12 Mar 20

Live Coronavirus Map Used to Spread Malware

Cybercriminals constantly latch on to news items that captivate the public’s attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the Coronavirus/COVID-19 pandemic in a bid to infect computers with malicious software.

A recent snapshot of the Johns Hopkins Coronavirus data map, available at coronavirus.jhu.edu.

In one scheme, an interactive dashboard of Coronavirus infections and deaths produced by Johns Hopkins University is being used in malicious Web sites (and possibly spam emails) to spread password-stealing malware.

Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme. The kit costs $200 if the buyer already has a Java code signing certificate, and $700 if the buyer wishes to just use the seller’s certificate.

“It loads [a] fully working online map of Corona Virus infected areas and other data,” the seller explains. “Map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!”

The sales thread claims the customer’s payload can be bundled with the Java-based map into a file type that most Webmail providers allow in sent messages. The seller claims in a demonstration video that Gmail also allows it, but the video shows Gmail still warns recipients that downloading the specific file type in question (obscured in the video) can be harmful. The seller says the user/victim has to have Java installed for the map and exploit to work, but that it will work even on fully patched versions of Java.

“Loader loads .jar files which has real working interactive Coronavirus realtime data map and a payload (can be a separate loader),” the seller said in the video. “Loader can predownload only map and payload will be loaded after the map is launched to show map faster to users. Or vice versa payload can be predownloaded and launched first.”

It’s unclear how many takers this seller has had, but earlier this week security experts began warning of new malicious Web sites being stood up that used interactive versions of the same map to distract visitors while the sites tried to foist the password-stealing AZORult malware.
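The kit described above is a signed .jar that carries a working map alongside a payload or a second loader, and a later comment from the author stresses that the map site itself was not hacked, only repackaged. A defender triaging a suspicious .jar attachment can check exactly those structural traits without executing anything. The following example is added here and is not code from the article or from any project; it uses only Python's standard `zipfile` module, and the sample archive it builds (entry names, the `PreLoader` Main-Class borrowed from the seller's quote, and the dummy signature bytes) is constructed for illustration. It does not verify the signature itself; that is what `jarsigner -verify` in the JDK is for. It only reports whether signature files are present and what kind of content sits beside them.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Signature block extensions a JAR signer writes next to the .SF file.
SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")
WEB_SUFFIXES = (".html", ".htm", ".js", ".css")


def triage_jar(jar_bytes: bytes) -> Dict[str, object]:
    """Summarise what a JAR bundles so a defender can see its shape at a glance.

    Returns a dict with:
      signed       - True if META-INF holds a .SF file and a signature block
      main_class   - Main-Class declared in MANIFEST.MF, or None
      classes      - count of compiled .class entries (executable code)
      web_content  - count of HTML/JS/CSS entries (what a 'map' would need)
      nested_jars  - paths of .jar entries inside the archive
      suspicious   - coarse heuristic: executable code or a Main-Class shipped
                     together with web content or a nested jar. A triage hint,
                     not a verdict; legitimate applets can look similar.
    """
    result: Dict[str, object] = {
        "signed": False,
        "main_class": None,
        "classes": 0,
        "web_content": 0,
        "nested_jars": [],
        "suspicious": False,
    }
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names: List[str] = zf.namelist()
        meta = [n for n in names if n.upper().startswith("META-INF/")]
        has_sf = any(n.upper().endswith(".SF") for n in meta)
        has_block = any(n.upper().endswith(SIGNATURE_BLOCK_SUFFIXES) for n in meta)
        result["signed"] = has_sf and has_block

        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Main-Class:"):
                    result["main_class"] = line.split(":", 1)[1].strip()

        result["classes"] = sum(1 for n in names if n.endswith(".class"))
        result["web_content"] = sum(1 for n in names if n.lower().endswith(WEB_SUFFIXES))
        result["nested_jars"] = [n for n in names if n.lower().endswith(".jar")]

    has_code = result["classes"] > 0 or result["main_class"] is not None
    has_lure = result["web_content"] > 0 or bool(result["nested_jars"])
    result["suspicious"] = has_code and has_lure
    return result


def build_sample_jar(lure: bool) -> bytes:
    """Construct an in-memory JAR for demonstration (not a real sample).

    lure=True mimics the layout the seller describes: a Main-Class, a signature,
    a map page and a nested payload jar. lure=False is plain web content only.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if lure:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: PreLoader\n")
            zf.writestr("META-INF/PRELOAD.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/PRELOAD.RSA", b"\x30\x82dummy-signature-block")
            zf.writestr("PreLoader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
            zf.writestr("payload.jar", b"PK\x05\x06" + b"\x00" * 18)  # empty nested zip
        else:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("map/index.html", "<html><body>map</body></html>")
        zf.writestr("map/app.js", "console.log('map');")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("lure" if flag else "benign", triage_jar(build_sample_jar(lure=flag)))
```

Run on a real attachment with `triage_jar(open(path, "rb").read())`. A `signed` result of True only means the archive carries signature files; who issued the certificate, and whether the signature actually validates, still has to come from `jarsigner -verify -verbose -certs`.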

As long as this pandemic remains front-page news, malware purveyors will continue to use it as lures to snare the unwary. Keep your guard up, and avoid opening attachments sent unbidden in emails — even if they appear to come from someone you know.

A tip of the hat to @holdsecurity for a heads up about this malware offering.


135 comments

  1. I think this is the legitimate site: https://coronavirus.jhu.edu/map.html

    But I see “not fully configured” in most of the modules. Anyone know why?

    • Johns Hopkins University (@JohnsHopkins), 14m ago: “We are aware of an issue with the COVID-19 dashboard not loading properly, and @JHUSystems is actively working to resolve the issue. We will tweet again once they have confirmed the site is back up and running.”

      • BJ,

        thank you for the update and thank you for John Hopkins for providing the COVID-19 map!

        Can the map show the counties again, or is it getting beyond the volume capacity of the maps? Knowing which parts of the state are affected is extremely useful information vs just having the number of cases in the state.

        Thank you again for the update,
        Julia

        • Hi Julia, I found this story map with ESRI (ArcMaps). It is really good if you want to look at the data by county.

          https://coronavirus-disasterresponse.hub.arcgis.com/app/557dcd77ad504d5faec7e2c5506c86e0

          I am looking for Data on Demographics (Age specifically) for US only. I realize other countries may not be held to the same standards, but I find it interesting that it isn’t hitting school age kids so much or is hitting them with less emphasis (so recovery is easier?) I just don’t know enough, hence the reason for my search. I wonder if the anyone has looked at that population in terms of Immunizations and/or a combination of several mandatory immunizations. Seems like an easy thing to track if hospitals are collecting and disseminating. Could it be possible to look at any combination of “ingredients” of childhood required shots to get in to school? I’m not a doctor or an intern, I’m just data analyst (junkie)

      • Thank you. I too have been following the updated maps and wondered why map was not current.

      • Any news about fixing the map? It is coming up 5 hours since your original post and the map has still not updated since this morning.

        Like Julia, I would like to see the counties/cities info breakdown again – I noticed this data disappeared (in several steps) earlier this week. (Please tell me it was not a political request!!)

        Also, it might avoid some confusion if you switched the time displayed on the map to UCT (formerly known as GMT).

        Thanks for creating the map!

      • BJ – it has been over 5 hours since your original post – any news about fixing the map? It still shows that it was updated this morning at 9:33 (EDT), but not since.

        It might be clearer if you used UCT for the time (formerly known as GMT).

        And as Julia says, any chance you can show the county/city names again, rather than just state and country? I saw this disappear in stages earlier this week (Please tell me it was not a political request!)

        Thanks for the map!

      • I find it highly suspicious that the map from JHU has become “infected”. Perhaps it’s the Wuhan virus that is affecting it? :-), or maybe the Government is trying to reduce panic by not allowing users to see the map anymore.

      • BJ, the map is working now (about 8pm EDT) and shows it was updated at 7:44 pm EDT. Almost. The Italian and (I think) the Chinese numbers have not changed since yesterday.

        • Nope, it is not working; it’s 9:20pm EDT and all it says is that this or that panel is not configured.

      • I think Trump and CIA stopped the page to prevent further outbreak

    • It started doing this to me in Firefox today but the site loads fine in Chrome, it had been working fine in Firefox before so not sure what happened.

    • LIVE Coronavirus Pandemic | Real Time Counter, World Map, News

      https://www.youtube.com/watch?v=qfoZi7rB9ZQ ………

  2. It is Johns Hopkins University. Note the “Johns”.

  3. Brian, reminds me how bad actors piggybacked on things like the aftermath of the tsunami in Indonesia, Michael Jackson’s death, fake IKEA bill notices and others. This is quite an evolution in that effort. I tell my students as long as there is a significant risk of threat actors using current events to gain user trust (and a myriad of other ways to compromise users), there will be work in the system/network security realm. Thanks for the great article.

  4. I believe the source for the Hopkins site is
    https://gisanddata.maps.arcgis.com

    Although at this time it reverts to a Hopkins login page.

  5. Proper spelling of Johns Hopkins University.

  6. Map is not working – Please let me know when it’s up.

  7. Thankfully I haven’t had Java installed for years – I feel sorry for folks that need it for application functionality.

  8. Good post, I will translate it to Spanish on my blog.

  9. Java!? Who’s using Java these days? Uninstall it as soon as possible. That by itself is a disease vector. In my case this original map doesn’t need any Java if you open it in a modern web browser (example Chrome or Firefox):
    https://coronavirus.jhu.edu/map.html

    It renders everything using HTML5/Canvas and JavaScript. So if you need to send it to someone just send that link.

  10. Do you see we were in final ….

  11. It’s not clear to me who is at risk. Is it JHU or us?

  12. What I get from the article is “danger”
    … without clear, direct instructions of what to do or not do.

    Please update the article with actionable information.

    thanks,
    Lewis

  13. I only use it at work…

  14. Christian B Talbert

    Been using this live stream from Youtube. https://www.youtube.com/watch?v=qgylp3Td1Bw
    It appears to be accurate but lacks some of the features of the John Hopkins site

  15. Hey Brian, this guy did quite a good deep-dive analysis of this particular malware on YouTube, so take a look:
    https://www.youtube.com/watch?v=NZSoNLRnJjs

    He dug all the way to the php-info file that gave him the server, the user name and the actual IPs where its C2 is hosted. There’s also a stats page from the malware showing the actual infections. Here’s a screenshot:
    https://i.imgur.com/GLatRHf.png

    I’m wondering, having all this info, maybe you’ll have any luck getting hold of someone at CloudFlare with a hope of shutting down the C2 server for this malware?

  16. Please tell me the sign and how can you see people who are affected

  17. Gee, I haven’t seen this much confusion in years. Any networking folks online that can straighten out the confusion here? The coders, as usual, have it all famboozled.

  18. Thank you Brian for alerting people to this. I suspected something was wrong beyond just being a bug and did a google search to inquire if their site had been compromised with malware. Your web page and article came up right away. It was informative and helpful. I appreciate it.
    Again, thank you for being out there!

    Robert

  19. If the java code is signed then there is a rogue CA out there somewhere that needs to be cleaned up. Who issued the signing cert to these criminals?

  20. Thanks for the map. It’s superb. Not loading correctly as of Fri 13 Mar 04.18 CET.

  21. Hi, I really want to ask
    Is it the same website : this one
    https://gisanddata.maps.arcgis.com/apps/opsdashboard/index.html

    And this one

    https://www.arcgis.com/apps/opsdashboard/index.html#/bda7594740fd40299423467b48e9ecf6

    Because I used the first one before. Because when you open the first one it’s the same as the second one ( John Hopkins).

    Do you know if it’s the same website or not ?

    Thank you

  22. “Please use the link above to continue reading this posting.
    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ”

    And 100% of us did.

    There’s the problem!

    Sure, we trust this site, but most folks trust the Johns Hopkins site too. As long as ‘Click here’ is our default behavior we can never stop the malicious link problem…even amongst security-conscious users.

    • Maybe I need to go back and look at what I wrote, but I’m amazed at how many readers here seem to think I was saying the Johns Hopkins map itself was hacked. That’s not the case, as far as I know. The attackers are merely repackaging the code for the site in a portable java file (.jar) and then bundling that with malware and either putting it up on their own site or emailing it to people via spam.

  23. Well, this is the site from which i am tracking the live corona virus status :

    https://ncovidmap.com

  24. Hi,

    Why Italy and Iran were removed from the statistics ?

    • I would like to know as well, it seems like quite a few countries have been removed: Italy, Iran, South Korea, Spain, Germany, Cruise Ship, Japan, Denmark, Sweden….the list goes on. Looks like about 30 are missing. Will they be restored?

  25. This may be the first Krebs article that I can remember, where the focus of the comments is on finding a working/updated map, rather than concern about the malware that may be injected by some of these maps.

    It truly shows the hysteria surrounding COVID-19, and why scams like these can be so successful.

    • Kenny Blankenship

      100% agreed. Maybe they should start covering the common cold and flu in the media as much as they have with COVID-19? I honestly think this mass hysteria is absolutely insane. I get that we don’t know a lot yet, but that’s the point: we don’t know; stop panicking. People are acting like it’s Armageddon.

      According to that map (https://coronavirus.jhu.edu/map.html) there are 67,786 confirmed cases in the most affected area — Hubei, China. A 3 second Google search found that there are 58.5 million people that live in Hubei. Maybe I’m crazy, but 0.12% of the total population in the most affected area seems like no reason to shut down schools, sporting events, and conferences in the United States.

  26. Why is Korea off the map?

  27. Yes, the total number of cases is way down because Italy, South Korea, Iran, Germany, etc. have been removed. Any news on why this is happening. This map was my go to for accurate information.

    • Data seems to have been restored.

    • I have started taking screenshots of the JH map.

      Canada is missing from the list too (yesterday had 117 cases).

      Spain has seen almost a doubling of cases, while US cases have DROPPED, from 1663 yesterday (at 7:44 pm EDT) to 1268 today (at 11:53 am EDT).

      An interesting article here about the pandemic scenario CSIS ran last fall (coronavirus no less!).

      https://www.politico.com/news/magazine/2020/03/07/coronavirus-epidemic-prediction-policy-advice-121172

      Take away points:
      1) travel bans were not effective in preventing disease spread, and only caused economic hardship, which made things worse, and
      2) mis-information/dis-information was the hardest thing to fight, and did the most damage to efforts to control the pandemic

  28. The data was around 1.7k in the U.S.; now it is 1.2k, and California’s data isn’t on there, plus other states.

  29. Map and stats designed by 17 year old; updated every minute.
    https://ncov2019.live/data