Coronavirus-Themed Destructive Wiper Malware

Malicious actors are leaving no technique unturned as they continue to predictably use every conceivable method to wage their coronavirus-themed attack campaigns. While the ploys are the same, the deluge of themed attacks is unprecedented. Therefore, it should come as no surprise that malware authors would eventually develop successful disk wiping malware designed around a coronavirus theme.

Thus far, there have reportedly been two COVID-themed malware samples observed successfully overwriting the MBR (master boot record) rendering devices unusable. On March 12, BleepingComputer reported on a Kpot Infostealer that was masquerading as CoronaVirus Ransomware which ultimately overwrote the MBR after stealing user credentials. The tactic was similar to the NotPetya campaign in 2017 where users were presented with a ransom note, but with no instructions or ability to view the note again after the computer rebooted and the MBR was overwritten; the ransomware was just a façade. This week, researchers from cybersecurity firm SonicWall reported on a trojan sample called “coronavirus” that simply overwrites the MBR. There is no façade; once a device is infected with the “coronavirus” trojan, the malware displays a window with the coronavirus image that states “coronavirus has infected your PC!” while the malware continues working in the background to overwrite the MBR. Once the MBR has been overwritten, upon reboot the computer returns a grey screen that displays “Your Computer Has Been Trashed.”

Disk wiping, or overwriting the MBR is a technique commonly seen with advanced threat actors, as it takes a higher-degree of technical knowledge to futz with the master boot record. Likewise, as state-sponsored actors have been observed jumping on the coronavirus-themed malware lure bandwagon, this technique is something more in their wheelhouse than the work of common cybercriminals. More information on disk wiping, including threat groups observed using it, can be found in the MITRE ATT&CK Disk Structure Wipe technique.

At present there is reportedly no fix, patch, or inoculation for the “coronavirus” trojan. The best defense is a good data backup along with effective restoration procedures. Read more at ZDNet