Nothing can stop hackers from exploiting internet, not even COVID-19 pandemic. A hacker has made an application which looks legitimate but is actually a malware which steals your information. The malware which is being used in the app is AZORult malware.
What is AZORULT Malware?
First of all what is Malware? Malware is a software which infects the computer, server or network. Some programs can also act as malware, if that program acts against computer user’s interest.
AZORULT Malware was first discovered in 2016. This malware is designed to steal your browser’s history, cookies, saved passwords and login and even cryptocurrency information and more. It can also download other malwares.
To know more about AZORULT Malware click here.
Details on the COVID-19 App that has AZORULT Malware
The name of the application is Corona-virus-Map.com.exe. The UI of this application is similar to Johns Hopkins website which is a legitimate website for tracking COVID-19 virus, it has no trapdoor or malware whatsoever. This app’s data is also accurate and correct as it takes the data from Johns Hopkins website.
The UI of the app looks promising so many users might download this app based on the UI and correct information provided but in background a malware is running.
This application was first discovered by MalwareHunterTeam and notified everyone on twitter. ReasonLabs is now inspecting this app.
This app creates multiple Corona.exe, Corona-virus-Map.com.exe, Bin.exe and Windows.Globalization.Fontgroups.module.exe processes. You can see this on the tree structure given below.
A process called bin.exe is responsible for stealing various information form the browser. The information stolen can be your login credentials of a website, Cryptocurrency information, Steam account and it also collects information about the system such as OS, hostname etc.
Another process called timeout.exe is used to create a delayed execution which can trick the antivirus software. This process makes sure that antivirus doesn’t know that the system is infected by this app.
Another process called Build.exe which creates subprocess called Windows.Globalization.Fontgroups.exe. This subprocess is responsible for finding new browsers and resources in the system to steal information. The subprocess creates a process called Windows.Globalization.Fontgroups.module.exe which stores the information sent by bin.exe in a zip file. So it will create a zip file with all the information that bin.exe has sent.
Of course, there are many more processes but this three processes are main processes.
To know more about this app click here.
Conclusion
There are many websites or apps like this that looks legitimate but it isn’t, so we have to be very careful. Generally the hackers will use lure to attract users and then they will steal your data, so be very careful in what website you are on and which app you are using. Be extra careful of phishing email, they look very much legitimate but they aren’t.
The information was gained from Reason Blogs.
In case you missed: (click on the title below)
First of all let’s understand what is cryptocurrency and mining. What is Cryptocurrency? Cryptocurrency is a digital currency which is decentralized meaning there is no . . .
DuckDuckGo, the well known privacy based search engine has been reported to be blocked in India by multiple ISPs without any reason. It is a . . .