As more and more people are getting infected with the Covid-19 virus around the world, cybercriminals are taking advantage of the chaos to infect users with the Corona-virus-map.com.exe. This malware exploits the current Covid-19 outbreak by trying to pose as an information source and case tracker of the epidemic around the world.
What is the Corona-virus-map.com.exe?
Corona-virus-map.com.exe, also known as the Corona Map virus, is a new Trojan that is circulating around the internet today. It runs in the background of the Windows system, and can only be discovered when you check the running processes under Task Manager. When you see this file running on your computer, it means that your system has been invaded by the AZORult virus, a banking Trojan that was first spotted in 2016.
The cybercriminals behind this Corona-virus-map.com.exe virus are taking advantage of the worldwide panic caused by the Covid-19 pandemic, which has now infected almost 700,000 people around the world, killing more than 30000. Because of this global emergency, people are looking for more information about the crisis, particularly the places that are hardly hit by the virus.
This is where Corona-virus-map.com comes into play. This website supposedly offers a map that tracks the cases of all the Coronavirus infections all over the world. When the users go to this website, the malware gets downloaded to their website and collects the sensitive information from the infected computer.
What Does Corona-virus-map.com.exe Do?
When you go to the www.corona-virus-map.com website, you’ll find it hard to notice that the website is malicious. Is Corona-virus-map.com.exe a malicious file? Is Corona-virus-map.com.exe a virus? This is because the website looks like a genuine interactive map of all the known cases of coronavirus infections around the world. It even mimics the genuine Covid-19 threat map designed by Johns Hopkins University. Aside from the map of the globe which highlights the countries where the virus has spread, you’ll also see the statistics on the latest number of deaths, infected, and recovered cases. The website actually looks legitimate and very convincing.
Aside from the website where the Corona-virus-map.com.exe is hosted, security experts have also discovered several email chains that include a link towards the malicious website. When the link is clicked by the user, the malicious Trojan is unknowingly triggered and downloads itself to the user’s computer.
Corona-virus-map.com.exe is an info-stealing Trojan that belongs to the AZORult banking Trojan family. This means that the malware is designed to steal the user’s browsing history, cookies, username and passwords, credit card information stored in users’ browser history, cryptocurrency, and other sensitive data. Corona-virus-map.com.exe can also download additional malicious apps onto the infected machines.
Based on the study done by the security expert who discovered the virus, researcher Shai Alfasi of Reason Labs, the malware was designed to look for various cryptocurrency wallets, including Electrum and Ethereum. The malware works by extracting data and creating a unique ID of the affected user’s workstation. It then applies XOR encryption by using the new user ID. That generated ID was created to start C2 communication to the C2 server. The C2 server eventually sends the configuration data containing target web browser names, API names, web browser path information, legitimate DLLs, and sqlite3 queries. The gathered data is sent to the malware’s author in the form of a PasswordList.txt file.
The Corona-virus-map.com.exe malware was also discovered being sold in the hacker’s underground market, with prices ranging from $200 t0 $700. The product description of the malware says:
It loads [a] fully working online map of Corona Virus infected areas and other data. Map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!
For the Corona-virus-map.com.exe malware to work, the infected computer needs to have Java installed because the Corona map is Java-based. Even if you have the latest Java version installed, you won’t be able to avoid getting infected with the virus.
How to Remove the Corona-virus-map.com.exe From Your PC
The best way to detect the Corona-virus-map.com.exe malware on your computer is by using a robust anti-malware software. You can use it to detect whether your device has been infected by the Corona-virus-map.com.exe and other types of malware.
According to Virus Total, at least 60 security apps can recognize the Corona-virus-map.com.exe so it is not that difficult to detect. However, it comes in various names, including:
- Trojan:Win32/Covitse!MSR
- GenericKD.33504379
- Trojan[PSW]/Win32.AZORult
- Agent.Wacatac
- Troj/MSIL-NZP
- AzorUlt.CoronaMap
- Malware@#1z88bc8nipk8n
- Win32:Trojan-gen
Keep in mind that deleting the Corona-virus-map.com.exe manually may not be enough to totally remove it from your computer. As described above, the malware modifies the Windows registry, creates new scheduled tasks, and makes various changes all over your Windows system, making it hard for users to remove all of its component. If you suspect that your computer has been infected by the Corona-virus-map.com.exe, you need to delete it using our malware removal guide (insert malware rremoval guide here) below. Don’t forget to use a PC cleaner app to delete all infected files and prevent re-infection.