On March 7th, an ongoing Coronavirus themed phishing attack was identified. This attack impersonates the World Health Organization (WHO) in order to trick victims to install “Formbook” (information stealing malware) on their machines.
The malicious messages appear as if they are sent by WHO, with updates regarding the Coronavirus outbreak, which makes the phishing messages look legitimate.
This attack was brought to our attention by Shai Zalaluchin, CTO of Cybrella, a Boston-based consulting company that specializes in advanced cybersecurity solutions, including risk management, penetration testing, cyber training, and cyber intelligence.
“While it is difficult for any of us to believe,” Zalaluchin said, “there are those bad actors who try to leverage a global health crisis, a pandemic, to attack systems and steal data or disable those systems. We are committed to informing as many people as possible, as quickly as possible, about this threat.”
Here’s how the attack works:
1. The victim receives an email message (which appears to come from the WHO) with a “.zip” attachment.
2. The “.zip” file contains an “.exe” file called “MyHealth.exe”. The phishing email refers to the attachment as “MY-HEALTH.PDF”, tricking the user into running the “.exe” file without noticing that it is not the “.pdf” file the email describes.
3. The executable is actually “GuLoader” (a malware downloader), which when executed downloads an encrypted file from Google Drive.
4. The downloaded file is injected into the legitimate “wininit.exe” process in order to evade detection and maintain persistence on the system.
5. Once the injected code is running on the victim's machine, it attempts to steal a variety of credentials (web login credentials, banking login credentials, clipboard content, etc.).
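The first two steps of this chain rely on a .zip attachment carrying an executable that the email body describes as a PDF. As an added defender-side example (not from the article or from Cybrella), the following Python inspects such an attachment: it flags executable members by extension and by PE magic bytes, and flags any member whose name matches a filename mentioned in the email body but with a different extension, as “MyHealth.exe” does against “MY-HEALTH.PDF”. The sample zip and email body are constructed here; the zip holds only a two-byte PE magic stub, not a real program.

```python
import io
import re
import zipfile

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def _stem(name):
    """Strip path and extension, keep only alphanumerics, lower-case.
    'MY-HEALTH.PDF' and 'MyHealth.exe' both normalise to 'myhealth'."""
    base = name.rsplit("/", 1)[-1]
    stem = base.rsplit(".", 1)[0] if "." in base else base
    return re.sub(r"[^a-z0-9]", "", stem.lower())


def _ext(name):
    base = name.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[1]).lower() if "." in base else ""


def inspect_attachment(zip_bytes, body_text):
    """Return (member, reason) findings for a .zip mail attachment."""
    findings = []
    # Filenames the email body mentions, indexed by normalised stem.
    referenced = re.findall(r"\b[\w-]+\.[A-Za-z0-9]{2,4}\b", body_text)
    ref_by_stem = {_stem(r): r for r in referenced}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            head = zf.open(info).read(2)  # only the magic bytes are needed
            if _ext(name) in EXECUTABLE_EXTS:
                findings.append((name, "executable extension"))
            if head == PE_MAGIC:
                findings.append((name, "PE header regardless of extension"))
            ref = ref_by_stem.get(_stem(name))
            if ref is not None and _ext(ref) != _ext(name):
                findings.append((name, f"referenced in body as {ref}"))
    return findings


def build_sample_zip():
    """Constructed sample: a zip holding a fake 'MyHealth.exe' (PE magic stub only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyHealth.exe", PE_MAGIC + b"\x00" * 62)
    return buf.getvalue()


# Constructed email body echoing the lure's wording.
SAMPLE_BODY = "Please open the attached MY-HEALTH.PDF for the latest Coronavirus safety measures."
```

Run as a mail-gateway or triage check, a non-empty result is a reason to quarantine the message before the user sees it.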
“Any infection with the Formbook malware increases drastically the risk of identity theft, as well as compromising an array of accounts, including but not limited to online banking accounts,” Zalaluchin explained.
The WHO issued an alert to be on the lookout for criminals trying to impersonate it through various media (emails, websites, phone calls, text messages, etc.), and stated that the WHO will:
• Never ask you to log in to view safety information
• Never email attachments you didn’t ask for
• Never ask you to visit a link outside of www.who.int
• Never charge money to apply for a job, register for a conference, or reserve a hotel
• Never conduct lotteries or offer prizes, grants, certificates or funding through email
• Never ask you to donate directly to emergency response plans or funding appeals.
Zalaluchin recommended the following mitigation strategy:
“In addition, prior knowledge is key in raising awareness and preventing successful phishing attacks,” Zalaluchin said. “We must be constantly vigilant, including during emergencies like Coronavirus and future public health crises.”