BlackNET RAT distributed via Fake “Corona Antivirus”

Scammers and malware authors are taking full advantage of the coronavirus, and we have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, including data stealers. We wrote a blog post on this on 20th March, citing the report from Recorded Future.

As more of us work from home, the need to secure our computers, especially when connecting to the company's network, becomes more important. However, we should be extra careful of bogus security software, especially if it uses the coronavirus as a selling point.

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get us to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

They also claim that this Corona Antivirus is powered by "Special AI".

Installing this application infects your computer with RAT malware and enrols it in the BlackNET botnet. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands from the following endpoints:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//getCommand[.]php?[removed]
hxxps[://]instaboom-hello[.]site//receive[.]php?command=[removed]

The command and control server is hosted at instaboom-hello[.]site

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

  • Deploying DDOS attacks
  • Taking screenshots
  • Stealing Firefox cookies
  • Stealing saved passwords
  • Implementing a keylogger
  • Executing scripts
  • Stealing Bitcoin wallets

Following are the indicators of compromise. Add them to your defenses.

Malicious site

antivirus-covid19[.]site

Bogus corona antivirus

antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel

instaboom-hello[.]site
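The following script is an added example and is not code from the original post or from the BlackNET project. It shows how a defender can put the indicators above, and the three C2 beacon endpoints listed earlier (connection.php, getCommand.php, receive.php), to work: it refangs the defanged indicators, scans web-proxy log lines for hosts and beacon paths, and checks observed file hashes against the published SHA256. The log format and all sample log lines are constructed for the example; only the domains, the hash and the endpoint names come from the post. A path match on a host that is not in the IoC list is reported separately because it is lower confidence (the endpoint names are generic), so treat it as a lead to investigate rather than a confirmed hit.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators of compromise from the post (stored defanged, refanged before matching).
IOC_DOMAINS_DEFANGED = ("antivirus-covid19[.]site", "instaboom-hello[.]site")
IOC_SHA256 = {"146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4"}

# The three beacon endpoints observed in the C2 traffic described in the post.
C2_PATHS = {"/connection.php", "/getcommand.php", "/receive.php"}


def refang(value):
    """Turn a defanged indicator such as 'hxxps[://]x[.]site' into a normal URL or host."""
    return (value.replace("hxxp", "http")
                 .replace("[://]", "://")
                 .replace("[:]", ":")
                 .replace("[.]", "."))


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def classify_url(url):
    """Return a list of (confidence, reason) tuples for a URL; [] means no IoC match."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    # The post shows 'site//connection.php'; collapse repeated slashes before comparing.
    path = re.sub(r"/+", "/", parts.path).lower()
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append(("high", f"host {host} is a known BlackNET IoC"))
    if path in C2_PATHS:
        conf = "high" if host in IOC_DOMAINS else "low"
        reasons.append((conf, f"path {path} matches a BlackNET beacon endpoint"))
    return reasons


def scan_proxy_log(lines):
    """Scan constructed proxy log lines: '<timestamp> <client_ip> <method> <url>'.

    Returns a list of (client_ip, url, reasons) for every line that matched an IoC.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash
        _ts, client, _method, url = fields[:4]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


def check_hashes(observed):
    """observed maps filename -> SHA256 hex; return the filenames whose hash is an IoC."""
    return sorted(name for name, digest in observed.items() if digest.lower() in IOC_SHA256)


def file_sha256(path):
    """Compute the SHA256 of a file on disk for use with check_hashes."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample log lines (not taken from the post); 10.0.0.7 is the infected host.
SAMPLE_LOG = [
    "2020-03-23T10:00:01Z 10.0.0.5 GET https://example.com/index.html",
    "2020-03-23T10:00:09Z 10.0.0.7 GET https://antivirus-covid19.site/update.exe",
    "2020-03-23T10:01:12Z 10.0.0.7 POST https://instaboom-hello.site//connection.php?data=AAAA",
    "2020-03-23T10:01:40Z 10.0.0.7 GET https://instaboom-hello.site//getCommand.php?id=AAAA",
    "2020-03-23T10:02:03Z 10.0.0.9 GET https://news.example.org/covid-19-update",
    "2020-03-23T10:02:30Z 10.0.0.9 GET https://unknown-host.example/receive.php?command=AAAA",
]

if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_LOG):
        for conf, why in reasons:
            print(f"[{conf}] {client} -> {url}: {why}")
    # Constructed hash table: one entry matches the post's SHA256 (case-insensitive).
    print(check_hashes({"update.exe": "146DD15AB549F6A0691C3A728602CE283825B361AA825521252C94E4A8BD94B4",
                        "notepad.exe": "00" * 32}))
```

Run it directly to see the three high-confidence hits from 10.0.0.7 and the low-confidence lead from 10.0.0.9; feed it real proxy export lines by adapting the field split in scan_proxy_log to your log format.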

STAY HOME & STAY SAFE & BROWSE SAFE
