Solarquest

Moderator
Verified
Staff member
Malware Hunter
Security researchers have discovered coronavirus-themed malware created to destroy users' computers.

With the coronavirus (COVID-19) pandemic raging all over the globe, some malware authors have developed malware that destroys infected systems, either by wiping files or rewriting a computer's master boot record (MBR).

With help from the infosec community, ZDNet has identified at least five malware strains, some distributed in the wild, while others appear to have been created only as tests or jokes.

The common theme among all four samples is that they use a coronavirus theme and they're geared towards destruction, rather than financial gain.

MBR-rewriting malware
Of the four malware samples found by security researchers this past month, the most advanced were the two samples that rewrote MBR sectors.

...
...
 

Parsh

Level 25
Verified
Trusted
Malware Hunter
Users can eventually regain access to their computers, but they'll need special apps that can be used to recover and rebuild the MBR to a working state.
The second strain is a scarily growing trend in the wild. Having ransomware-like activity as a front while silently stealing sensitive information in the background... the user is eventually made to believe that the sole purpose of the attack was trashing their system.

Whether at home or in companies, standard user accounts should be the preferred choice, and unknown/uninitiated prompts should be discarded to reduce the likelihood of such attacks. A major problem in industries should be dealt with well, besides mock runs: cracking down on the spear phishing that employees fall for.
Also, the management at corporates and hospitals should realize the need to run the latest OS and keep it updated... and then the technical teams should be able to take advantage of UEFI+GPT (with Secure Boot enabled) to make such prevalent MBR-rewriting malware insignificant. Perhaps GPT-targeting malware won't be very far off either.
The governments and their IT ministries should be conscious of this and insist on training efforts / up-to-date education for teams at vital services across the country. I've seen some of them issuing cybersecurity standards and best practices on their sites.
 
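A defender-side integrity check for the MBR rewriting discussed above, added here as example code (not from the ZDNet article, SonicWall, or either poster): it parses sector 0, validates the 0x55AA boot signature and the partition table, and compares a hash of the bootstrap code against a baseline captured while the machine was known-good. The constructed sample sectors and the baseline value are assumptions; reading the real first sector of the boot disk needs administrator rights and is left to the caller.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
GPT_PROTECTIVE = 0xEE  # partition type of the protective MBR entry on GPT disks

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector 0 into bootstrap code, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        # 16-byte entry: status, CHS start (skipped), type, CHS end (skipped), LBA, size
        status, ptype, lba, size = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": size})
    return {
        "code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:512] == BOOT_SIG,
        "gpt_protective": any(p["type"] == GPT_PROTECTIVE for p in entries),
    }

def check_mbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Compare sector 0 with a baseline hash taken from a known-good state; [] means clean."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline")
    if all(p["type"] == 0 for p in info["partitions"]):
        findings.append("partition table is empty")
    return findings

def build_sector(code: bytes, entries: list) -> bytes:
    """Constructed test data only: assemble a sector from code bytes and (status, type, lba, size) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return code.ljust(446, b"\x00") + table + BOOT_SIG

# Constructed samples (assumptions, not real disk data): a healthy sector with one
# NTFS partition, and one whose bootstrap code was replaced and partition table zeroed.
GOOD_MBR = build_sector(b"\xEB\x3C\x90", [(0x80, 0x07, 2048, 204800)])
BASELINE = hashlib.sha256(GOOD_MBR[:446]).hexdigest()
TAMPERED_MBR = build_sector(b"\xB8\x00\x7C", [])

if __name__ == "__main__":
    print("good:", check_mbr(GOOD_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a UEFI+GPT system the check should expect a single protective entry of type 0xEE rather than a real partition table, which the `gpt_protective` flag exposes.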

Gandalf_The_Grey

Level 38
Verified
Trusted
Content Creator
The original blog posting from the SonicWall Capture Labs Threat Research team:
SonicWall Capture Labs provides protection against this threat via the following signature:
  • GAV: KillMBR.Corn_A (Trojan)
Indicators Of Compromise (IOC):
  • DFBCCE38214FDDE0B8C80771CFDEC499FC086735C8E7E25293E7292FC7993B4C
VirusTotal: