Attackers use a new CoronaVirus Ransomware to cover Kpot Infostealer infections

Coronavirus-themed attacks continue to increase, experts observed new Coronavirus ransomware that acts as a cover for Kpot Infostealer.

Last week, security experts from MalwareHunterTeam detected new ransomware dubbed CoronaVirus has been distributed through a malicious web site that was advertising a legitimate system optimization software and utilities from WiseCleaner.

In this campaign, crooks are exploiting the interest in the Coronavirus (COVID-19) outbreak to deliver a couple of malware, the CoronaVirus Ransomware and the Kpot information-stealing Trojan.

According to MalwareHunterTeam researchers, the ransomware may actually be a wiper.

Attackers use a new CoronaVirus Ransomware to cover Kpot Infostealer infections

The website was distributing a file named WSHSetup.exe, it is the downloader for both the CoronaVirus Ransomware and the Kpot password-stealer.

Upon execution, the executable will attempt to download several files from a remote web site, at the time of the analysis, only a few of them were available. One of these files is, ‘file1.exe,’ which is the Kpot password-stealing Trojan.

KPOT Stealer is a “stealer” malware that focuses on exfiltrating account information and other data from web browsers, instant messengers, email, VPN, RDP, FTP, cryptocurrency, and gaming software.

The malware is also able to take a screenshot of the active desktop and also target wallets stored on the computer.

The second file downloaded by the initial dropper is ‘file2.exe’, is the CoronaVirus Ransomware, it is able to target a broad range of files.

The filename of the encrypted files will be changed to the attacker’s email address (i.e. test.jpg will be enamed to ‘[email protected]___1.jpg’).

The ransomware drops in any folder that contain encrypted files, and on the desktop, a ransom note named CoronaVirus.txt.

Operators demand 0.008 (~$50) bitcoins to decrypt the data, the operators used the bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk00xa3jbitcoin wallet that has yet to receive any payment.

The ransomware also renames the C: drive to CoronaVirus, and on reboot, it displays a lock screen with the ransom note.

“Based on the low ransom amount, static bitcoin address, and political message, it is strongly suspected that this ransomware is being used more as a cover for the Kpot infection rather than to generate actual ransom payments.” reads the analysis published by BleepingComputer.

“BleepingComputer’s theory is that the ransomware component is being used to distract the user from realizing that the Kpot information-stealing Trojan was also installed to steal passwords, cookies, and cryptocurrency wallets.”

Additional technical details are reported in the analysis published by BleepingComputer.

Pierluigi Paganini

March 19, 2020

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...