Threat Signal Report

Coronavirus Ransomware and Kpot Infostealer Campaign

Description

FortiGuard Labs is aware of a new ransomware campaign that is being called "Coronavirus" ransomware, so named because various elements of the hard drive, the encrypted files, and the lock screen reference the term Coronavirus. Discovered by the security researchers @malwrhunterteam, the campaign relies on a fake website, set up by the bad actors behind the attack, that references a security tool called WiseCleaner. The main download contains a downloader that retrieves a total of 7 files; the researchers observed only two of them being downloaded: the Kpot infostealer and the newly discovered Coronavirus ransomware.


What are the specifics of the ransomware campaign?

According to the report, the Kpot infostealer attempts to steal username and password credentials for a variety of services, including cryptocurrency wallets. The Coronavirus ransomware will try to encrypt files with a variety of extensions, renaming them in the following convention:

coronaVi2022@protonmail.ch___1.(originalfileextension)
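A defender can use the renaming convention above as a host-level indicator. The following is an added example, not code from the report: it matches file names against the convention, recovers the original extension, and raises an alert once more than a handful of renamed files appear in a listing. The sample listing and the threshold are constructed assumptions.

```python
import re
from collections import Counter
from typing import Optional

# Convention quoted in the report: coronaVi2022@protonmail.ch___1.<original extension>
# The group after "___" is kept flexible so a different counter than "1" still matches.
RENAMED = re.compile(
    r"^coronaVi2022@protonmail\.ch___(?P<tag>[^.]*)\.(?P<ext>[A-Za-z0-9]{1,10})$"
)


def original_extension(filename: str) -> Optional[str]:
    """Return the original extension (lower-cased) if the name matches, else None."""
    m = RENAMED.match(filename)
    return m.group("ext").lower() if m else None


def scan_listing(paths):
    """Classify a listing of paths (Windows or POSIX separators).

    Returns (list of matching paths, Counter of recovered original extensions).
    """
    hits = []
    exts = Counter()
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        ext = original_extension(name)
        if ext is not None:
            hits.append(p)
            exts[ext] += 1
    return hits, exts


def should_alert(paths, threshold: int = 2) -> bool:
    """Alert when at least `threshold` renamed files are present (threshold is an assumption)."""
    hits, _ = scan_listing(paths)
    return len(hits) >= threshold


# Constructed sample listing for illustration; not taken from the report.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\coronaVi2022@protonmail.ch___1.docx",
    r"C:\Users\alice\Pictures\coronaVi2022@protonmail.ch___1.jpg",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Desktop\coronaVi2022@protonmail.ch___1.pdf",
]

if __name__ == "__main__":
    found, counts = scan_listing(SAMPLE_LISTING)
    print(len(found), "renamed files; original extensions:", dict(counts))
    print("alert:", should_alert(SAMPLE_LISTING))
```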


It will present a lock screen containing various rambling statements along with instructions on paying $50 USD worth of bitcoin and contacting the email address listed in the note:



CORONAVIRUS is there

All your file are crypted.

Your computer is temporarily blocked on several levels.

Applying strong military secret encryption algorithm.


To assist in decrypting your files, you must do the following:

1. Pay 0.008 btc to Bitcoin wallet bc1q8r42fm7kwg68dts3w70qah79n5emt5m76rus5u

or purchase the receipt Bitcoin;

2. Contact us by e-mail: and tell us this your

unique ID: 94C492AD07F35492DA90CAAA25986929

and send the link to Bitcoin transaction generated or Bitcoin check number.

After all this, you get in your email the following:

1. Instructions and software to unlock your computer

2. Program - decryptor of your files.

Donations to the US presidential elections are accepted around the clock.

Desine sperare qui hic intras! [Wait to payment timeout 25 - 40 min]


Are there reports of active exploitation in the wild?

No. According to the report, the malware is installed via user interaction, where the lure is a fake website promoting a computer optimization tool.


What operating systems are affected?

Windows operating systems only.


Any suggested precautions?

FortiGuard Labs suggests that all users exercise caution when installing programs from any non-reputable source. If new software is being promoted through spam email, social media or pop-up advertisements, it is best to do due diligence on the company by performing internet searches on both the product and the company itself. Another suggestion is to perform a WHOIS search on the domain in question: a domain that is relatively new is a red flag that the offer is likely a scam of some sort.
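The WHOIS domain-age check suggested above can be scripted. This is an added example, not from the report: it parses the creation date out of a WHOIS response and treats a domain younger than a chosen cutoff, or one whose creation date cannot be found, as a red flag. The WHOIS text, the 30-day cutoff and the reference date are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed WHOIS response in the common gTLD layout (sample, not a real lookup).
SAMPLE_WHOIS = """Domain Name: EXAMPLE-OPTIMIZER-TOOL.COM
Registrar: Example Registrar, LLC
Creation Date: 2020-03-09T14:22:10Z
Updated Date: 2020-03-09T14:22:10Z
Registry Expiry Date: 2021-03-09T14:22:10Z
"""

# Registries label the field differently; match the common variants at line start.
CREATED = re.compile(
    r"^\s*(?:Creation Date|Created(?: On)?|Registered On):\s*(\S+)", re.I | re.M
)


def creation_date(whois_text: str) -> Optional[datetime]:
    """Extract the creation timestamp as an aware UTC datetime, or None if absent."""
    m = CREATED.search(whois_text)
    if not m:
        return None
    raw = m.group(1)
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def domain_age_days(whois_text: str, now: datetime) -> Optional[int]:
    """Whole days between the creation date and `now` (aware datetime)."""
    created = creation_date(whois_text)
    return None if created is None else (now - created).days


def is_red_flag(whois_text: str, now: datetime, max_age_days: int = 30) -> bool:
    """True when the domain is younger than the cutoff or its age cannot be determined."""
    age = domain_age_days(whois_text, now)
    return age is None or age < max_age_days


if __name__ == "__main__":
    today = datetime.now(timezone.utc)
    print("age (days):", domain_age_days(SAMPLE_WHOIS, today))
    print("red flag:", is_red_flag(SAMPLE_WHOIS, today))
```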


What is the status of AV and IPS coverage?

AV coverage for this issue exists as:

W32/Upatre.AR!tr.dldr

W32/Kryptik.HBVI!tr

W32/Zenpak.HBWA!tr.ransom


IPS coverage is not feasible for this issue.


FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine when vendor updates are available. If it is deemed that patching is not feasible, it is recommended that a risk assessment is conducted to determine additional mitigation safeguards within an environment.


Definitions

Traffic Light Protocol

Color / When should it be used? / How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.