A bogus antivirus app dubbed Corona is preying on COVID-19 fears, promising to protect its users from the pandemic virus. What the app actually does is spread a malware threat, known as BlackNET RAT.
Both the antivirus-covid19[.]site and corona-antivirus[.]com web pages boast ridiculous claims, offering “best possible protection against the Corona COVID-19 virus,” declaring that their software can protect its users in real life.
Malware Disguised as Anti-Malware
The websites went as far as to claim that “scientists from Harvard University have been working on a special AI development to combat the virus using a mobile phone app.”
After the first website was taken down, the second removed the malicious links and changed its written content to add a disclaimer that “this is only a fun project.”
Researchers warn that the websites take advantage of the COVID-19 outbreak to push an infected installer that drops BlackNET RAT, a malware threat designed to steal sensitive information and add the infected devices to the BlackNET botnet.
Figure 1: Increase of Coronavirus-related Domains
The graph shows the increase in COVID19-related domains in the past two months. Source: Check Point
What is BlackNET RAT?
BlackNET RAT is a Remote Access Trojan that adds devices to the BlackNET botnet. The malware comes with a built-in keylogger and is designed to harvest sensitive data, including passwords and other credentials, cookies, and Bitcoin wallets.
The RAT comes with bot management features that can uninstall or update a bot client, restart and shut down the infected devices, and even open hidden web pages.
Additionally, this malware can launch DDoS attacks, take screenshots of the victim’s screen, upload files onto the infected device, and execute scripts.
The malware is also equipped with anti-forensic and anti-VM features that prevent researchers from analyzing it properly.
A Cyber Pandemic of Coronavirus-themed Threats
Cybersecurity experts warn that Corona Antivirus is not the only fake app that takes advantage of the global COVID-19 outbreak. A cyber pandemic of Coronavirus-themed scams, trojans, and RATs threatens desktop and mobile users alike.
The number of newly registered domains related to COVID-19 has skyrocketed since the Coronavirus outbreak was officially classified as a pandemic. According to Check Point, since the end of February, approximately 0.8% (93 websites) of all analyzed domains were actively malicious, and 19% (2,200+ sites) were suspicious.
The US Department of Homeland Security warns that cybercriminals will continue to exploit the pandemic. All users are strongly advised to enforce strict cyber-hygiene standards.