Published on March 7th, 2020

Data-Stealing FormBook Malware Preys on Coronavirus Fears


Another email campaign pretending to be Coronavirus (COVID-19) information from the World Health Organization (WHO) is distributing a malware downloader that installs the FormBook information-stealing Trojan.

With the fears of Coronavirus in full swing, malware distributors are preying on these fears by sending emails that pretend to be the latest updates on the Coronavirus disease outbreak.

These emails carry a ZIP file attachment and claim to come from the 'World Health Organization' with the latest "Coronavirus Updates". When opened in a mail client, the emails do not render very well, as seen below.

Coronavirus Spam

The emails will, though, prompt you to view the email in a browser, which properly displays the content of the email.

This content pretends to be the latest updates on the Coronavirus outbreak and lists various stats, includes the address corona-virus@caramail.com (used for further phishing), and prompts you to open the attached 'MY-HEALTH.PDF' file for 'the simplest and fastest ways to take of your health and protect others'.

Viewing email in a browser

The ZIP attachment actually contains an executable called MyHealth.exe, which the malware distributors are trying to pass off as the MyHealth.PDF file mentioned in the email. They are not doing a convincing job, though, as the file uses a generic executable icon.

Mail Attachment
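The lure relies on a ZIP that delivers an executable whose name echoes the document the email promises. As an added illustration (not code from the original article), the following Python check inspects a ZIP attachment for members that are executables by extension or by PE header and flags any whose name matches a document the message referenced; the sample ZIP is constructed inline with a harmless stub, not the real payload.

```python
import io
import zipfile

# Extensions Windows will execute directly on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def _stem_and_ext(name):
    """Split 'dir/MyHealth.exe' into ('myhealth', '.exe'), lower-cased."""
    base = name.rsplit("/", 1)[-1].lower()
    if "." not in base:
        return base, ""
    stem, ext = base.rsplit(".", 1)
    return stem, "." + ext


def _normalise(stem):
    # Make 'my-health' and 'myhealth' compare equal.
    return "".join(ch for ch in stem if ch.isalnum())


def find_masquerading_executables(zip_bytes, promised_names):
    """Return findings for ZIP members that are executables, noting whether
    the member name echoes a document name the email promised."""
    promised = {_normalise(_stem_and_ext(n)[0]) for n in promised_names}
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stem, ext = _stem_and_ext(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)
            is_pe = head == b"MZ"  # DOS/PE header magic
            if ext in EXECUTABLE_EXTS or is_pe:
                findings.append({
                    "member": info.filename,
                    "pe_header": is_pe,
                    "echoes_promised_document": _normalise(stem) in promised,
                })
    return findings


def build_sample_zip():
    """Constructed sample mimicking the lure: MyHealth.exe (a fake 'MZ' stub,
    not malware) inside a ZIP, while the email promised MY-HEALTH.PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyHealth.exe", b"MZ" + b"\x00" * 62 + b"stub")
        zf.writestr("readme.txt", b"nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_masquerading_executables(build_sample_zip(), ["MY-HEALTH.PDF"]):
        print(finding)
```

A mail gateway or triage script can run the same check over real attachments, treating a PE header or executable extension as grounds to quarantine regardless of what the email text claims.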

According to MalwareHunterTeam who discovered this spam campaign, the executable is GuLoader, which is a malware downloader.

Once executed, GuLoader will download an encrypted file from https://drive.google.com, decrypt it, and then inject the malware into the legitimate Windows wininit.exe process to evade detection.

The downloaded malware is the FormBook information-stealing Trojan, which FireEye states will attempt to steal the contents of the Windows clipboard, log what you type into the keyboard, and steal data while you are browsing the web.

"The malware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. The malware can also execute commands from a command and control (C2) server. The commands include instructing the malware to download and execute files, start processes, shutdown and reboot the system, and steal cookies and local passwords."

Using this malware, attackers can steal banking credentials, web site login credentials, cookies that allow them to logon to sites as the victim, and the contents of the Windows clipboard.

This means that those infected with this malware face a significant risk of identity theft, online banking theft, and the compromise of other accounts they normally log into.

If you have recently received an email claiming to be from the WHO about Coronavirus and it contains an attachment that you opened, it is strongly advised that you scan your computer with antivirus software as soon as possible.

Protecting yourself from Coronavirus scams

When receiving emails, you should never open any attachments unless you confirm the sender.

This means that you should call the sender to confirm they sent the email, or at least discuss the attachment with your network administrator to determine whether it is safe.

The World Health Organization has also issued an alert to be on the lookout for criminals trying to impersonate them and that they will:

  • never ask you to login to view safety information
  • never email attachments you didn’t ask for
  • never ask you to visit a link outside of www.who.int
  • never charge money to apply for a job, register for a conference, or reserve a hotel
  • never conduct lotteries or offer prizes, grants, certificates or funding through email
  • never ask you to donate directly to emergency response plans or funding appeals.

If you receive an email claiming to be from the WHO and it has an attachment, simply mark it as spam and delete it.
