Fake Corona antivirus software website delivers BlackNET RAT malware

Malware authors rely on the pandemic Coronavirus outbreak and distribute botnet virus with the help of fake antivirus tool site

Installing a fake antivirus tool infects the machine with malware that can steal data and execute scripts. Scammers and malware creators aim to trick people into installing the fake antivirus that should be the cure for COVID-19 virus.^[1] Number of spam campaigns and phishing sites use the name of the infection to gain attention, visitors and get potential victims of the cyber threat, but this is the case of info-stealer malware.^[2] Multiple sites got reported^[3] and analysed to discover all types of malware that online pages distributed by using these claims:

Our scientists from Harvard University have been working on a special AI development to combat the virus using a mobile phone app.

Your mobile device actively protects you against the Coronaviruses (Cov) while the app is running.

Bogus sites claim to protect people from contracting human Coronavirus by downloading and installing the anti-virus software. The page initially offers to download the protection tool and site operators chose to use the state that Harvard University is involved in the development of the application and “combating the virus using Windows application” to further encourage people.

Criminals taking advantage of global panic due to pandemic

Creators aimed to authenticate the promoted software, so claims about the protection included graphs and statistics encouraging users to download the AV tool that, in reality, is a remote access trojan.^[4] The website was reported and quickly taken offline, marked as a phishing site. However, it is possible that some people fell for the scam campaign and installed the malicious program that loaded BlackNET RAT via antivirus-covid19.site/update.exe payload file.

We cannot stress enough, but this is a fake antivirus tool and applications downloaded from such sites cannot protect from an actual COVID-19 virus that infects people all over the world. Malicious actors have already targeted across the globe people with their products by using the name of the virus. Corona ransomware is attacking peoples' systems for a month or so, Crimson RAT payload got delivered in a similar phishing scam campaign, and supposedly, hacker group ATP36 is responsible for this.

Various functions of malware delivered via 100% fake AV tool sites

Downloading the promoted application leads to malware infection and the file included in the Themida packer turns your device into a bot that receives commands from Command and Control server. The server hosted at instaboom-hello.site that in reality is a control panel for botnet malware.^[5]

According to the analysis of BlackNET malware code, shows that this threat can be set to perform an area of commands and all those features include:

• taking screenshots;
• stealing saved logins and passwords;
• stealing Mozilla Firefox cookies;
• executing scripts;
• stealing Bitcoin wallet credentials;
• deploying DDOS attacks;
• running a keylogger.

Remember that during this period, it is important to stay safe by staying inside and stay safe online by protecting your privacy and machine from hackers and common malware. The number of scams comes higher than ever, so criminals take advantage of the situation as much as they can. Choose reliable anti-malware tools, don't fall for deals or new promotional campaigns.