Scammers used Johns Hopkins coronavirus map to spread malware

corona-virus-map.com scam. Source: Malwarebytes

A novel coronavirus, COVID-19, has spread to all continents except Antarctica, and people are looking online for live updates on whether there is an outbreak in their neighbourhood. One of the first maps to start tracking the novel coronavirus was made by the Center for Systems Science and Engineering (CSSE) at Johns Hopkins University (JHU). The map became popular really fast. And when something is popular, whether it is the latest game or a coronavirus map, there are bad people out there who will try to use it for their own gain.

So be careful which website's map you trust, because you may catch the latest infection, and the name of this infection is Corona-Virus-Map.com.

People at Malwarebytes say that they have found malicious code hiding behind a website that claimed to show an up-to-date global heatmap of coronavirus reports. And, according to KnowBe4, viruses and malware similar to corona-virus-map.com are spreading through phishing emails, untrustworthy sites, and spam campaigns (“urgent”, “important”, “re”, “official”).

Who is behind corona-virus-map?

The domain corona-virus-map.com was registered on February 1, 2020 at the GoDaddy domain registrar, while its nameservers are based in Russia. The fake Johns Hopkins site is probably scraping the original site to keep its data updated in real time, while in the background something else is lurking and waiting for victims.

But according to one of the readers at GrahamCluley, this malware is actually a console app installed via an executable. It does two things:

A. Launches a webbrowser control that points to the (legitimate) Johns Hopkins Corona Virus Dashboard

B. Then, using the Dashboard as a decoy, it installs malware and reports back to a C&C server.

Furthermore, according to PCrisk, Corona-Virus-Map.com is not the address of a website; it is the name of a malicious program. It is classified as a trojan, or more specifically a “backdoor” trojan. This type of malware is designed to cause chain infections, in other words, to stealthily download and install additional malicious programs. Corona-Virus-Map.com is presented as a piece of software that lets users view the spread of the coronavirus epidemic in real time. Instead, this trojan proliferates the AZORult malware (an information-stealing malicious program).

AZORult malware can steal log-ins and passwords, and trojans are designed to stealthily infiltrate the victim’s computer and remain silent.

The Secret Service issued guidance urging the public to use vigilance during the coronavirus outbreak, saying that: “…Criminals are exploiting the charitable spirit of individuals, seeking donations to fraudulent causes surrounding the Coronavirus. Increased caution should be exercised when donating to charitable organizations.”

Stay safe.