A new Coronavirus (COVID-19) themed ransomware is spreading together with a ‘stealer’ trojan Kpot.
Researchers at MalwareHunterTeam have uncovered a new ransomware named CoronaVirus that is being distributed together with the password-stealing trojan Kpot. According to BleepingComputer, the ransomware is distributed via a website that impersonates a legitimate site promoting WiseCleaner, a real Windows system optimizer.
The malicious site (wisecleaner[.]best) is distributing a file called WSHSetup.exe, which, if executed, will attempt to download the CoronaVirus ransomware and the ‘stealer’ trojan Kpot. If WSHSetup.exe is executed, the program will attempt to download 7 files in total but will actually download only 2, file1.exe and file2.exe.
Downloads both a ‘stealer’ trojan and CoronaVirus ransomware
The file file1.exe is the Kpot password stealer. If the file is executed and the trojan becomes active, it will attempt to steal browser information like cookies and login credentials. It will also target information from messaging programs, email and gaming accounts (such as Steam), as well as cryptocurrency wallets. The malware will also take a screenshot of the desktop.
The other downloaded file, file2.exe, is the CoronaVirus ransomware. It will target certain files on your computer and encrypt them. According to malware researchers, files with the following extensions are targeted: .bak, .bat, .doc, .jpg, .jpe, .txt, .tex, .dbf, .xls, .cry, .xml, .vsd, .pdf, .csv, .bmp, .tif, .tax, .gif, .gbr, .png, .mdb, .mdf, .sdf, .dwg, .dxf, .dgn, .stl, .gho, .ppt, .acc, .vpd, .odt, .ods, .rar, .zip, .cpp, .pas, .asm, .rtf, .lic, .avi, .mov, .vbs, .erf, .epf, .mxl, .cfu, .mht, .bak, .old.
Encrypted files will be renamed to contain the attacker’s email address. For example, “Picture.jpg” would be renamed coronaVi2022@protonmail.ch___picture.jpg. The ransomware will drop a ransom note, CoronaVirus.txt, in all folders containing encrypted files. The note is pretty basic: it declares that files on the computer have been encrypted and that paying the ransom is necessary to recover them. The requested sum is unusually low: victims are asked to pay 0.008 Bitcoin, which equals $40 at the time of writing. The bitcoin address has not received a single payment as of yet.
Interestingly enough, the computer will reboot and display a loaded screen with the ransom note for around 40 minutes, after which it will reboot again to display a slightly different message for about 15 minutes. Finally, it will boot again, load Windows and display the note again once the user has logged in.
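The renaming scheme and the ransom note filename described above are enough for a quick triage sweep of a file share or disk image. The following is an added example, not code from the researchers or from the original article: a Python scan that reports every folder containing the note or a renamed file and recovers the original file names. The function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile

# Indicators taken from the article text.
RENAME_PREFIX = "coronaVi2022@protonmail.ch___"
RANSOM_NOTE = "CoronaVirus.txt"


def scan_tree(root):
    """Walk root and report folders showing the article's indicators.

    Returns {relative_folder: {"note": bool, "renamed": {current: original}}}
    for every folder holding the ransom note or at least one renamed file.
    """
    findings = {}
    for folder, _dirs, files in os.walk(root):
        note, renamed = False, {}
        for name in files:
            # Windows file names are case-insensitive, so compare folded.
            if name.lower() == RANSOM_NOTE.lower():
                note = True
            elif name.lower().startswith(RENAME_PREFIX.lower()):
                # Strip the prefix to recover the pre-infection file name.
                renamed[name] = name[len(RENAME_PREFIX):]
        if note or renamed:
            rel = os.path.relpath(folder, root)
            findings[rel] = {"note": note, "renamed": renamed}
    return findings


def demo():
    """Build a constructed sample tree of empty files and scan it."""
    layout = {
        "docs": [RENAME_PREFIX + "picture.jpg", RENAME_PREFIX + "budget.xls", RANSOM_NOTE],
        "clean": ["notes.txt"],
        "partial": [RENAME_PREFIX.upper() + "plan.doc"],  # case variant, no note
    }
    with tempfile.TemporaryDirectory() as root:
        for sub, names in layout.items():
            os.makedirs(os.path.join(root, sub))
            for name in names:
                open(os.path.join(root, sub, name), "w").close()
        return scan_tree(root)


if __name__ == "__main__":
    for folder, info in sorted(demo().items()):
        print(folder, "note" if info["note"] else "no-note", info["renamed"])
```
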
The CoronaVirus ransomware may just be a distraction
Due to the ransomware’s strange behaviour and unusually low ransom sum, there has been speculation that the ransomware is just a cover. The actual aim of this infection may be for the trojan to steal sensitive information. The trojan will actively steal data in the background unnoticed while victims deal with the ransomware.