Java-based malware found on digital Coronavirus maps

Hackers are replicating an interactive dashboard showing the global spread of the novel coronavirus and its associated disease COVID-19 – and infecting it with malware, according to Forbes.

The malicious dashboard has been appearing on several websites, as well as in spam emails. It uses a Java-based program called AZORult to steal passwords and other personal information.  

A close resemblance

The original dashboard was designed by a team at Johns Hopkins University to show positive tests for the coronavirus and deaths from COVID-19 in an easy-to-use, interactive map. The malware-filled replica was designed to have several of the same abilities as the original map, including interactive features and real-time information from the World Health Organization (WHO).

The fake dashboard first appeared on a Russian-language cybercrime forum, where a seller was offering it as a kit for hackers for $200, according to Krebs on Security. While the malicious dashboard utilizes AZORult, a program that has been known for about four years, the program's seller claimed that the dashboard would still be able to sidestep detectors on programs like Gmail. (So far it is unclear if this is always the case.)

The poster selling the malicious map also described the threat as being very simple to implement, Krebs on Security noted.

"[The] loader loads .jar files which has real working interactive Coronavirus real-time data map and a payload … [The] loader can predownload only [the] map and payload will be loaded after the map is launched to show map faster to users. Or vice versa payload can be predownloaded and launched first," Krebs' post explained.

Malware that uses AZORult is capable of stealing large quantities of important data. The program works by creating an ID for each individual infected workstation, thus opening limited access that can eventually be expanded. This particular wave of malware has largely been performing credential theft by moving passwords into a temporary Windows folder.


This particular threat is not the only one that is designed to replicate Johns Hopkins University's interactive coronavirus map. According to Forbes, an unrelated butsimilar-looking threat contains ransomware that puts phones in lockdown until payment is made. It arrives in the form of an app, rather than as links in a phishing email.

Johns Hopkins University has put out a statement clarifying that their original map does not have any attached malware and is completely safe for use.

"We have contacted other resources about this issue and will continue to monitor it closely. The malicious executable was removed from its initial download location hosted on a malicious site (not managed by Esri or Johns Hopkins), but it may appear again," read the statement.

Preying on global fears

The issue of Coronavirus-themed malware comes as COVID-19 has made its presence felt all across the globe. The disease originated in the Wuhan province of China during the final days of 2019, but its presence has since been reported in 163 countries and territories, as well as on cruise ships on international waters. Almost 200,000 cases have been reported worldwide, leading to almost 8,000 confirmed deaths.

Coronavirus is able to spread very easily from person to person ,and so far seems to have a death rate significantly higher than a typical outbreak of the flu (to which it bears many similarities). As a result, many facets of daily life in heavily affected countries have shut down almost completely, with people who have potential symptoms encouraged to self-quarantine themselves for the safety of others. Over a short period of time, many American states and cities began closing schools, restaurants, bars, sports games, and other places and events where larger crowds are common.

The Centers for Disease Control and Prevention currently recommend hand washing and avoiding other people as much as possible, also known as social distancing, as the best measures to take to prevent the spread of the virus. 

With its global reach, high death rate and massive social and economic ramifications, it's no wonder that people want to gather as much information as possible about the COVID-19. Malware that takes advantage of global fears will most likely be a continued problem in the coming months.   

Terminal emulation that you can trust

This issue is also a prime example of the shortcomings of Java. The rise of Java-based malware that takes advantage of the current Coronavirus pandemic is hardly the first time the programming language's shortcomings have been exploited. While Java has been used as an essential building block for many programs, its common use means that hackers can easily find vulnerabilities in code. To access this particular threat, hackers had to have a Java code signing certificate or purchase one from the threat's original seller.

While this particular form of malware is accessed by clicking or downloading, organizations that use java for their essential software do put themselves at increased risk. Terminal emulation can offer a solution.   

Here at the Inventu Corporation, we equip organizations of all sizes with a revolutionary terminal emulation tool called the Inventu Flynet Viewer. This solution allows developers to craft reliable and safe software using clean HTML and JavaScript hosted on secure Windows servers. All in all, the Inventu Flynet Viewer supports streamlined IT modernization and meets employer and staff expectations in a way that feels both familiar and simple. Contact us today or review our extensive product catalog to see how Inventu can optimize your infrastructure and also help you rid your servers and web clients of unsafe Java.