“Corona Antivirus” Software is Distributing Malware Backdoor

Malware-As-A-Service On The Dark web!

Even though the whole world is now worrying about the outbreak of COVID-19, hackers never stop attacking. In the Internet era, cybercriminals spend all of their effort trying to trap Internet users, and the catastrophic spread of COVID-19 has become an opportunity for them to spread malware and launch cyber attacks. This time it was a fake Windows antivirus called Corona Antivirus. The fake antivirus software, which was offered at antivirus-covid19[.]site and corona-antivirus[.]com, carries a malware payload that infects the system with the BlackNET RAT and adds it to a botnet. The first site has since been taken down; the other is still active, with altered contents and the malicious links removed. Anyone who fell for this would end up downloading an installer from antivirus-covid19[.]site/update.exe that deploys the BlackNET malware onto their system when launched. Fortunately, that link is now down.
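The two domains and the installer URL quoted above are the indicators a defender would want to sweep their web-proxy logs for. The following script is an added example, not code from the article or from LIFARS: it refangs the indicators exactly as they are written in the text, then matches them against proxy log lines. The log format (timestamp, client IP, method, URL, status) and every log line are constructed for illustration. It goes a little beyond the article's specific case by also catching subdomains of the listed domains and the host-only `CONNECT` entries that HTTPS traffic leaves in a proxy log, while refusing to match look-alike hosts that merely end in the same characters.

```python
"""Sweep web-proxy log lines for the Corona Antivirus indicators.

Added example; the indicators come from the article, the log format and
the sample lines below are constructed.
"""
import re
from urllib.parse import urlsplit

# Indicators of compromise quoted in the article, kept defanged as written.
DEFANGED_IOCS = [
    "antivirus-covid19[.]site",
    "corona-antivirus[.]com",
    "antivirus-covid19[.]site/update.exe",
]

# Constructed log shape: "<timestamp> <client> <METHOD> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def split_iocs(indicators):
    """Separate bare domains from (host, path) pairs for full URL indicators."""
    domains, paths = set(), set()
    for raw in indicators:
        ioc = refang(raw)
        if "/" in ioc:
            host, _, path = ioc.partition("/")
            paths.add((host, "/" + path))
        else:
            domains.add(ioc)
    return domains, paths


def host_matches(host: str, domains) -> bool:
    """True if host equals an IoC domain or is a subdomain of one.

    The leading dot in the suffix check keeps 'notcorona-antivirus.com'
    from matching 'corona-antivirus.com'.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def url_host_path(url: str):
    """Extract (hostname, path) from a logged URL or a host:port CONNECT target."""
    if "://" not in url:
        url = "//" + url  # CONNECT lines carry host:port with no scheme
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def scan_proxy_log(lines, indicators=DEFANGED_IOCS):
    """Return one finding per log line whose URL touches an IoC domain.

    A hit on the exact installer URL is rated 'high'; any other contact
    with a listed domain (or a subdomain of it) is rated 'medium'.
    """
    domains, paths = split_iocs(indicators)
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole sweep
        host, path = url_host_path(m["url"])
        if not host_matches(host, domains):
            continue
        severity = "high" if (host, path.lower()) in paths else "medium"
        findings.append({"client": m["client"], "host": host,
                         "path": path, "severity": severity})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2020-03-23T10:01:02Z 10.0.0.12 GET http://antivirus-covid19.site/update.exe 200",
    "2020-03-23T10:01:05Z 10.0.0.12 GET http://www.corona-antivirus.com/ 200",
    "2020-03-23T10:02:11Z 10.0.0.13 CONNECT corona-antivirus.com:443 200",
    "2020-03-23T10:03:00Z 10.0.0.14 GET https://example.org/index.html 200",
    "2020-03-23T10:03:30Z 10.0.0.15 GET http://notcorona-antivirus.com/ 200",
    "malformed line",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```

Run against real proxy exports, only the `LOG_LINE` pattern needs adapting to the local log format; the matching logic stays the same. Treat a `high` finding as a likely download of the installer and a `medium` finding as a reason to check the client for the BlackNET RAT.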

Researchers rated the BlackNET RAT as ‘skidware malware’ for the following reasons:

  • It can detect whether it is running inside a virtual machine.
  • It can sense the presence of commonly used analysis tools.
  • It comes with bot management features including restarting and shutting down an infected device, opening visible or hidden web pages, and uninstalling or updating the bot client.

Since BlackNET is programmed to add the infected device to a botnet, the actors can further take control of an infected system and use it for:

  • Launching DDoS attacks
  • Uploading files onto the compromised machine
  • Executing malicious scripts
  • Taking screenshots
  • Harvesting keystrokes using a built-in keylogger (also called LimeLogger)
  • Stealing bitcoin wallets
  • Harvesting browser cookies and passwords

Are you worried about cybersecurity attacks that may happen during remote working? The LIFARS Remote Worker Cyber Resilience Service can help you solve these problems. Our gap analysis testing, together with remediation guidance for your remote work cyber infrastructure, can protect remote workers from cyber attacks. The following LIFARS services are the ones you should consider for your remote workers. Each service includes a summary report of the current posture along with remediation guidelines:

  1. Daily T.R.U.T.H: Daily threat hunt of client infrastructure; detection of known threats and suspicious behavior; monthly, depending on the size of the employee population.
  2. Quick Remote Access Penetration Test: External testing of the remote access infrastructure; complete in 2 days.
  3. Remote Worker Device Assumed Breach Test: Internal testing of what a threat actor can do once a remote worker's device is compromised; security posture validation; verification of whether one compromised remote worker means a compromised infrastructure; complete in 2-3 days.
  4. Remote Vulnerability Access Audit: Audit of the overall configuration of the remote access infrastructure; complete in 2 days.
  5. Remote Worker Endpoint Protection: Deploy Fidelis or Carbon Black to remote endpoints for 30 days for free; daily monitoring for the endpoint only; monthly, depending on the size of the employee population.
  6. Remote Worker Workstation Hardening Guidelines: Review the configuration of remote workstations to understand their current cyber strength; prepare guidelines for hardening those devices; LIFARS can perform the hardening on demand; complete in 1 day.

Contact LIFARS immediately for the Remote Worker Cyber Resilience Service.