12 March 2020

Criminals are exploiting coronavirus scare to infect computers with malware


With the coronavirus outbreak affecting more and more countries and the World Health Organization declaring COVID-19 (the disease caused by the novel coronavirus) a pandemic, everyone is keeping a close eye on how it is spreading across the world. For those craving information, several organizations have built dashboards to track COVID-19, and now attackers have found a way to use these online maps as bait to infect computers with malware.

Researchers from Reason Labs recently detected a malicious campaign that spreads malware disguised as a “Coronavirus map”. The attackers set up coronavirus-themed websites that prompt visitors to download an application to keep them updated on the situation. On its front end, the application shows a map loaded from a legitimate online source, but in the background it installs a malicious file on the victim’s computer.

The malware used in this campaign is AZORult, an information stealer capable of extracting browsing history, cookies, IDs and passwords, and cryptocurrency wallet data, as well as downloading additional malware. Discovered in 2016, AZORult is commonly sold on Russian underground forums for the purpose of collecting sensitive data from infected computers. There is also a variant of AZORult that creates a new, hidden administrator account on the infected machine in order to allow Remote Desktop Protocol (RDP) connections.

Analysis of the malware showed that it arrives as a file named Corona-virus-Map.com.exe. Once the file is executed, a window opens that displays various information about the COVID-19 outbreak; the design of the map closely resembles the one hosted by Johns Hopkins University.

When Corona-virus-Map.com.exe runs, it creates duplicates of itself along with multiple copies of Corona.exe, Bin.exe, Build.exe, and Windows.Globalization.Fontgroups.exe. It then launches the processes Bin.exe, Windows.Globalization.Fontgroups.exe, and Corona-virus-Map.com.exe, which attempt to connect to several URLs.
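The dropped-file and process names listed above are the kind of indicators a defender can turn into a simple triage check over endpoint telemetry. The following script is an added example and is not code from the original article or from Reason Labs: it parses a constructed, simplified Sysmon-style key=value log (event 1 = process creation, event 3 = network connection, event 11 = file creation), flags any process whose image basename matches one of the names reported for this campaign, and reconstructs the parent chain, dropped files and outbound connections for each hit. The log format, file paths, PIDs and IP addresses are all invented for the illustration; only the executable names come from the write-up.

```python
import re
from collections import defaultdict

# Executable names reported for this campaign in the write-up above.
# Matching is done on the lower-cased basename of the image path.
CAMPAIGN_IMAGES = {
    "corona-virus-map.com.exe",
    "corona.exe",
    "bin.exe",
    "build.exe",
    "windows.globalization.fontgroups.exe",
}

# Constructed sample telemetry (hypothetical paths, PIDs and addresses) in a
# simplified Sysmon-like key=value layout. Not real log data.
SAMPLE_LOG = r"""
event=1 pid=4101 ppid=880 image=C:\Users\alice\Downloads\Corona-virus-Map.com.exe
event=11 pid=4101 target=C:\Users\alice\AppData\Local\Temp\Corona.exe
event=11 pid=4101 target=C:\Users\alice\AppData\Local\Temp\Bin.exe
event=11 pid=4101 target=C:\Users\alice\AppData\Local\Temp\Build.exe
event=11 pid=4101 target=C:\Users\alice\AppData\Local\Temp\Windows.Globalization.Fontgroups.exe
event=1 pid=4112 ppid=4101 image=C:\Users\alice\AppData\Local\Temp\Corona.exe
event=1 pid=4120 ppid=4101 image=C:\Users\alice\AppData\Local\Temp\Bin.exe
event=1 pid=4133 ppid=4101 image=C:\Users\alice\AppData\Local\Temp\Windows.Globalization.Fontgroups.exe
event=1 pid=4150 ppid=880 image=C:\Program Files\Mozilla Firefox\firefox.exe
event=3 pid=4120 dst=198.51.100.7:80
event=3 pid=4133 dst=203.0.113.9:443
event=3 pid=4150 dst=192.0.2.10:443
"""

# key=value pairs; values may contain spaces (e.g. "Program Files"), so a value
# runs until the next " key=" token or the end of the line.
PAIR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return {key: value for key, value in PAIR_RE.findall(line.strip())}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(log_text):
    """Return one alert per process whose image matches a campaign indicator.

    Each alert carries the process image, its parent's image (if the parent
    was seen in the log), files it created and destinations it connected to.
    """
    procs = {}                       # pid -> process-creation record
    dropped = defaultdict(list)      # pid -> basenames of files it created
    conns = defaultdict(list)        # pid -> "ip:port" destinations

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        event = rec.get("event")
        if event == "1":
            procs[rec["pid"]] = rec
        elif event == "11":
            dropped[rec["pid"]].append(basename(rec["target"]))
        elif event == "3":
            conns[rec["pid"]].append(rec["dst"])

    alerts = []
    for pid, rec in procs.items():          # insertion order = log order
        image = basename(rec["image"])
        if image not in CAMPAIGN_IMAGES:
            continue
        parent = procs.get(rec.get("ppid"))
        alerts.append({
            "pid": pid,
            "image": image,
            "parent": basename(parent["image"]) if parent else None,
            "dropped": dropped.get(pid, []),
            "connections": conns.get(pid, []),
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Running the block over the constructed log flags the dropper and its three child processes, attributes the four dropped files to the dropper's PID, and attaches the outbound connections to Bin.exe and Windows.Globalization.Fontgroups.exe while leaving the unrelated browser process alone. In a real deployment the names would be one weak indicator among several; the parent-child chain (a user-downloaded executable spawning binaries from a temp directory that then reach out to the network) is the more durable signal.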

Currently the malware only affects computers running Windows, but the researchers believe that a new version aimed at other operating systems might emerge soon.
