What Is It?

Recently BleepingComputer reported on a number of new variants of MBRLocker malware, which have been sourced to a tool that was made available via YouTube and Discord. At least one of these used the COVID-19 pandemic as a lure. Due to the tool’s ease of use, the creators of these variants are believed to be “script kiddies” who are confined and looking for ways to “entertain” themselves.

The term “script kiddies” was long ago coined to refer to individuals who lacked the technical skills and understanding to develop their own malicious code and instead made use of existing malware. Often these individuals are young, hence the term.

The installer for the COVID-19 variant of MBRLoader uses the filename “COVID-19.exe” and makes coronavirus references including extracting itself to a “COVID-19” directory in the root directory. Once installed, it configures itself to start on boot up and restarts the system. On reboot an image file showing a rendering of the coronavirus itself along with text that states, “coronavirus has infected your PC!” Security researchers found that the malware makes a backup copy of the current Master Boot Record (MBR) and then overwrites the Windows-based device’s MBR with a custom version. The device then reboots again with a new MBR displaying a screen stating, “Your Computer Has Been Trashed.” On the surface, this statement appears to be true. Thankfully, the reality isn’t so bad.

Reverse engineering performed by researchers at Avast found a built-in backdoor that can easily revert the system back to its original MBR. The backdoor is activated by pressing the CTRL, ALT and ESC keys at the same time. The backdoor is a case of simple if you know how, you can easily fix it. For victims unaware of this, particularly with the current global stresses, being unable to boot into their Windows system (personal or work machines) represents a significant potential for disruption.

Numerous variants have been identified, all using different MBR screens and messages, including popular memes. It is believed that, in general, these variants are being distributed privately, however it is entirely possible they will be used maliciously in public distribution. As such, it would be prudent to keep the backdoor key sequence in mind in case you or your users are infected with MBRLocker.

How Does It Propagate?

While the distribution mechanism is not currently known, it would likely utilize social engineering lures including references to the coronavirus pandemic. The malware does not contain the necessary code to self-propagate.

When/How Did BluVector Detect It?

Seven samples of these MBRLocker variants were listed and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average 54 months prior to release.