Attackers use a new CoronaVirus Ransomware to cover Kpot Infostealer infections

Coronavirus-themed attacks continue to increase, experts observed new Coronavirus ransomware that acts as a cover for Kpot Infostealer.

Last week, security experts from MalwareHunterTeam detected new ransomware dubbed CoronaVirus has been distributed through a malicious web site that was advertising a legitimate system optimization software and utilities from WiseCleaner.

In this campaign, crooks are exploiting the interest in the Coronavirus (COVID-19) outbreak to deliver a couple of malware, the CoronaVirus Ransomware and the Kpot information-stealing Trojan.

According to MalwareHunterTeam researchers, the ransomware may actually be a wiper.

The website was distributing a file named WSHSetup.exe, it is the downloader for both the CoronaVirus Ransomware and the Kpot password-stealer.

Upon execution, the executable will attempt to download several files from a remote web site, at the time of the analysis, only a few of them were available. One of these files is, ‘file1.exe,’ which is the Kpot password-stealing Trojan.

KPOT Stealer is a “stealer” malware that focuses on exfiltrating account information and other data from web browsers, instant messengers, email, VPN, RDP, FTP, cryptocurrency, and gaming software.

The malware is also able to take a screenshot of the active desktop and also target wallets stored on the computer.

The second file downloaded by the initial dropper is ‘file2.exe’, is the CoronaVirus Ransomware, it is able to target a broad range of files.

The filename of the encrypted files will be changed to the attacker’s email address (i.e. test.jpg will be enamed to ‘coronaVi2022@protonmail.ch___1.jpg’).

The ransomware drops in any folder that contain encrypted files, and on the desktop, a ransom note named CoronaVirus.txt.

Operators demand 0.008 (~$50) bitcoins to decrypt the data, the operators used the bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk00xa3jbitcoin wallet that has yet to receive any payment.

The ransomware also renames the C: drive to CoronaVirus, and on reboot, it displays a lock screen with the ransom note.

“Based on the low ransom amount, static bitcoin address, and political message, it is strongly suspected that this ransomware is being used more as a cover for the Kpot infection rather than to generate actual ransom payments.” reads the analysis published by BleepingComputer.

“BleepingComputer’s theory is that the ransomware component is being used to distract the user from realizing that the Kpot information-stealing Trojan was also installed to steal passwords, cookies, and cryptocurrency wallets.”

Additional technical details are reported in the analysis published by BleepingComputer.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase