March 12, 2020

Cybercriminals constantly latch on to news items that captivate the public’s attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the Coronavirus/COVID-19 pandemic in a bid to infect computers with malicious software.

A recent snapshot of the Johns Hopkins Coronavirus data map, available at coronavirus.jhu.edu.

In one scheme, an interactive dashboard of Coronavirus infections and deaths produced by Johns Hopkins University is being used in malicious Web sites (and possibly spam emails) to spread password-stealing malware.

Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme. The kit costs $200 if the buyer already has a Java code signing certificate, and $700 if the buyer wishes to just use the seller’s certificate.

“It loads [a] fully working online map of Corona Virus infected areas and other data,” the seller explains. “Map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!”

The sales thread claims the customer’s payload can be bundled with the Java-based map into a filename that most Webmail providers allow in sent messages. The seller claims in a demonstration video that Gmail also allows it, but the video shows Gmail still warns recipients that downloading the specific file type in question (obscured in the video) can be harmful. The seller says the user/victim has to have Java installed for the map and exploit to work, but that it will work even on fully patched versions of Java.

“Loader loads .jar files which has real working interactive Coronavirus realtime data map and a payload (can be a separate loader),” the seller said in the video. “Loader can predownload only map and payload will be loaded after the map is launched to show map faster to users. Or vice versa payload can be predownloaded and launched first.”
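A content-based check for the delivery method described above, as an added example (not code from the original article or from the kit): it flags attachments that are Java archives no matter what filename they travel under. The filenames and sample archives are constructed for illustration.

```python
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"              # first 4 bytes of every compiled .class file
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # JAR signature files under META-INF/

def java_archive_indicators(data):
    """Return reasons these bytes look like a Java archive, ignoring the filename."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return []
    reasons = []
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            upper = info.filename.upper()
            if upper == "META-INF/MANIFEST.MF":
                reasons.append("manifest")
                if b"main-class:" in zf.read(info).lower():
                    reasons.append("runnable")   # archive names an entry point to launch
            elif upper.startswith("META-INF/") and upper.endswith(SIG_SUFFIXES):
                reasons.append("signed")         # a signature is not evidence of safety
            elif upper.endswith(".CLASS") and zf.read(info)[:4] == CLASS_MAGIC:
                reasons.append("bytecode")
    return sorted(set(reasons))

def triage(filename, data):
    """Quarantine any attachment whose content is a Java archive, whatever it is called."""
    reasons = java_archive_indicators(data)
    disguised = bool(reasons) and not filename.lower().endswith(".jar")
    return {"quarantine": bool(reasons), "disguised": disguised, "reasons": reasons}

def _constructed_zip(members):
    """Build an in-memory ZIP from {name: bytes}; sample data constructed for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

SAMPLE_JAR = _constructed_zip({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nMain-Class: demo.Main\r\n",
    "META-INF/SAMPLE.SF": b"Signature-Version: 1.0\r\n",
    "demo/Main.class": CLASS_MAGIC + b"\x00\x00\x00\x34",
})
SAMPLE_DOCS = _constructed_zip({"notes.txt": b"plain zip, no Java content"})

if __name__ == "__main__":
    print(triage("map_update.dat", SAMPLE_JAR))   # constructed filename
    print(triage("notes.zip", SAMPLE_DOCS))
```

Because the check reads the archive's contents rather than its extension, a renamed file is still caught, and the `signed` indicator is reported separately so that a valid code signature is not mistaken for a reason to deliver the attachment.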

It’s unclear how many takers this seller has had, but earlier this week security experts began warning of new malicious Web sites being stood up that used interactive versions of the same map to distract visitors while the sites tried to foist the password-stealing AZORult malware.

As long as this pandemic remains front-page news, malware purveyors will continue to use it as a lure to snare the unwary. Keep your guard up, and avoid opening attachments sent unbidden in emails — even if they appear to come from someone you know.

A tip of the hat to @holdsecurity for a heads up about this malware offering.


135 thoughts on “Live Coronavirus Map Used to Spread Malware”

    1. Tylor

      Whoa..rare to find someone who spells their name the same.

  1. Eric

    Hello,
    Looks like this is meant to harm Windows OS. Any chance it can infect mobile devices, macOS…etc…?

    1. Rob

      It’s Java – it could attack anything java enabled inc MacOS.
      Probably the only thing it can’t attack is iOS.

  2. Becky Petersen

    So if I have looked at the website but haven’t opened any suspicious emails will I get the malware? I have used that one that was linked but not downloaded anything.

    How do I check? Please give us helpful info and don’t just scare us.

    1. SeymourB

      If you looked at the official map on the official site you’re fine.

      If you looked at a copy of the map shared on facebook or wherever and it was hosted on some sketchy webserver AND you for some reason still have Java installed in 2020, then… maybe.

  3. Arda Sengun

    Could this be considered as a data concern on this map?

  4. Newman Paul

    What is going on with the updates???? this AM it was showing 1700 infected and now in the PM shows 1200???? do you hide the actual numbers or you have incompetent staff working on the stats and updates? I do not feel I can trust your updates….maybe the govt is pushing you to fudge the numbers ?

    1. generic user

      I noticed that it went from 1700 cases this morning to only 1268 since then with data completely missing for FL, GA, TX, CO, CA especially in regard to the deaths……all of a sudden the data for the FL & CA deaths is absent. WHAT IS GOING ON WITH THIS THING?

    2. Jamie Welsh

      I know! I’ve been freaking out about it all day! I said it must have been corrupted by someone, ie the white house.

      1. generic user

        The site now currently says:

        “The COVID-19 map is currently undergoing maintenance. Thank you for your patience.”

        It hasn’t been updated since before 1 pm.

    1. Mike Romero

      That link is the real one. It is the same link I have been using since it was first reported by the associated press.

    2. Somebody

      I opened that one as well. Also wondering if I’ve been compromised.

  5. Patrick Brouillette

    It’s definitely a scary time, opportunists taking advantage of the situation at hand. A strong security infrastructure is important when things like this come about unexpectedly. Visit chisecuritysystems.com to learn more about how to defend against physical and electronic threats.

  6. PostToaster

    What’s even scarier is some of these comments.

  7. KAUSIKI DUTTA

    Thank you for the update and thank you to Johns Hopkins for providing the COVID-19 map.

    1. R

      No. That’s the actual link given out by Johns Hopkins from their own website. Everything else is a redirect.

  8. Ton024

    I would like to see a map where the number of illness cases is proportional to the number of inhabitants. These numbers say so little.
    And I would like to see a map comparing the number of new confirmed disease reports with the day(s) before. This gives you insight into the growth, leveling off or decline of the epidemic. If you then use colors with light red to dark red for increase, yellow for almost equal and green for a decreasing trend, you will better see the effects of the measures in the country.

    1. Walter

      Hi, friend:

      You are commenting on an article related to the spread of malware via sites posting information about the metrics of the COVID-19 pandemic, and not an article about said metrics. Your complaints would be better suited at the website from which the map originates, https://coronavirus.jhu.edu/map.html .

      Regards,

      W

  9. Ton024

    It is said that the disease is fatal for people over 80 years old who are already sick. Then I would like to see that translated into a graphic presentation. A graph with the number of deaths per age. Where you distinguish in 2 groups. Group A with serious health problems; Group B: Other. And this is presented in a stacked bar chart.

  10. veronica

    Whoa..rare to find someone who spells their name the same.

  11. duran

    Could this be considered as a data concern on this map?

  12. Carlos Weidemeyer

    DON’T CLICK – TITLE BROWSE ONLY

    It profounds me that humanity still seems to disregard ensuring their sources have integrity before clicking. Like a bunch of sexed up drunkards looking for a warm body they hand over the keys to all their real & personal property to someone they don’t even know. Like the virus, it is EVERYWHERE!

    r/covidmapping is no different. Updated off a gaming communication platform known as discord. The application is used to share a google map for members vetted by discords email into the closed group. Once vetted any member can update the map and generate cyber news links from any country. If there are embedded viruses in the cyber news link it is due to the unchecked wiki style of contributors to the google map that have exceeded 800 members all updating pinpoints on a map with weblinks. The only security is to ask these mostly unproficient cyber-security members to abide by rules. There is no code created to validate the integrity of sites linked… Only code to update the pin to the shared google map automatically and they seem to have their hands full just trying to keep people from reporting duplicated deaths and positive testers from non-governmental sources.

  13. NickDanger

    In a related vein, I’ve noticed one amusing (if it weren’t so cynical) “meta” attempt at exploiting the coronavirus situation: in late Feb, I was spammed by a “cybersecurity” company called Checkpoint.com, with a warning… about malware being spread by coronavirus-themed spam.

  14. shimatho

    Thanks for excellent information I was searching for this

  15. pat

    Is this a malware site?
    nCoV2019.live COVID -19 dashboard
    Supposedly it was put together by a 17 year old resident of Seattle.

  16. Shiv AD

    Please use virustotal.com for checking if a URL is malware.

    Please do not click on hyper-links sent via email/ facebook etc. Always ask for the actual web address, use virustotal for any doubts whether the URL is safe or not and accordingly decide.

    Virustotal is used by popular firewalls such as Checkpoint, Fortinet hence it is recommended.

  17. Farooq Qammar

    To deal with the Current Pandemic, Just Don’t Panic;
    Take the precautions to stay safe:
    •Be Informed and Updated
    •Less Socialization
    •Wash hands frequently
    •Avoid Touching Eyes, Mouth and Nose
    •Use Masks but don’t Stockpile them

  18. Alessio

    Sad to see that concern around this issue is being taken advantage of to spread malware.

Comments are closed.