CoViper locking down computers during lockdown

CoViper is a new wiper malware family taking advantage of the COVID-19 crisis. Based on what we discovered during our analysis, we have reason to believe that it is attracting victims by masquerading as a file related to the coronavirus. The wiper breaks an infected computer’s boot operation, by rewriting the Master Boot Record (MBR) located on the computer’s disk. The MBR contains valuable information about how the OS should be booted on the PC. If the MBR is damaged, the PC will most likely remain non-functional, because it cannot be booted as usual. A skilled user could reinstall their MBR to recover their PC and files, or use other bootable media devices.

This particular malware family is sometimes also called the “MBR wiper”, or even “MBR locker”. MBR lockers are often used in combination with ransomware where the ransom note is displayed to the victim. In this case, however, the MBR is simply destroyed; no ransom is demanded. It’s possible that CoViper could be an early version of malware which will later turn into ransomware, as we will describe further down in the post.

Analysis

CoViper is distributed as an installer written in PureBasic, with all interesting files packed as resources. CoViper is composed of several binaries and scripts. These files are dropped into the computer’s temporary folder (%TEMP%, usually the absolute path is C:\Users\<username>\AppData\Local\Temp\), created using the GetTempFileNameA API function.

We will describe the purpose of these files later on. As a brief overview, here’s a short summary of the files CoViper drops into the temp folder:

  • coronavirus.bat – a stager that installs the malware and secures its persistence
  • end.exe – a wiper written in Delphi. Its purpose is to rewrite the MBR, effectively preventing the PC from booting normally
  • mainWindow.exe – launches a GUI with an image of the (corona)virus
  • run.exe – a binary ensuring persistence, starting mainWindow.exe process. This is performed by an intermediate script called run.bat
  • Update.vbs – currently a non-functional (not yet fully implemented) script, presumably designed to update the malware to a newer version
  • cursor.cur – a cursor file which is set as a new cursor’s appearance
  • wallpaper.jpg – a black wallpaper, set as the default desktop background on the victims’ PC

The Installation – coronavirus.bat

This simple coronavirus.bat script is used to install the malware onto the victim’s computer. The script also copies all the dropped files from the temporary folder into a new, hidden folder, called COVID-19, in the user’s home directory. Furthermore, the script changes registry keys to ensure persistence on the system, and restarts the system with a five second delay once the script is finished running. As we can see from the code below, the restart will effectively execute three files: Update.vbs, run.exe, and end.exe.

Note that the script is a little verbose, informing the user that the “coronavirus Installer” is working and after the script finishes, the “coronavirus sucessfully installed” (not our typo) and “Your computer will restart in 5 seconds to finish the installation :)” is shown as well. While adding a smiley may be used to ease the pain of what’s to come, it’s a little too much for our liking.

The contents of the coronavirus.bat script can be found below:

In addition to the persistence and disabling the UAC by modifying the EnableLUA registry key, the malware also prevents the user from starting the Task Manager, which will become “handy” in the next stage, because the user will lose the ability to kill the malware process. However, the Task Manager is the only tool it disables, so using e.g. the Process Explorer would still be possible.

The coronavirus.bat script also changes the appearance of the user’s mouse cursor and changes the desktop wallpaper to black. It prevents the user from changing the wallpaper to any other image (unless the user changes the registry entry back again).

Screen showing coronavirus.bat was successfully installed

First Reboot

Let’s now focus on what the other scripts and binaries do after the first reboot.

Update.vbs

We suspect the Update.vbs VisualBasic script is unfinished and will probably serve as an update mechanism for future versions of CoViper. Right now, the script only contains two lines of code, effectively doing nothing:

In other words, it waits two minutes and then displays a message which tells the user to contact their administrator or fix their internet connection. In fact, this only means that the update mechanism has not been implemented yet.

run.exe

The run.exe binary is an UPX packed file. Unpacking the file reveals that it is almost the same as the initial PureBasic installer we got our hands on. The difference is that the file doesn’t contain scripts and binaries that were previously present in the binary and dropped onto the disk afterwards. Instead, it executes a run.bat script which performs several additional operations on the victims’ system.

The script ensures the malware’s persistence once again (the whole list of changed registry keys can be found at the end of this blogspot in the IoC section). There is no difference between the persistence in this bat script and the coronavirus.bat script, but there is a difference in the infinite run loop which repeatedly executes the mainWindow.exe binary every time it is closed by the user. As mentioned before, the user cannot use Task Manager to kill this process, making it rather annoying.

The infinite run loop present in the run.bat script can be found below:

mainWindow.exe

mainWindow.exe is a binary written in VisualBasic. It has no apparent purpose other than to annoy the user. A window with an image of the (corona)virus is displayed. Also, two buttons are available to the user, “Help” and “Remove virus”. The help button displays a rather “helpful” text informing the user not to “WAST HIS TIME” (again the typo is included in the program) and that the computer is infected with the “coronavirus” and it cannot be stopped. The “Remove virus” button’s functionality is not currently implemented. It is unclear at this stage whether the malware will possibly become ransomware in the future, instructing the user to pay up by offering a list of payment methods after clicking this button.

mainWindow.exe: Help button is rather helpful

end.exe

With such a characteristic name, it’s no surprise that “The End” is near and the malicious process is almost finished. The end.exe is truly the last stage of CoViper and it holds the wiper’s core functionality. It is written in Borland Delphi.

