from China plain and simple. They tracked patient zero in Italy to a couple from Wuhan and as they track the source of the patients it all comes from one place, China. China is trying to cover their behinds and look like the good guys. Don’t buy in to their propaganda machine.

    2. BLAQ BANE

      Blame game is LAME GAME, Gods don;t interfere when humans are trying to kill themselves. God isn’t the issue here, your fellow humans are.

  4. Doug

    they changed the dashboard. looks like you cant watch the realtime updates for today and yesterdays total isnt even on there.

  5. Mia

    Thanks for your job. It’s great. I check the data and from today morning you miss French Guiana, Guadeloupe, Kosovo, Martinique, Mayotte and Reunion in the list of total confirmed cases.

  6. Joseph William

    This is a win-win strategy! 🙂 * Sarcasm *. I compare this with wickedness during the war. I hope karma overtakes the criminals in the form of the same coronavirus.

  7. Claire

    Why has the recovery numbers now been removed from the data map and now only showing deaths and in some countries tested. There is enough room and gloom right now to be removing this information

Comments are closed.