Stay Safe Online – An Important Message from IT

Hello Pima JTED Community,

Summary

COVID-19 Internet scams are circulating and multiplying quickly. Attackers worldwide are taking advantage of this pandemic and using the names of the Centers for Disease Control, the World Health Organization and other legitimate organizations to steal your information for financial gain.

JTED Tech Line: (520) 209-1569

We care about you and are here to help you! To assist you better during this crisis, we have established a new Tech Line and Tech Email Group where you can reach us directly at 520-209-1569 or Tech@Pimajted.org with any technical questions. All members of the IT staff will be able to receive your emails and voicemails when we can’t get to you. Please remember to leave us your name and a good callback number so we can call you back.
—————

A malicious website pretending to be the live map for Coronavirus COVID-19 Global Cases by Johns Hopkins University is circulating on the internet waiting for unwitting internet users to visit the website (corona-virus-map[dot]com). Visiting the website infects the user with the AZORult trojan, an information stealing program which can exfiltrate a variety of sensitive data. It is likely being spread via infected email attachments, malicious online advertisements, and social engineering. Furthermore, anyone searching the internet for a Coronavirus map and other information could unwittingly navigate to this malicious website.
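The domain above is written in "defanged" form (corona-virus-map[dot]com) so that it cannot be clicked or auto-linked by mistake. The following added example, which is not part of this message and not an IT department tool, shows how a defender can parse defanged and normal URLs, normalize them to a hostname, and check them against a small blocklist. It assumes a blocklist containing only the domain named in this message and a short constructed sample email body for demonstration.

```python
import re
from urllib.parse import urlparse

# The single hostname reported in this advisory, kept defanged on purpose.
BLOCKLIST_DEFANGED = ["corona-virus-map[dot]com"]

# Constructed sample email body (not a real message) used to exercise the scanner.
SAMPLE_EMAIL = """\
Check the live map here: hxxp://corona-virus-map[.]com/index.html
Official data: https://coronavirus.jhu.edu/map.html
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [dot]) back into its real form."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = re.sub(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"\[:\]", ":", s)
    return s


def defang_host(host: str) -> str:
    """Defang a bare hostname so it is safe to paste into reports."""
    return host.replace(".", "[.]")


def hostname_of(url_or_host: str) -> str:
    """Return the lower-case hostname of a URL or bare host, refanging first."""
    s = refang(url_or_host)
    if "://" not in s:
        s = "http://" + s  # urlparse needs a scheme to find the netloc
    host = urlparse(s).hostname or ""
    return host.lower().rstrip(".")


def is_blocked(url_or_host: str, blocklist=BLOCKLIST_DEFANGED) -> bool:
    """True if the host equals a blocklisted domain or is a subdomain of one."""
    host = hostname_of(url_or_host)
    blocked = {hostname_of(b) for b in blocklist}
    return any(host == b or host.endswith("." + b) for b in blocked)


def find_blocked_links(text: str, blocklist=BLOCKLIST_DEFANGED) -> list:
    """Scan free text for URL-like tokens and report blocked hosts, defanged."""
    hits = []
    for token in re.findall(r"\S+", text):
        token = token.rstrip(".,;:!?)")
        candidate = refang(token)
        # Accept only tokens that look like a URL or a domain name.
        if not re.fullmatch(r"(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?", candidate):
            continue
        if is_blocked(candidate, blocklist):
            hits.append(defang_host(hostname_of(candidate)))
    return hits


if __name__ == "__main__":
    for host in find_blocked_links(SAMPLE_EMAIL):
        print("blocked host found in message:", host)
```

The scanner matches subdomains as well as the exact host, so a lookalike such as www.corona-virus-map.com is caught, while the legitimate Johns Hopkins site is not. Hits are printed defanged, which keeps any report or ticket that quotes them safe to read.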

As global awareness of a Coronavirus pandemic gradually gives way to full-out panic, and as governments begin ramping up their efforts to combat the virus and protect their citizens, global news agencies find themselves racing to answer the public’s demand for accurate information about new Corona-related infections, deaths, transmissions, etc.

This demand creates a vulnerability that malicious actors have quickly taken advantage of by spreading malware disguised as “Coronavirus maps, websites, apps and attachment information”. Reason Labs’ cybersecurity researcher, Shai Alfasi, found and analyzed this malware, which had weaponized coronavirus map applications in order to steal credentials such as usernames, passwords, credit card numbers and other sensitive information stored in the users’ browser. Attackers can use this information for many other operations as well, such as selling it on the deep web or gaining access to bank accounts or social media.

The new malware activates a strain of malicious software known as AZORult. AZORult is an information stealer and was first discovered in 2016. It is used to steal browsing history, cookies, IDs/passwords, cryptocurrency and more. It can also download additional malware onto infected machines. AZORult is commonly sold on Russian underground forums for the purpose of collecting sensitive data from an infected computer. There is also a variant of AZORult that creates a new, hidden administrator account on the infected machine in order to allow Remote Desktop Protocol (RDP) connections.

As the coronavirus continues to spread and more apps and technologies are developed to monitor it, we will likely be seeing an increase in corona malware and corona malware variants well into the foreseeable future.

If you have any questions about this communication, please send me an email. If you have non-critical technical issues, you can continue submitting those using our InfoHub ticket system. Please make sure that you continue to monitor your email for more communications.

Abel Vázquez

Director of Technology