infoTECH Feature

March 13, 2020

From Human to Digital Infection: Coronavirus Phishing Scam Signals a New Low

On March 7th, an ongoing Coronavirus-themed phishing attack was identified. This attack impersonates the World Health Organization (WHO) in order to trick victims into installing “Formbook” (information-stealing malware) on their machines.

The malicious messages appear as if they are sent by WHO, with updates regarding the Coronavirus outbreak, which makes the phishing messages look legitimate.

This attack was brought to our attention by Shai Zalaluchin, CTO, Cybrella, a Boston-based consulting company which specializes in advanced Cybersecurity solutions including risk management, penetration testing, Cyber training, and Cyber Intelligence.

“While it is difficult for any of us to believe,” Zalaluchin said, “there are those bad actors who try to leverage a global health crisis, a pandemic, to attack systems and steal data or disable those systems. We are committed to informing as many people as possible, as quickly as possible, about this threat.”

Here’s how the attack works:

1. The victim receives an email message (which seems to be from the WHO) with a “.zip” file attached.

2. Within the “.zip” file, there is an additional “.exe” file called “MyHealth.exe”, which is referenced in the phishing email (as “MY-HEALTH.PDF”), tricking the user into executing the “.exe” file without paying attention to the fact it is not a “.pdf” file (as mentioned in the email).

3. The executable is actually “GuLoader” (a malware downloader), which when executed installs an encrypted file from Google Drive.

4. The downloaded file is injected into the “wininit.exe” process (which is legitimate) in order to evade detection and maintain persistence in the system.

5. After the injected file is executed on the victim machine, it will try to steal a variety of credentials (web login credentials, banking login credentials, the clipboard content, etc.).
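A mail-gateway style check for steps 1 and 2, written as an added example (it is not code from the article or from Cybrella): it opens “.zip” attachments, flags executable members, and escalates when the message body refers to the same file name as a document. The extension list, the attachment name `update.zip` and the sample message are constructed assumptions; only “MyHealth.exe” and “MY-HEALTH.PDF” come from the article.

```python
import email.message
import io
import posixpath
import re
import zipfile

# Assumed list of extensions treated as executable (not from the article).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_REF = re.compile(r"\b[\w-]+\.(?:pdf|docx?|xlsx?)\b", re.IGNORECASE)

def normalized_stem(name):
    """Map 'MY-HEALTH.PDF' and 'MyHealth.exe' to the same key, 'myhealth'."""
    base = posixpath.splitext(posixpath.basename(name))[0]
    return re.sub(r"[^a-z0-9]", "", base.lower())

def scan_message(raw_bytes):
    """Return (attachment, member, reason) findings for one raw e-mail."""
    parts = list(email.message_from_bytes(raw_bytes).walk())
    body_refs = set()
    for part in parts:  # collect document names the body text refers to
        if part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            body_refs |= {normalized_stem(ref) for ref in DOC_REF.findall(text)}
    findings = []
    for part in parts:  # inspect every .zip attachment
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        try:
            members = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))).namelist()
        except zipfile.BadZipFile:
            findings.append((fname, None, "unreadable-archive"))
            continue
        for member in members:
            if posixpath.splitext(member)[1].lower() not in EXECUTABLE_EXTS:
                continue
            disguised = normalized_stem(member) in body_refs
            reason = "executable-disguised-as-document" if disguised else "executable-in-zip"
            findings.append((fname, member, reason))
    return findings

def build_sample():
    """Constructed sample message; the archive member is harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyHealth.exe", b"placeholder, not a real executable")
    msg = email.message.EmailMessage()
    msg.set_content("Please review the attached MY-HEALTH.PDF for details.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="update.zip")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` reports the archive member as an executable disguised as a document; a gateway would quarantine on either finding type.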

“Any infection with the Formbook malware increases drastically the risk of identity theft, as well as compromising an array of accounts, including but not limited to online banking accounts,” Zalaluchin explained.

The WHO issued an alert to be on the lookout for any criminals trying to impersonate them via various mediums (emails, websites, phone calls, text messages, etc.), and stated that the WHO will:

  • Never ask you to log in to view safety information

  • Never email attachments you didn’t ask for

  • Never ask you to visit a link outside of www.who.int

  • Never charge money to apply for a job, register for a conference, or reserve a hotel

  • Never conduct lotteries or offer prizes, grants, certificates or funding through email

  • Never ask you to donate directly to emergency response plans or funding appeals.

Name recommended the following mitigation strategy:

  • Immediately raise awareness of users, and instruct them to:
  • Never open suspicious emails. Any “Act Now!”, “Urgent Alert” or similar should be treated with caution, as they can be regarded as warning signs of a phishing attempt.
  • Even if an email doesn’t look suspicious, do not click on links in an email (or message boards / mailing lists) or open attachments.
  • Pay attention to the actual URLs included in emails.
  • Never submit credentials on embedded forms / forms you were directed to from an email (or other similar sources).
  • Ensure that anti-virus and other applications (such as the web-browser) are updated and have the most recent security patches applied.
  • Report anything suspicious for further investigation.

“In addition, prior knowledge is key in raising awareness and preventing successful phishing attacks,” Zalaluchin said. “We must be constantly vigilant, including during emergencies like Coronavirus and future public health crises.”


Arti Loftus is an experienced Information Technology specialist with a demonstrated history of working in the research, writing, and editing industry with many published articles under her belt.

Edited by Maurice Nagle