
COVID-19 Malware Targets MBR - ThreatWire Crosspost

This story was chosen by the ThreatWire Patreon patrons! 

The Master Boot Record of a computer tells the PC how the partitions are laid out on a drive and holds the first-stage code that loads the operating system. If it gets corrupted, the machine generally can’t boot until it’s fixed. For general users, you normally don’t want to mess with this. Now, malware themed around COVID-19 has been created that wipes or rewrites the MBR.

CNET worked with infosec professionals to find several different malware strains that were made to wipe or rewrite the master boot record, but none of them were made for monetary gain. The first two could rewrite the MBR sectors and seemed more advanced. One was found by MalwareHunterTeam and goes by the name COVID-19.exe. It disables the Windows task manager, forces a popup that won’t close, disables the User Access Control, and disables the options to change the wallpaper. Meanwhile, behind the scenes, the malware rewrites the MBR, then restarts the PC, and the user sees a boot screen saying the computer has been trashed. This one also adds registry entries, which can make the malware persistent.
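Because both of the strains above rewrite the first sector of the disk, the defender’s check is the same: read the 512-byte MBR, confirm the partition table and 0x55AA boot signature are intact, and compare the boot code against a hash recorded while the machine was healthy. The script below is an added example, not code from ThreatWire or from the researchers cited; the MBR sectors it checks are constructed in the script (a made-up “known good” sector, a rewritten one, and a zeroed one) rather than read from a real disk.

```python
"""Parse a 512-byte MBR sector and check it against a known-good baseline.

Added example, not ThreatWire's or the cited researchers' code. All sector
bytes below are constructed for the demo; on a live machine you would read
the first 512 bytes of the physical disk (e.g. \\.\PhysicalDrive0 on Windows,
which requires administrative rights) and keep the baseline hash offline.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"       # last two bytes of a valid MBR


def parse_partition_table(sector: bytes) -> list:
    """Decode the four partition entries of an MBR sector into dicts."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = sector[start:start + PARTITION_ENTRY_SIZE]
        # Layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, num_sectors = struct.unpack_from("<B3xB3xII", entry, 0)
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": num_sectors,
        })
    return entries


def has_valid_signature(sector: bytes) -> bool:
    """True when the sector ends with the 0x55AA boot signature."""
    return sector[-2:] == SIGNATURE


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot code region only (partition table excluded)."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    if not has_valid_signature(sector):
        findings.append("boot signature 0x55AA missing: sector wiped or overwritten")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline: MBR rewritten")
    table = parse_partition_table(sector)
    if not any(e["type"] != 0 for e in table):
        findings.append("partition table empty: no partitions defined")
    return findings


def build_sample_mbr(boot_code: bytes, partition_type: int = 0x07, bootable: bool = True) -> bytes:
    """Construct a synthetic MBR sector for the demo (not read from any real disk)."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    # One NTFS-type partition starting at LBA 2048, three empty entries.
    entry = struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, partition_type, 2048, 1_000_000)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return code + table + SIGNATURE


# Constructed "known-good" MBR, as if recorded while the machine was healthy.
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # placeholder boot code bytes
BASELINE_HASH = boot_code_hash(GOOD_MBR)

# Constructed "after rewrite" sector: boot code replaced, table and signature kept.
REWRITTEN_MBR = build_sample_mbr(b"constructed replacement boot code")

# Constructed wiped sector: zeroed entirely, so signature and table are both gone.
WIPED_MBR = b"\x00" * MBR_SIZE


if __name__ == "__main__":
    for name, sector in (("good", GOOD_MBR), ("rewritten", REWRITTEN_MBR), ("wiped", WIPED_MBR)):
        print(name, check_mbr(sector, BASELINE_HASH) or "OK")
```

Hashing only the boot code region, rather than the whole sector, keeps the check stable when a legitimate partition change updates the table; a rewrite of the loader code, which is what the strains above do, still shows up as a hash mismatch, and a full wipe fails all three checks at once.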

Another one posed as Coronavirus ransomware, but the malware was actually stealing passwords while wiping the MBR. This one would rewrite the MBR and add a boot screen saying the machine was encrypted and demanding payment in bitcoin. It could also wipe files from the machine, but that ability didn’t appear to be active, according to researchers. The malware was distributed via a website impersonating a cleaning utility called WiseCleaner, and when downloaded, would use a file called WSHSetup.exe to extract the CoronaVirus ransomware and a trojan called Kpot. Kpot steals cookies and login credentials from browsers, messaging programs, FTP and VPN clients, email accounts, Steam, Battle.net, etc. If any cryptocurrency is on the machine, it also attempts to steal that. The ransomware encrypts and renames files with specific extensions, then demands about $50 in bitcoin. Researchers suspect the bitcoin ransom is used to distract users from the Kpot info stealer, so they recommend using a different machine to reset any passwords that could have been compromised.

The last two are data-wiping malware, with one being discovered as early as February. The second wiper was discovered last week. While both of these appear to be full of errors and not as efficient as the rewriting malware, they did succeed. Since each of these different wipers appears to work, it’s crucial to practice good security hygiene and not download anything odd from a browser.



Support me on alternative platforms! https://snubsie.com/support

Shop ThreatWire Merch! - https://snubsie.com/shop

https://www.youtube.com/shannonmorse --  subscribe to my tech channel!

ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire 

Covid-19 malware wipes PC and MBR

https://www.zdnet.com/article/theres-now-covid-19-malware-that-will-wipe-your-pc-and-rewrite-your-mbr/

https://securitynews.sonicwall.com/xmlpost/coronavirus-trojan-overwriting-the-mbr/

https://twitter.com/malwrhunterteam/status/1242189645552783360

https://www.bleepingcomputer.com/news/security/new-coronavirus-ransomware-acts-as-cover-for-kpot-infostealer/

https://twitter.com/malwrhunterteam/status/1245386335298433027

https://twitter.com/malwrhunterteam/status/1227204126016200704

