Authored by: Malwarebytes Threat Intelligence Team
The number of scams, threats, and malware campaigns taking advantage of public concern over the coronavirus is increasing each day. As a result, we’ve been actively monitoring emails within our spam honeypot to flag such threats and make sure our users are protected.
Yesterday, we observed a phishing campaign similar to malspam previously discovered by MalwareHunterTeam, which impersonates the World Health Organization (WHO) and promises the latest on “corona-virus.” Right off the bat, the incorrect use of a hyphen in “coronavirus” in the subject line could tip off users with a critical eye for grammar. However, since WHO are often touted as a trustworthy and authoritative resource, including by our own blog, many will be tempted to open the email.
In this particular campaign, threat actors use a fake e-book as a lure, claiming the “My Health E-book” includes complete research on the global pandemic, as well as guidance on how to protect children and businesses.
The criminals behind this scheme try to trick victims into opening the attachment, contained in a zip file, by offering teaser content within the body of the email, including:
Guidance to protect children and business centre;
This guidance provides critical considerations and practical checklists to keep Kids and business centre safe. It also advises national and local authorities on how to adapt and implement emergency plans for educational facilities.
Critical preparedness, readiness and response actions for COVID-19;
WHO has defined four transmission scenarios for COVID-19. My Health E-book describes the preparedness, readiness and response actions for each transmission scenario.
The email content goes on to tell readers that they can download and access the e-book from Windows computers only.
Instead, as soon as they execute the file inside the MyHealth-Ebook.zip archive, malware will be downloaded onto their computers. As seen in the previous wave of spam, the malicious code is for a downloader called GuLoader.
GuLoader is used to load the real payload, an information-stealing Trojan called FormBook, stored in encoded format on Google Drive. Formbook is one of the most popular info-stealers, thanks to its simplicity and its wide range of capabilities, including swiping content from the Windows clipboard, keylogging, and stealing browser data. Stolen data is sent back to a command and control server maintained by the threat actors.
While the threat actors are improving on the campaign’s sophistication by building reputable-sounding content within the body of the email, a closer examination reveals small grammatical errors, such as:
You are now receiving this email because your life count as everyone lives count.
This combined with other minor formatting and grammar mistakes, as well as a mix-and-match selection of fonts make this clever phishing scheme, upon closer examination, a dud. Still, many have fallen for far more obvious ploys.
With a huge swatch of the population now confined to their homes but working remotely, the risk of infecting a highly-distributed network is increasing. That’s why it’s more important than ever to use a discerning eye when opening work or personal emails, as employee negligence is one of the top indicators for successful cyberattack/data breach.