Over the past month, the number of malicious campaigns that exploit the COVID-19 theme in one way or another has been growing like wildfire. There are already tens of thousands of coronavirus-themed malicious domains, and even hacked routers scare their owners with "urgent" information about the pandemic.
Now, experts have noticed malware that deliberately destroys the data of affected users and overwrites the MBR (Master Boot Record), which prevents the system from starting normally.
Journalists at ZDNet write that in total they managed to identify four strains of such wipers (from the English "to wipe", i.e. "erase") that combine exploitation of the coronavirus theme with a focus on destroying information rather than on financial gain. Of the four malware samples discovered by information security researchers last month, the two most advanced were those that overwrite the MBR.
In the first stage, the malware simply shows an annoying window that users cannot close, since the malware has already disabled the Windows Task Manager. While users are trying to deal with the window, the malware damages the MBR and then reboots the PC. As a result, the user is locked out and the system does not boot past the pre-boot screen.
Fortunately, in this case it is possible to restore access to the machine and the data, although this requires special software to restore the MBR.
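To confirm this kind of MBR damage from a disk image before attempting recovery, here is an added example (not from the article or from any of the researchers it cites) that parses a 512-byte MBR and reports signs of overwriting. The two sample sectors are constructed, and the tamper heuristics are assumptions that apply to legacy-BIOS disks.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xAA"
GPT_PROTECTIVE_TYPE = 0xEE  # a GPT disk carries a protective MBR with empty boot code

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and boot signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:PART_TABLE_OFFSET], "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def mbr_findings(sector: bytes) -> list:
    """Return reasons the MBR looks damaged; an empty list means it looks sane (assumed heuristics)."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if not mbr["partitions"]:
        findings.append("partition table has no entries")
    is_gpt = any(p["type"] == GPT_PROTECTIVE_TYPE for p in mbr["partitions"])
    # Boot code made of one repeated byte is expected only for a GPT protective MBR
    if not is_gpt and len(set(mbr["boot_code"])) == 1:
        findings.append("boot code is a single repeated byte (typical of a wipe)")
    return findings

# Constructed samples, not real disk data: a plausible NTFS boot disk and a zero-filled sector.
def _sample_intact() -> bytes:
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (PART_TABLE_OFFSET - 4)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE

def _sample_wiped() -> bytes:
    return b"\x00" * MBR_SIZE

if __name__ == "__main__":
    for name, sector in (("intact", _sample_intact()), ("wiped", _sample_wiped())):
        print(name, mbr_findings(sector) or "looks sane")
```

On a real case, read the first 512 bytes of the disk image (e.g. `open(path, "rb").read(512)`) and pass them to `mbr_findings`.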
The second strain of "coronavirus" malware also overwrites the MBR, but it looks more sophisticated. At first glance, it is just another ransomware called CoronaVirus, but that is only a cover. The main function of this malware is to steal passwords from the infected host and then imitate extortion activity designed to hide the real state of affairs from the victim.
As soon as CoronaVirus has stolen the victim's data, it overwrites the MBR and thereby locks the user's system, effectively depriving the victim of access to the PC. Since at this stage the user sees a ransom note and a message that their data is encrypted, it is unlikely they would immediately think to check whether someone has stolen passwords from their applications.
According to analysis by SentinelOne, security researcher Vitali Kremez and BleepingComputer, this malware also contains code for erasing files from the victim's machine, but at the time the malware was examined this code was not active.
A second version of the same threat was spotted by G DATA expert Karsten Hahn two weeks later. The malware retained the ability to overwrite the MBR, but replaced the inactive data-erasing function with a working screen locker.
At first this seems like a simple screenlocker, but it infects the MBR as well.
Same MBR as the Coronavirus ransomware found by @malwrhunterteam
– Karsten Hahn (@struppigel) March 26, 2020
But while the threats above only damaged the MBR and did not destroy the data on the infected machine, the other two malware samples found by MalwareHunterTeam do exactly that.
The first wiper was spotted back in February of this year. Judging by the Chinese file name, it was intended for Chinese users, although neither the researchers nor ZDNet has reliable data on whether this malware actually spread or was only a test version. The second wiper was discovered this week: someone in Italy uploaded a sample to VirusTotal.
MalwareHunterTeam describes both threats as very weak wipers, given the methods they use to delete files: inefficient, error-prone and time-consuming. However, both wipers work and really do destroy their victims' data, although the expert is not sure whether they are someone's joke or were created as serious malware.
"alcuni accorgimenti da prendere per il Covid-19.zip" -> "Covid-19.exe" (60e9dfe954acf0b02a5b35f367cf36ae2bc9b12e02aa3085495c5d8c4c94611c) -> dropped "Covid-19.bat, which
Seen from Italy.
Not sure if it's worse if it was created as a joke or seriously. @JAMESWT_MHT pic.twitter.com/YkbFTq8LP7
– MalwareHunterTeam (@malwrhunterteam) April 1, 2020