Malicious “Corona Anti-Virus” Software Discovered
Researchers at Malwarebytes have unearthed a website advertising fake anti-virus software it claims can protect people from contracting the real human virus COVID-19.
In what reads as a bizarre conflation of computer malware and a human pathogen, the site (antivirus-covid19[.]site) offers visitors the chance to “Download our AI Corona Antivirus for the best possible protection against the Corona COVID-19 virus.”
The site’s operators carefully chose an academic big hitter to endorse it. According to the website, the Corona Anti-virus was developed by “scientists from Harvard University” who “have been working on a special AI development to combat the virus using a Windows app.”
To further authenticate their product’s claims, the site’s creators have included a meaningless graphic of three people standing around a circular raised platform while staring at some connecting balls suspended in mid-air. One of the figures points at a ball as though symbolically indicating the presence of a cure.
The site went on to claim that “your PC actively protects you against the Coronaviruses (Cov) while the app is running.”
It’s hard to imagine this ill-conceived ruse netting many victims, but anyone persuaded to install the fake Corona Anti-virus will infect their own computer with malware.
Researchers found that criminals are using the fake anti-virus installer to distribute the BlackNet remote administration tool (RAT). Users who download and run the installer served at antivirus-covid19[.]site/update.exe turn their PC into a bot that awaits commands from the threat actor.
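The only indicators the article gives are the lure domain and the payload URL above. As an added example (not code from Malwarebytes or from the article), the script below refangs those defanged indicators and hunts for them in a proxy log; the log format and the sample lines are constructed for the demo, and the hxxp:// convention handled by the refang routine is an assumption. It matches the domain and its subdomains but deliberately does not match a look-alike hostname that merely contains the string, which a naive substring search would flag.

```python
"""Hunt for the fake "Corona Anti-virus" lure and its BlackNet payload in proxy logs.

Added example, not part of the original write-up. Indicators are the two
published on the page; the log format and sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as published, in analyst-safe (defanged) notation.
DEFANGED_IOCS = [
    "antivirus-covid19[.]site",             # lure site
    "antivirus-covid19[.]site/update.exe",  # BlackNet RAT payload
]


def refang(ioc: str) -> str:
    """Turn defanged notation back into a matchable string.

    Handles the [.] and (.) dot escapes and the hxxp/hxxps scheme
    (assumed conventions; the article itself only uses [.]).
    """
    ioc = ioc.replace("[.]", ".").replace("(.)", ".")
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)
    return ioc.lower()


def ioc_host(ioc: str) -> str:
    """Extract the hostname from a refanged indicator, with or without a scheme."""
    s = refang(ioc)
    return (urlsplit(s if "://" in s else "http://" + s).hostname or "").rstrip(".")


WATCH_DOMAINS = {ioc_host(i) for i in DEFANGED_IOCS}   # {"antivirus-covid19.site"}
PAYLOAD_NAME = "/update.exe"


def host_matches(host: str) -> bool:
    """True for a watched domain or any subdomain of it; false for look-alikes
    such as antivirus-covid19.site.example.net, which a substring test would hit."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS)


# Constructed proxy log format: "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify(line: str):
    """Return a hit dict for a line touching the lure infrastructure, else None.

    Severity is "payload" for a fetch of update.exe (likely infection) and
    "lure" for any other contact with the site (exposure, no download yet).
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host_matches(host):
        return None
    severity = "payload" if parts.path.lower().endswith(PAYLOAD_NAME) else "lure"
    return {"ts": m.group("ts"), "src": m.group("src"), "host": host,
            "path": parts.path, "severity": severity}


def hunt(log_text: str) -> list:
    """Scan a whole log and return hits in log order."""
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]


# Constructed sample log: one host browses the lure and then downloads the
# payload, a second host only loads an asset from a subdomain, and a third
# visits an unrelated domain that merely contains the indicator string.
SAMPLE_LOG = """\
2020-03-23T10:01:02Z 10.0.0.15 GET http://www.example.com/ 200
2020-03-23T10:03:44Z 10.0.0.15 GET http://antivirus-covid19.site/ 200
2020-03-23T10:04:10Z 10.0.0.15 GET http://antivirus-covid19.site/update.exe 200
2020-03-23T10:05:00Z 10.0.0.22 GET https://cdn.antivirus-covid19.site/img/ai.png 200
2020-03-23T10:06:00Z 10.0.0.31 GET http://antivirus-covid19.site.example.net/ 200
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f'{hit["severity"]:7} {hit["src"]:10} {hit["host"]}{hit["path"]}')
```

Running it over the constructed log reports 10.0.0.15 twice (lure, then payload) and 10.0.0.22 once (lure, via the subdomain); the look-alike hostname from 10.0.0.31 is not reported. A "payload" hit on a real network is the host to isolate first, since the article says the executable enrols the machine as a BlackNet bot as soon as it runs.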
“The full source code for this toolkit was published on GitHub a month ago,” said researchers. “Some of its features include deploying DDoS attacks, taking screenshots, stealing Firefox cookies, stealing saved passwords, implementing a key logger, executing scripts and stealing Bitcoin wallets.”
Researchers reported the site to American web-infrastructure and website-security company CloudFlare.
“We informed CloudFlare, since the threat actors were abusing their service, and they took immediate action to flag this website as a phish,” said researchers.