BlackBerry Protect vs. CoViper Malware
As it tends to happen whenever society goes through a major event, cybercriminals have recently been using COVID-19 as an opportunity to lure victims into phishing campaigns by impersonating the Centers for Disease Control and Prevention (CDC) or similarly the World Health Organization (WHO), with the end-goal of stealing users’ personal information.
More recently, we have observed malware attacks targeting multiple platforms such as the traditional Windows® OS, but also Android™ and Linux® operating systems in a variety of forms such as Trojans, ransomware, and wipers.
Similar to other threats we have seen in the past such as MBRKiller, the coronavirus-themed CoViper malware overwrites the Master Boot Record (MBR) of the victim, leaving the computer useless from an operating system standpoint:
VIDEO: Watch BlackBerry® Protect in action against CoViper malware
Upon execution on a machine, CoViper drops three PE executables, one vbs script, two Windows batch scripts, one icon image, and one backscreen image to a specific folder as follows:
MBR Wiper module
Create coronavirus window module
Persistent launcher of mainWindow.exe with run.bat
At first, this file executes ‘coronavirus.bat.’ This script is used for setting up persistence of these files. It disables the Windows Task Manager tool and User Access Control (UAC) function. It then executes a first reboot:
Figure 1: Coronavirus.bat executing
After the first reboot, it executes the run.exe, end.exe, mainWindow.exe and Update.vbs files previously dropped. When the victim logs back into the operating system, CoViper modifies the wallpaper to a black background and executes ‘mainWindow.exe’ which displays a message announcing that the computer has been ‘infected by coronavirus’:
Figure 2: Ransom note by CoViper
After the second reboot, the MBR has been broken by end.exe, and the victim is unable to use their computer:
Figure 3: Gray screen of death showing part 2 of ransom note
In addition, the update function in Update.vbs seems to be under construction. It has a sleep function but not much else, it doesn’t update, and there is no ransomware message or contact address for receiving money or virtual coin in this application. This could be included in a follow up version.
BlackBerry Defeats CoViper Malware
The BlackBerry Predictive Advantage is able to prevent this threat from executing five years before it existed. The conviction is made with no additional intervention, no updates and no need for Internet connectivity, while also maintaining our well-recognized low friction on system resources.