A malicious website claiming to be the live map for coronavirus/COVID-19 produced by Johns Hopkins University is circulating around the Internet. The website infects the user with the AZORult Trojan, an information-stealing program which can exfiltrate a variety of sensitive data. It is likely being spread via infected email attachments, malicious online advertisements, and social engineering. Anyone searching for a map of the coronavirus could unwittingly navigate to this malicious website. The correct address is https://coronavirus.jhu.edu/map.html.
A sample of the malware being deployed by “corona-virus-map[dot]com” was submitted and analyzed, and received the maximum threat score of 100/100, with antivirus (AV) detection at 76%. This sample was labelled by Hybrid-Analysis as a Trojan.
End users should be warned about this cybersecurity risk, and security teams should blacklist any indicators associated with this specific threat. IOCs and analysis may be found here: https://blog.reasonsecurity.com/2020/03/09/covid-19-info-stealer-the-map-of-threats-threat-analysis-report/
Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday, between 9am-5pm (EST), at (202) 691-2110.
If you have questions, please contact the Chatham Helpdesk at 412-365-1112.