March 18, 2020
What's the issue?
We recently warned about the exploitation of the global COVID-19 pandemic in the form of malicious health advisory emails. In that alert we referred to the Johns Hopkins Coronavirus COVID-19 map. It is now reported that it is being indirectly exploited.
Numerous legitimate organizations around the world and hundreds of millions of citizens access the map to monitor the state of the COVID-19 pandemic. According to Johns Hopkins there have been "1.2 billion daily [feature] requests in early March. A "feature request" represents the number of times visitors have accessed the underlying data while visiting the dashboard. Since Feb 19, the dashboard has been visited from nearly every country in the world, including North Korea, Iran and Cuba".
While access to the correct map directly is not a risk, some threat actors have used the ability to embed the map in their website as a lure to their malicious site. In other cases, they have re-created a similar looking map. Hackers are targeting people who are searching for this map and directing them to a malicious version of the map to trick them to download malware on to their device. The malicious file is usually named as "Corona-virus-Map.com.exe" and inside contains a malware called AZORult. It is an information stealing malware targeting the usernames, passwords, credit card information, and other information that is saved on the victims Internet browser.
The Johns Hopkins Coronavirus COVID-19 Global Cases map itself is not malicious and does not contain malware. ESRI, the provider of geographic information system for the John Hopkins map, has reassured that the real online map "does NOT contain any malware (and NEVER contained malware)."
What should I do?
To access the map with certainty that you are on the legitimate site, search for Johns Hopkins University COVID-19 map and ensure you are only accessing and bookmarking it directly from their site. This is the legitimate web address https://coronavirus.jhu.edu/map.html. If you land on a version of the Johns Hopkins map and it asks you to download anything, do NOT download and immediately close the browser.
As added protection, protect your computer:
- Ensure you have a fully patched computer, operating system, office suite, web browser, utility apps like Adobe and Java, and a powerful and up-to-date anti-malware suite
- Be aware of the threat and train your team not to trust any sites that offer the map that are unknown to them or unverifiable, and do not click on any links or download any software you cannot confirm as legitimate
In the interests of public safety, please feel free to share this NPC Security Alert at will.