RealTime Cyber Threat Advisory RE: COVID-19 Live Map Downloads Delivering Malware


There has been an increase in cyber criminals weaponizing fears concerning the Coronavirus
to deliver malware. Delivery of this malware is done largely through spam email campaigns
where users receive emails with deceptive text and attached files (usually Microsoft Office
files). When a user clicks on the attachment, they are prompted to enable macro commands
in order for the file to load properly. If macros are enabled the attachment executes
commands in the background to download and install malware, which the user may be
completely unaware of. To raise awareness of these potential exploit attempts SKOUT’s
Security Operations Center has analyzed a publicly available malware sample of a
weaponized “live Coronavirus Map” download, which was used to deliver the malware variant
known as “AZORult”.

The malware sample analyzed provides a convincing user interface to masquerade as the
legitimate Coronavirus live map created by John Hopkins CSSE[1]. The map updates in real
time which does give off appearance of legitimacy, however it is seen connecting to domains
other than the original URL “www[.]arcgis[.]com”. These domains include
“coronvirusstatus[.]space” and other domains following the nomenclature of
“*[.]arcgis[.]com”. Thousands of coronavirus domains have been registered in recent weeks,
with security researchers at Check Point releasing a report stating that over 4,000
coronavirus-related domains registered globally since January 20, 2021
. Users seeking the map should ensure they are downloading the legitimate live map1
by checking the domain in the URL to ensure it is legitimate and not potentially harboring AZORult.
AZORult is a banking malware trojan that can steal personally identifiable information (PII)
including usernames/password, cookies, credit card details, cryptocurrency and other
sensitive information that is stored in the user’s browser. Additionally, the malware creates a
new, hidden administrator account on affected devices which attackers can use to connect to
the device over Remote Desktop Protocol (RDP).

When downloaded, there are two files that are self-extracted with hard-coded passwords to enable auto execution without the user’s
knowledge. Once executed, a unique ID is created to identify the device, saved passwords
are decrypted and C2 communication is started. This communication will provide target web
browser names, API names, DLLs, and sqlite3 queries to store and export information.

• Verify the authenticity of websites before downloading any software.
• Organization should implement two factor authentication for all account and a strong
password policy.
• Provide security awareness training to users to spot phishing emails.
• Utilize a strong next-gen endpoint protection that blocks malware such as RealTime
Endpoint Protection.
• Utilize email protection service that can spot malicious emails and attachment before
users interact with it such as RealTime Email Protection.
• Ensure users have the least amount of privileges on their accounts.
• Turn off macros in Microsoft Office. Documents that require macros should never be
received through email.
• Use a trusted web proxy, this will typically block connections attempting to be made to
malware command and control (CnC) servers.
• Make sure your system is kept up to date with the latest patches and updates.

For more in-depth information about the recommendations, please visit the following

If you have any questions, please contact RealTime for futher help.

Sharing is caring!