March 12, 2020

Cybercriminals constantly latch on to news items that captivate the public’s attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the Coronavirus/COVID-19 pandemic in a bid to infect computers with malicious software.

A recent snapshot of the Johns Hopkins Coronavirus data map, available at coronavirus.jhu.edu.

In one scheme, an interactive dashboard of Coronavirus infections and deaths produced by Johns Hopkins University is being used in malicious Web sites (and possibly spam emails) to spread password-stealing malware.

Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme. The kit costs $200 if the buyer already has a Java code signing certificate, and $700 if the buyer wishes to just use the seller’s certificate.

“It loads [a] fully working online map of Corona Virus infected areas and other data,” the seller explains. “Map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!”

The sales thread claims the customer’s payload can be bundled with the Java-based map into a filename that most Webmail providers allow in sent messages. The seller claims in a demonstration video that Gmail also allows it, but the video shows Gmail still warns recipients that downloading the specific file type in question (obscured in the video) can be harmful. The seller says the user/victim has to have Java installed for the map and exploit to work, but that it will work even on fully patched versions of Java.

“Loader loads .jar files which has real working interactive Coronavirus realtime data map and a payload (can be a separate loader),” the seller said in the video. “Loader can predownload only map and payload will be loaded after the map is launched to show map faster to users. Or vice versa payload can be predownloaded and launched first.”
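The kit described above is a code-signed .jar that carries the legitimate map alongside a second archive holding the buyer's payload. As an added example (not code from this post, from the seller's kit, or from Johns Hopkins), the following Python script shows the triage a mail gateway or an analyst can perform on such an attachment without running it: a .jar is a ZIP archive, so it opens without Java installed; the files under META-INF reveal whether the archive claims a code signature and which block file carries the signer's certificate; the manifest names the entry point; and a nested archive stands out as a bundled payload. The sample jar, its entry names, the Main-Class name CoronaMapLoader and the signature bytes are all placeholders constructed here for the demonstration.

```python
"""Offline triage of a .jar attachment (added example; not code from the post,
the seller's kit, or Johns Hopkins).  A .jar is a ZIP archive, so it can be
inspected with the standard library and without Java installed."""
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")   # PKCS#7 signature block files
NESTED_SUFFIXES = (".jar", ".zip")             # a second archive packed inside


def build_sample_jar(signed: bool, nested_payload: bool) -> bytes:
    """Construct a toy jar in memory.  Entry names, the Main-Class and the
    signature bytes are placeholders made up for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(MANIFEST,
                     "Manifest-Version: 1.0\r\nMain-Class: CoronaMapLoader\r\n\r\n")
        if signed:
            # A signed jar carries a .SF digest file plus a .RSA/.DSA/.EC block
            # holding the signer's certificate chain (placeholder bytes here).
            jar.writestr("META-INF/SELLER.SF", "Signature-Version: 1.0\r\n\r\n")
            jar.writestr("META-INF/SELLER.RSA", b"\x30\x82placeholder-pkcs7")
        jar.writestr("CoronaMapLoader.class", b"\xca\xfe\xba\xbe placeholder")
        if nested_payload:
            jar.writestr("resources/payload.jar", b"PK placeholder second archive")
    return buf.getvalue()


def main_class(manifest_text: str):
    """Return the Main-Class attribute from manifest text, or None."""
    for line in manifest_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Main-Class":
            return value.strip()
    return None


def triage_jar(data: bytes) -> dict:
    """Summarise what a defender wants to know before the file is ever run."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        try:
            manifest = jar.read(MANIFEST).decode("utf-8", "replace")
        except KeyError:          # ZipFile.read raises KeyError for a missing entry
            manifest = ""
    # Signature metadata lives under META-INF/: one .SF per signer plus a block file.
    sig_files = [n for n in names if n.startswith("META-INF/") and n.endswith(".SF")]
    sig_blocks = [n for n in names
                  if n.startswith("META-INF/") and n.upper().endswith(SIG_BLOCK_SUFFIXES)]
    # A second archive inside the jar is the "payload (can be a separate loader)" pattern.
    nested = [n for n in names if n.lower().endswith(NESTED_SUFFIXES)]
    signed = bool(sig_files) and bool(sig_blocks)

    flags = []
    if not manifest:
        flags.append("no-manifest")
    if not signed:
        flags.append("unsigned")
    if nested:
        flags.append("nested-archive")
    return {
        "entries": names,
        "main_class": main_class(manifest),
        "signed": signed,
        "signature_blocks": sig_blocks,
        "nested_archives": nested,
        "flags": flags,
    }


if __name__ == "__main__":
    for label, blob in (("signed-with-payload", build_sample_jar(True, True)),
                        ("unsigned-plain", build_sample_jar(False, False))):
        print(label, triage_jar(blob))
```

The presence of .SF and .RSA entries only means the jar claims a signature; `jarsigner -verify -verbose -certs file.jar` from the JDK actually validates it and prints the signer. Even a valid signature only identifies who signed: the $700 tier of this kit is precisely the option to ship under the seller's own certificate, so "signed" is not "safe", and the nested archive is the more useful indicator here.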

It’s unclear how many takers this seller has had, but earlier this week security experts began warning of new malicious Web sites being stood up that used interactive versions of the same map to distract visitors while the sites tried to foist the password-stealing AZORult malware.

As long as this pandemic remains front-page news, malware purveyors will continue to use it as lures to snare the unwary. Keep your guard up, and avoid opening attachments sent unbidden in emails — even if they appear to come from someone you know.

A tip of the hat to @holdsecurity for a heads up about this malware offering.


135 thoughts on “Live Coronavirus Map Used to Spread Malware”

    1. BJ

      Johns Hopkins University (@JohnsHopkins), 14 minutes ago:
      “We are aware of an issue with the COVID-19 dashboard not loading properly, and @JHUSystems is actively working to resolve the issue. We will tweet again once they have confirmed the site is back up and running.”

      1. Julia

        BJ,

        thank you for the update, and thank you to John Hopkins for providing the COVID-19 map!

        Can the map show the counties again, or is that getting beyond the volume capacity of the maps? Knowing which parts of the state are affected is extremely useful information vs. just having the number of cases in the state.

        Thank you again for the update,
        Julia

        1. Trudi White

          Hi Julia, I found this story map with ESRI (ArcMaps). It is really good if you want to look at the data by county.

          https://coronavirus-disasterresponse.hub.arcgis.com/app/557dcd77ad504d5faec7e2c5506c86e0

          I am looking for data on demographics (age specifically) for the US only. I realize other countries may not be held to the same standards, but I find it interesting that it isn’t hitting school-age kids so much, or is hitting them with less emphasis (so recovery is easier?). I just don’t know enough, hence the reason for my search. I wonder if anyone has looked at that population in terms of immunizations and/or a combination of several mandatory immunizations. Seems like an easy thing to track if hospitals are collecting and disseminating. Could it be possible to look at any combination of “ingredients” of childhood required shots to get in to school? I’m not a doctor or an intern, I’m just a data analyst (junkie).

      2. rosie

        Thank you. I too have been following the updated maps and wondered why the map was not current.

      3. David

        Any news about fixing the map? It is coming up 5 hours since your original post and the map has still not updated since this morning.

        Like Julia, I would like to see the counties/cities info breakdown again – I noticed this data disappeared (in several steps) earlier this week. (Please tell me it was not a political request!!)

        Also, it might avoid some confusion if you switched the time displayed on the map to UCT (formerly known as GMT).

        Thanks for creating the map!

      4. David

        BJ – it has been over 5 hours since your original post – any news about fixing the map? It still shows that it was updated this morning at 9:33 (EDT), but not since.

        It might be clearer if you used UCT for the time (formerly known as GMT).

        And as Julia says, any chance you can show the county/city names again, rather than just state and country? I saw this disappear in stages earlier this week (Please tell me it was not a political request!)

        Thanks for the map!

      5. Abe

        I find it highly suspicious that the map from JHU has become “infected”. Perhaps it’s the Wuhan virus that is affecting it? :-), or maybe the Government is trying to reduce panic by not allowing users to see the map anymore.

      6. David

        BJ, the map is working now (about 8pm EDT) and shows it was updated at 7:44 pm EDT. Almost. The Italian and (I think) the Chinese numbers have not changed since yesterday.

        1. John Cunliffe

          Nope, it is not working; it’s 9:20pm EDT and all it says is that this or that panel is not configured.

      7. Mike

        I think Trump and the CIA stopped the page to prevent further outbreak.

    2. Jason

      It started doing this to me in Firefox today, but the site loads fine in Chrome. It had been working fine in Firefox before, so I’m not sure what happened.

  1. Joe

    It is Johns Hopkins University. Note the “Johns”.

  2. Richard

    Brian, reminds me how bad actors piggybacked on things like the aftermath of the tsunami in Indonesia, Michael Jackson’s death, fake IKEA bill notices and others. This is quite an evolution in that effort. I tell my students as long as there is a significant risk of threat actors using current events to gain user trust (and a myriad of other ways to compromise users), there will be work in the system/network security realm. Thanks for the great article.

      1. John D Brown

        No, dumb dumb. The map actually is currently down.

          1. Jennifer

            It is not “working fine” – the last update time is 9:33am and it is usually updated at least once per hour, if not more often (sometimes every 15 minutes).

          2. Ryan

            The map works, but the issue is that it hasn’t been updated since 8:33 this morning. So far it’s been practically real-time: you can refresh and then a few minutes or an hour later refresh again to see the rate of change, etc.

          3. Nathan Norris

            This link seems to shed light. I found it by typing in the complete url of concern in a search engine. ESRI.com seemed to explain it very well.

          4. abe

            I’m not sure what you’ve been smoking, but that map does not update anymore.

          5. Dan

            Does this threat apply to android phones as well?

          6. Zach Morgan

            I sent the URL https://www.arcgis.com/apps/opsdashboard/index.html#/bda7594740fd40299423467b48e9ecf6 to many of my friends. A few of them were crapping themselves after reading some vague alerts about this scam and texting me late into the night. I verified the site through the ESRI proprietary ArcGIS software page, and also believe the same legit site is hosted on that domain as well.

            Mr. Krebs, can you confirm this is also a legit URL to access the data safely? Thank you.

  3. JCitizen

    Thankfully I haven’t had Java installed for years – I feel sorry for folks that need it for application functionality.

  4. Dennis

    Java!? Who’s using Java these days? Uninstall it as soon as possible. That by itself is a disease vector. In my case this original map doesn’t need any Java if you open it in a modern web browser (for example Chrome or Firefox):
    https://coronavirus.jhu.edu/map.html

    It renders everything using HTML5/Canvas and JavaScript. So if you need to send it to someone just send that link.

  5. Lewis

    What I get from the article is “danger”
    … without clear, direct instructions of what to do or not do.

    Please update the article with actionable information.

    thanks,
    Lewis

    1. Phil

      The very last sentence states clearly enough what to do or not do.

  6. Dennis

    Hey Brian, this guy did quite a good deep-dive analysis of this particular malware on YouTube, so take a look:
    https://www.youtube.com/watch?v=NZSoNLRnJjs

    He dug all the way to the php-info file that gave him the server, the user name and the actual IPs where its C2 is hosted. There’s also a stats page from the malware showing the actual infections. Here’s a screenshot:
    https://i.imgur.com/GLatRHf.png

    I’m wondering, having all this info, maybe you’ll have any luck getting hold of someone at CloudFlare with a hope of shutting down the C2 server for this malware?

  7. Rich Goeken

    Gee, I haven’t seen this much confusion in years. Any networking folks online that can straighten out the confusion here? The coders, as usual, have it all bamboozled.

  8. Robert

    Thank you Brian for alerting people to this. I suspected something was wrong beyond just being a bug and did a google search to inquire if their site had been compromised with malware. Your web page and article came up right away. It was informative and helpful. I appreciate it.
    Again, thank you for being out there!

    Robert

  9. Hank

    If the java code is signed then there is a rogue CA out there somewhere that needs to be cleaned up. Who issued the signing cert to these criminals?

  10. Ed Manley

    “Please use the link above to continue reading this posting.
    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ”

    And 100% of us did.

    There’s the problem!

    Sure, we trust this site, but most folks trust the Johns Hopkins site too. As long as ‘Click here’ is our default behavior we can never stop the malicious link problem…even amongst security-conscious users.

    1. BrianKrebs Post author

      Maybe I need to go back and look at what I wrote, but I’m amazed at how many readers here seem to think I was saying the Johns Hopkins map itself was hacked. That’s not the case, as far as I know. The attackers are merely repackaging the code for the site in a portable java file (.jar) and then bundling that with malware and either putting it up on their own site or emailing it to people via spam.

  11. Hakan

    Hi,

    Why were Italy and Iran removed from the statistics?

    1. Brandon

      I would like to know as well, it seems like quite a few countries have been removed: Italy, Iran, South Korea, Spain, Germany, Cruise Ship, Japan, Denmark, Sweden….the list goes on. Looks like about 30 are missing. Will they be restored?

  12. CW

    This may be the first Krebs article that I can remember, where the focus of the comments is on finding a working/updated map, rather than concern about the malware that may be injected by some of these maps.

    It truly shows the hysteria surrounding COVID-19, and why scams like these can be so successful.

    1. Kenny Blankenship

      100% agreed. Maybe they should start covering the common cold and flu in the media as much as they have with COVID-19? I honestly think this mass hysteria is absolutely insane. I get that we don’t know a lot yet, but that’s the point: we don’t know; stop panicking. People are acting like it’s Armageddon.

      According to that map (https://coronavirus.jhu.edu/map.html) there are 67,786 confirmed cases in the most affected area — Hubei, China. A 3 second Google search found that there are 58.5 million people that live in Hubei. Maybe I’m crazy, but 0.12% of the total population in the most affected area seems like no reason to shut down schools, sporting events, and conferences in the United States.

  13. Jennifer

    Yes, the total number of cases is way down because Italy, South Korea, Iran, Germany, etc. have been removed. Any news on why this is happening? This map was my go-to for accurate information.

    1. David

      I have started taking screenshots of the JH map.

      Canada is missing from the list too (yesterday had 117 cases).

      Spain has seen almost a doubling of cases, while US cases have DROPPED, from 1663 yesterday (at 7:44 pm EDT) to 1268 today (at 11:53 am EDT).

      An interesting article here about the pandemic scenario CSIS ran last fall (coronavirus no less!).

      https://www.politico.com/news/magazine/2020/03/07/coronavirus-epidemic-prediction-policy-advice-121172

      Take away points:
      1) travel bans were not effective in preventing disease spread, and only caused economic hardship, which made things worse, and
      2) mis-information/dis-information was the hardest thing to fight, and did the most damage to efforts to control the pandemic

  14. Sarahi

    The data was around 1.7k in the U.S.; now it is 1.2k, and California’s data isn’t on there, plus other states.

    1. Mark

      As well as Australia. Hopefully they can get this sorted soon if they want to be taken seriously.