The purpose of this process is to rewrite the infected computer’s MBR with the attacker’s own code. This results in a non-functional booting mechanism, leading to the inability to start the PC properly and boot the system.

However, we found something interesting in the assembly. That is, before the MBR is replaced, its backup is created. This would indicate that some kind of a failsafe could be implemented further in the code.

The backup is written after the new MBR, i.e. starting at 0x200 byte offset. Furthermore, we can see that after the backup, some interesting memory bytes (strings) are copied as well, at the 0x400 offset.

The result can be illustrated with this image:

An illustration of the MBR data structure, created by the malware

Instead of a standard MBR, this code is inserted:

Despite the code being short, it is enough to break the regular booting mechanism (a full MBR dump can be downloaded here). This code also prints two strings on the screen (see picture below in the Second Reboot section). As we suspected from the memory copy of strings above, the first string is the author’s credential signature:
“Created By Angel Castillo. Your Computer Has Been Trashed.”
The second is a Discord server where the victim can reach the author:
Discord: Windows Vista#3294

After the execution of the end.exe, no other action is performed. The user is left helpless and the final act of the tragedy is the user’s final performance.

Second Reboot

The Task Manager is a “task managing” tool that most users are familiar with, and the victim most likely cannot close the mainWindow.exe process without it. As we all know, the obvious solution for any IT problem is to turn the device off and on again. This will, however, “kill” the victim’s computer, making it unusable, unless the victim is tech savvy and can reinstall the MBR.

Upon restarting the PC, this message is displayed to the victim:

A boot screen with the modified MBR

The Failsafe

After further analysis of the MBR, we have good news! As we suspected, the author did in fact implement a failsafe to the MBR code. We suppose this is implemented in case the malware author accidentally executed the malware on their own PC and/or in case of a request for advice (on the aforementioned Discord server), for example while demanding ransom. This is, however, only a speculation.

From this MBR assembly, we can see that the program waits for an input. This expected input is in fact CTRL+ALT+ESC. After this key combination, the MBR is replaced with the original one (from the backup performed by end.exe) and the PC can be restarted and booted normally.

Keep in mind that after the restart, the malware is executed once again (i.e. the end.exe binary). Thus, users should at least first remove the autorun settings, so the whole scenario won’t repeat itself.

Further Investigation

As we could see in the previous image, the author of CoViper left a message for us. The aforementioned messages leave us a few clues — the author’s pseudonym and a Discord server that was still online at the time of writing.

Furthermore, we would like to mention that while investigating CoViper, it is clear that this malware was actually generated by a custom tool publicly available on the Internet, for free. Because we have come to a conclusion that the author of this tool is not actually the author of CoViper itself, we will not disclose his name. We will also not disclose the tools’s name so that we don’t bring more attention to it. For further information regarding this topic and our investigation, you can contact us any time at @AvastThreatLabs on Twitter.

Indicators of Compromise (IoC)

HashName
4FD9B85EEC0B49548C462ACB9EC831A0728C0EF9E3DE70E772755834E38AA3B3 coronavirus.bat
C3F11936FE43D62982160A876CC000F906CB34BB589F4E76E54D0A5589B2FDB9end.exe
B780E24E14885C6AB836AAE84747AA0D975017F5FC5B7F031D51C7469793EABEmainWindow.exe
C46C3D2BEA1E42B628D6988063D247918F3F8B69B5A1C376028A2A0CADD53986run.exe
A1A8D79508173CF16353E31A236D4A211BDCEDEF53791ACCE3CFBA600B51AAECUpdate.vbs
FE22DD2588666974CAE5B5BBDE2D763AFBD94BCCF72D350EC4E801F9354D103Drun.exe unpacked
DF1F9777FE6BEDE9871E331C76286BAB82DA361B59E44D07C6D977319522BA91run.bat
13C4423ED872E71990E703A21174847AB58DEC49501B186709B77B772CEEAB52cursor.cur
4A17F58A8BF2B26ECE23B4D553D46B72E0CDA5E8668458A80CE8FE4E6D90C42Dwallpaper.jpg
7AE5E2BE872510A0E2C01BCF61C2E2FB1E680CD9E54891D3751D41F53AC24F84New MBR
Changed registry key
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v disabletaskmgr /t REG_DWORD /d 1 /f
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v wallpaper /t REG_SZ /d %homedrive%\COVID-19\wallpaper.jpg /f
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
HKCU\Control Panel\Cursors /v Arrow /t REG_SZ /d %homedrive%\COVID-19\cursor.cur /f
HKCU\Control Panel\Cursors /v AppStarting /t REG_SZ /d %homedrive%\COVID-19\cursor.cur /f
HKCU\Control Panel\Cursors /v Hand /t REG_SZ /d %homedrive%\COVID-19\cursor.cur /f
HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v CheckForUpdates /t REG_SZ /d %homedrive%\COVID-19\Update.vbs /f
HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.exe /t REG_SZ /d %homedrive%\COVID-19\run.exe /f
HKLM\software\Microsoft\Windows\CurrentVersion\Run /v GoodbyePC! /t REG_SZ /d %homedrive%\COVID-19\end.exe /f
Share:XFacebook

Menu