These sites are instead loaded with malware, such as the BlackNET RAT. Once a computer is infected, it would be added to a botnet.
Two specific websites have been promoting the fake Corona Antivirus – covid19[.]site and corona-antivirus[.]com.
According to MalwareHunterTeam, one of the websites is still active but its contents have been changed. Apparently, the malicious links have been removed. Instead, a donation link has been added to support the scammer’s efforts. Security researchers say that no donations have been made so far.
What did the fake Corona Antivirus program website say?
“Download our AI Corona Antivirus for the best possible protection against the Corona COVID-19 virus. Our scientists from Harvard University have been working on a special AI development to combat the virus using a mobile phone app,” the website said. Another fake claim made by the cybercrooks is that they promise an update that will add VR sync capabilities to the bogus Coronavirus antivirus:
We analyse the corona virus in our laboratory to keep the app always up to date! Soon a corona antivirus VR synchronization will be implemented!
If any user gets tricked by these false promises, they would end up downloading an installer from this location: antivirus-covid19[.]site/update.exe. It seems that this link is currently down. However, while it was active it was deploying the BlackNET RAT malware onto victims’ systems.
More about BlackNET RAT
BlackNET is a remote access Trojan and it can add the infected host to a botnet that is in control of the cybercriminals. The malware is capable of launching DDoS attacks, uploading files onto the compromised machine; executing scripts, taking screenshots, harvesting keystrokes via a built-in keylogger known as LimeLogger, stealing Bitcoin wallets, and collecting browser cookies and passwords.
Other capabilities of the BlackNET RAT include being able to detect counter analysis within a virtual machine, and checking for security researchers’ analysis tools. It is also equipped with bot management features such as restarting and shutting down infected hosts, uninstalling and updating the bot client, as well as opening both visible and hidden web pages, the researchers discovered.
Back in January, a botnet-driven spam campaign was spreading malicious files masqueraded as documents with video instructions on how to protect against the coronavirus. Instead of learning anything useful, the potential victim would get a computer infection ranging from Trojans to worms. A particular malware that was being delivered to potential victims was Emotet.